0a2bea9bde8aa624311b25022fd2365e3ec4621a278d895117774c720f65fc30

General

Target

27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe
Size

969KB
MD5

27adce6c27fcfb3b7ed8438777046300
SHA1

f0b75460ceef6d332f4710e5d69b4420c73b4c46
SHA256

0a2bea9bde8aa624311b25022fd2365e3ec4621a278d895117774c720f65fc30
SHA512

abae87e31992f2fd2d0db80db866ab469f638ab34fd2a7775a520ec9200ae3af5d000f5af27e2c1ee754af0bfd410a43b27e856d48ec62226a5c1663e15878d6
SSDEEP

24576:PVcmQleMs74UTNyehoJRxmzy9J1zK8CBvKka/ZSsD0TCIOhPe6BWqLp:tceM6oeSJRxn9q8Cgkg3D0GIOhPe6BWM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4548	27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4548	27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
22	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
4924	3012	WerFault.exe	89
2356	4548	WerFault.exe	94
1948	4548	WerFault.exe	94
3556	4548	WerFault.exe	94
764	4548	WerFault.exe	94
5100	4548	WerFault.exe	94
1744	4548	WerFault.exe	94
1144	4548	WerFault.exe	94
3088	4548	WerFault.exe	94
4868	4548	WerFault.exe	94
208	4548	WerFault.exe	94
2288	4548	WerFault.exe	94
4280	4548	WerFault.exe	94
2176	4548	WerFault.exe	94
5112	4548	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4548	27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe
4548	27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3012	27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4548	27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 4548	3012	27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe	94
PID 3012 wrote to memory of 4548	3012	27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe	94
PID 3012 wrote to memory of 4548	3012	27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe	94

C:\Users\Admin\AppData\Local\Temp\27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 344
  2⤵
  - Program crash
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 352
    3⤵
    - Program crash
    PID:2356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 636
    3⤵
    - Program crash
    PID:1948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 652
    3⤵
    - Program crash
    PID:3556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 672
    3⤵
    - Program crash
    PID:764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 720
    3⤵
    - Program crash
    PID:5100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 972
    3⤵
    - Program crash
    PID:1744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1404
    3⤵
    - Program crash
    PID:1144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1408
    3⤵
    - Program crash
    PID:3088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1476
    3⤵
    - Program crash
    PID:4868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1520
    3⤵
    - Program crash
    PID:208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1524
    3⤵
    - Program crash
    PID:2288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1516
    3⤵
    - Program crash
    PID:4280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1540
    3⤵
    - Program crash
    PID:2176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 948
    3⤵
    - Program crash
    PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3012 -ip 3012
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4548 -ip 4548
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4548 -ip 4548
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4548 -ip 4548
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4548 -ip 4548
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4548 -ip 4548
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4548 -ip 4548
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4548 -ip 4548
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4548 -ip 4548
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4548 -ip 4548
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4548 -ip 4548
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4548 -ip 4548
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4548 -ip 4548
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4548 -ip 4548
1⤵
PID:2888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4220 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4548 -ip 4548
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27adce6c27fcfb3b7ed8438777046300_NeikiAnalytics.exe

Filesize
969KB

MD5
38b453817cfd9ce61771f2b3fa1c8156

SHA1
9732db4658431d8c6f4688dae1d10647810ec070

SHA256
10ee43c993a63d719d1c6b0392e6b5b30f81da2f928c8bdfe2e108ab189ccce3

SHA512
95223d9e49c7eccbab32c66220f6b24dc731e17af0b5ddc70f9653d46c0492351c2b0e6586a71999c7bb6c0b22f05a45e2897dfce18538a74c034ffe175d17a1

Download Submit
memory/3012-0-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/3012-6-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4548-7-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4548-8-0x0000000004F90000-0x0000000005082000-memory.dmp

Filesize
968KB

Download
memory/4548-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4548-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4548-27-0x000000000B9C0000-0x000000000BA63000-memory.dmp

Filesize
652KB

Download
memory/4548-28-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing