024ba612d7c631acbac3e62803e17353910e9ed1b296d2d734abe1de8bce0c04

General

Target

82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.exe
Size

6.3MB
MD5

82a9d0c1227af04a2c9410d7f9090a30
SHA1

452d7440b5d1532dcdcbf87c305495f6e1e09afb
SHA256

024ba612d7c631acbac3e62803e17353910e9ed1b296d2d734abe1de8bce0c04
SHA512

6ab1fc3b9da2251500459ec94e3dca66f2edee64dd80a449d1fd89d9bba15da3ea2b2245275e7be7f020dbf25973371dec89c0801ab632be14538292f3a059c6
SSDEEP

98304:vxr75y6vbOHCVq+vWlTdYb/X5W9KOA9IWmktVCRe8BOkpFrIMDDQTfh8xh3K:hLbgzi/pW9JA9IWmktmFpFr1+hAK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp
2260	bczoneaudioeditor.exe

Loads dropped DLL 3 IoCs

pid	Process
5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp
5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp
5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 14 IoCs

pid	pid_target	Process	procid_target
4348	2260	WerFault.exe	86
4760	2260	WerFault.exe	86
3320	2260	WerFault.exe	86
4216	2260	WerFault.exe	86
3748	2260	WerFault.exe	86
4132	2260	WerFault.exe	86
4228	2260	WerFault.exe	86
2732	2260	WerFault.exe	86
456	2260	WerFault.exe	86
4524	2260	WerFault.exe	86
4492	2260	WerFault.exe	86
860	2260	WerFault.exe	86
4788	2260	WerFault.exe	86
1532	2260	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp
5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp
2260	bczoneaudioeditor.exe
2260	bczoneaudioeditor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 5092	4892	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.exe	82
PID 4892 wrote to memory of 5092	4892	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.exe	82
PID 4892 wrote to memory of 5092	4892	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.exe	82
PID 5092 wrote to memory of 3240	5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp	84
PID 5092 wrote to memory of 3240	5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp	84
PID 5092 wrote to memory of 3240	5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp	84
PID 5092 wrote to memory of 2260	5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp	86
PID 5092 wrote to memory of 2260	5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp	86
PID 5092 wrote to memory of 2260	5092	82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp	86

C:\Users\Admin\AppData\Local\Temp\82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\is-EF2H6.tmp\82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EF2H6.tmp\82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp" /SL5="$8006A,6364078,56832,C:\Users\Admin\AppData\Local\Temp\82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "BC_Zone_Audio_Editor_662"
    3⤵
    PID:3240
- - C:\Users\Admin\AppData\Local\BC Zone Audio Editor\bczoneaudioeditor.exe
    "C:\Users\Admin\AppData\Local\BC Zone Audio Editor\bczoneaudioeditor.exe" da5b3f372ec5c0d519be18a0484549a9
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 856
      4⤵
      Program crash
      PID:4348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 864
      4⤵
      Program crash
      PID:4760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 864
      4⤵
      Program crash
      PID:3320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1056
      4⤵
      Program crash
      PID:4216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1064
      4⤵
      Program crash
      PID:3748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1104
      4⤵
      Program crash
      PID:4132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1136
      4⤵
      Program crash
      PID:4228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1164
      4⤵
      Program crash
      PID:2732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1144
      4⤵
      Program crash
      PID:456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 980
      4⤵
      Program crash
      PID:4524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 848
      4⤵
      Program crash
      PID:4492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1092
      4⤵
      Program crash
      PID:860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 872
      4⤵
      Program crash
      PID:4788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1324
      4⤵
      Program crash
      PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2260 -ip 2260
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2260 -ip 2260
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2260 -ip 2260
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2260 -ip 2260
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2260 -ip 2260
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2260 -ip 2260
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2260 -ip 2260
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2260 -ip 2260
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2260 -ip 2260
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2260 -ip 2260
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2260 -ip 2260
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2260 -ip 2260
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2260 -ip 2260
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2260 -ip 2260
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BC Zone Audio Editor\bczoneaudioeditor.exe

Filesize
4.5MB

MD5
8c6ede4069ecbcbeb1624500a8bfff83

SHA1
69fcbc9afeceea91e4e36206fcb47cc3dd63af2f

SHA256
6dbcace0e099eb6f39859d7ed165e5c088b3d7643327308c43ee59af6018887f

SHA512
da2efd742ad43a6e82c0a770750587cff109d3fbd7cf6c5ee6c3ea152d582704629a99d3aa1fc7799f6c0508cfe2be0cbf819079ce5dd6a63150649632ccf852

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EF2H6.tmp\82a9d0c1227af04a2c9410d7f9090a30_NeikiAnalytics.tmp

Filesize
694KB

MD5
80bae3a697cddbc0c974ce86d80d3cd3

SHA1
bea4415062f34dfb5ac65b37439952d0cc80782c

SHA256
0e40a3d7b78e51541ce082b195fc836e76136fa73aba7ac40425a37782a86a33

SHA512
69f98082d04f374023b2dd7dcbbf95812ed8432ee9a6bda64f5d223318e8a18b3cf971f1532dfbd084e7f47160739a2cac586c81b716145b8999cc2bcdff203c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R5USC.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R5USC.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
memory/2260-76-0x0000000000400000-0x0000000000C74000-memory.dmp

Filesize
8.5MB

Download
memory/2260-75-0x0000000000400000-0x0000000000C74000-memory.dmp

Filesize
8.5MB

Download
memory/2260-74-0x0000000000400000-0x0000000000C74000-memory.dmp

Filesize
8.5MB

Download
memory/2260-79-0x0000000000400000-0x0000000000C74000-memory.dmp

Filesize
8.5MB

Download
memory/4892-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4892-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4892-77-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5092-6-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/5092-78-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing