0480734fca847ba66ac1465be0fd2298b4c0f17a291caf354eba808dc7ee3652

General

Target

65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
Size

1.2MB
MD5

65eceeba208f3d99f892d9405c518040
SHA1

acef39fc86d534067ea0ee5a9579b6547fe662a1
SHA256

0480734fca847ba66ac1465be0fd2298b4c0f17a291caf354eba808dc7ee3652
SHA512

22a8b44e8798fc4a9a2bb0284920e4e6863980d7d58692c065ba07afb614ad1619013c1b49c0e2671230b7704bc70ad3749665267df97939e8fef01131ae69b3
SSDEEP

24576:4ULPM63iFF6+LtM5sUFDMN6p0Q1lYG6EXa/ZSqa/JX3gK6BbK077Lv+f6T8f//1:9PD+HpM5siDpKQ1mG6ugpg2XB+0bGH1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1860	65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1860	65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
23	pastebin.com

Program crash 16 IoCs

pid	pid_target	Process	procid_target
1784	1832	WerFault.exe	80
100	1860	WerFault.exe	88
3060	1860	WerFault.exe	88
2056	1860	WerFault.exe	88
3316	1860	WerFault.exe	88
3668	1860	WerFault.exe	88
4380	1860	WerFault.exe	88
3936	1860	WerFault.exe	88
2524	1860	WerFault.exe	88
4596	1860	WerFault.exe	88
1896	1860	WerFault.exe	88
4888	1860	WerFault.exe	88
3628	1860	WerFault.exe	88
3204	1860	WerFault.exe	88
4820	1860	WerFault.exe	88
856	1860	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1860	65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
1860	65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1832	65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1860	65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1860	1832	65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe	88
PID 1832 wrote to memory of 1860	1832	65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe	88
PID 1832 wrote to memory of 1860	1832	65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 312
  2⤵
  - Program crash
  PID:1784
- C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 344
    3⤵
    - Program crash
    PID:100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 628
    3⤵
    - Program crash
    PID:3060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 656
    3⤵
    - Program crash
    PID:2056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 656
    3⤵
    - Program crash
    PID:3316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 696
    3⤵
    - Program crash
    PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 920
    3⤵
    - Program crash
    PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1432
    3⤵
    - Program crash
    PID:3936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1468
    3⤵
    - Program crash
    PID:2524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1636
    3⤵
    - Program crash
    PID:4596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1464
    3⤵
    - Program crash
    PID:1896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1480
    3⤵
    - Program crash
    PID:4888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1692
    3⤵
    - Program crash
    PID:3628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1536
    3⤵
    - Program crash
    PID:3204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1496
    3⤵
    - Program crash
    PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 624
    3⤵
    - Program crash
    PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1832 -ip 1832
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1860 -ip 1860
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1860 -ip 1860
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1860 -ip 1860
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1860 -ip 1860
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1860 -ip 1860
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1860 -ip 1860
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1860 -ip 1860
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1860 -ip 1860
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1860 -ip 1860
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1860 -ip 1860
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1860 -ip 1860
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1860 -ip 1860
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1860 -ip 1860
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1860 -ip 1860
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1860 -ip 1860
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\65eceeba208f3d99f892d9405c518040_NeikiAnalytics.exe

Filesize
1.2MB

MD5
0af4f2a386b680425b062a80b3f4d6a3

SHA1
9f462841bebf75ea451942b364a2fbaa74b2dc40

SHA256
901090afdaaaf52abe73079c52f29890be46bffd4266168b6ecfdd11ff096ad6

SHA512
02c7c387b5606cf4723f2b31f5a6c69091c9367faeef45dea248dedda050f0f7ba727407f06b89140f1acab40eb8db8414a11cb6b0001550f12bbcef22e0cc3d

Download Submit
memory/1832-0-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1832-6-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1860-7-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1860-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1860-14-0x0000000005070000-0x0000000005187000-memory.dmp

Filesize
1.1MB

Download
memory/1860-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1860-27-0x000000000B9D0000-0x000000000BA73000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing