1440803a96ffa06c71368fbc4c9b550bed0861aa91993cbeb0650e6a11d440ac

General

Target

8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
Size

1.7MB
MD5

8578d5b49e77b239468fc1aed1eba560
SHA1

77f7c6ff2a3fe3ae5055c28d7f6c8bd2d0e4888b
SHA256

1440803a96ffa06c71368fbc4c9b550bed0861aa91993cbeb0650e6a11d440ac
SHA512

821d84d9d6908e89c2260f01061fd61f0d46367ac255e1d10d8a7ad2c5ee8f2fe1ea3f4e10f534a335f9e90cf8c428b4b4aa2394924e966a2d369a06718cec5e
SSDEEP

24576:WIXW/8yw1ez54lI7F5SXYHjrGyzatThRiVk6jXRqbLGJv6plFh9iGa2oMYMgdsHV:h9bC4lIOcT8TjkXzJspDLoVMgdkLbN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

@AEEA1.tmp.exe8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe

pid process

1344 @AEEA1.tmp.exe
2380 8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe

pid	process
1344	@AEEA1.tmp.exe
2380	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe

Loads dropped DLL 14 IoCs

Processes:

explorer.exeWerFault.exeWerFault.exe

pid	process
1940	explorer.exe
1940	explorer.exe
1940	explorer.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
3036	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
3036	WerFault.exe
2528	WerFault.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3036 1344 WerFault.exe @AEEA1.tmp.exe
2528 2380 WerFault.exe 8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe

pid	pid_target	process	target process
3036	1344	WerFault.exe	@AEEA1.tmp.exe
2528	2380	WerFault.exe	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exeexplorer.exe@AEEA1.tmp.exe8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe

description	pid	process	target process
PID 1660 wrote to memory of 1940	1660	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	explorer.exe
PID 1660 wrote to memory of 1940	1660	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	explorer.exe
PID 1660 wrote to memory of 1940	1660	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	explorer.exe
PID 1660 wrote to memory of 1940	1660	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	explorer.exe
PID 1660 wrote to memory of 1940	1660	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	explorer.exe
PID 1660 wrote to memory of 1940	1660	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	explorer.exe
PID 1940 wrote to memory of 1344	1940	explorer.exe	@AEEA1.tmp.exe
PID 1940 wrote to memory of 1344	1940	explorer.exe	@AEEA1.tmp.exe
PID 1940 wrote to memory of 1344	1940	explorer.exe	@AEEA1.tmp.exe
PID 1940 wrote to memory of 1344	1940	explorer.exe	@AEEA1.tmp.exe
PID 1344 wrote to memory of 3036	1344	@AEEA1.tmp.exe	WerFault.exe
PID 1344 wrote to memory of 3036	1344	@AEEA1.tmp.exe	WerFault.exe
PID 1344 wrote to memory of 3036	1344	@AEEA1.tmp.exe	WerFault.exe
PID 1344 wrote to memory of 3036	1344	@AEEA1.tmp.exe	WerFault.exe
PID 1940 wrote to memory of 2380	1940	explorer.exe	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
PID 1940 wrote to memory of 2380	1940	explorer.exe	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
PID 1940 wrote to memory of 2380	1940	explorer.exe	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
PID 1940 wrote to memory of 2380	1940	explorer.exe	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
PID 2380 wrote to memory of 2528	2380	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	WerFault.exe
PID 2380 wrote to memory of 2528	2380	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	WerFault.exe
PID 2380 wrote to memory of 2528	2380	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	WerFault.exe
PID 2380 wrote to memory of 2528	2380	8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\@AEEA1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\@AEEA1.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 92
4⤵
- Loads dropped DLL
- Program crash
PID:3036

C:\Users\Admin\AppData\Local\Temp\8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 188
4⤵
- Loads dropped DLL
- Program crash
PID:2528

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8578d5b49e77b239468fc1aed1eba560_NeikiAnalytics.exe
Filesize
740KB

MD5
9887f7db7dc40ada587df7c33c42ff15

SHA1
d029cba559891ee96f15e410bc3b48b03afb92a5

SHA256
c0eac92d2eae3b0e4b24c214b9ea35e3bb267cb2a3abc0cf7cad3abe1b0b4611

SHA512
f4af32b4edce3635dac85b2867bd04e67cb3d287049e1e79c88a90f31dabaac8046a18f9ab517384de8ba7025fd24a066ccebbf68220a65039fecb32e65a779f

Download Submit
\Users\Admin\AppData\Local\Temp\@AEEA1.tmp.exe
Filesize
1.0MB

MD5
46329f893d9543e37c0603b01751fa81

SHA1
4acdc019085b51f8c7860ab47a09b293c385c1d9

SHA256
d594e1da162a7cd67be562c115b3f669c84040798353db154eb9f3ee305b5dab

SHA512
3493b422291f0db77f27bf5498d966ac6ebc304d292c3fbd8f108caca501c3ba4f64ad599e89e3ac15133e3843e0a6b0be043be5a992a76c09cf4cda110e89f8

Download Submit
memory/1344-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1660-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1660-1-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1940-14-0x0000000002910000-0x000000000295C000-memory.dmp

Filesize
304KB

Download
memory/1940-13-0x0000000002910000-0x000000000295C000-memory.dmp

Filesize
304KB

Download
memory/1940-19-0x0000000002910000-0x00000000029D1000-memory.dmp

Filesize
772KB

Download
memory/2380-22-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing