593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4

General

Target

593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe
Size

3.0MB
MD5

711447ef8b390e33f11acc2329ee3dd0
SHA1

1489a6574eb70f05096aea2a4692563d28d1f8a5
SHA256

593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4
SHA512

4e949a4b12fb56cf6be45ebc121968d6095a7213c3a14b59aa05303cd96d26b93d8e9ad51b2e86b9b4a2393aeeac35573073fad41e3af9104a02c2cdd0b236cc
SSDEEP

49152:R4OM6V64Ks5kDiopgGgr1GblGkUmmXON7j5GLMg/gRbOEdeQBXWaJHdfT:Rj1kPDiB1GJGpmmG71GLCdXfHp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
464	593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
464	593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	pastebin.com
25	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2472	3304	WerFault.exe	91
3888	464	WerFault.exe	96
3944	464	WerFault.exe	96
3000	464	WerFault.exe	96
3528	464	WerFault.exe	96
2428	464	WerFault.exe	96
3460	464	WerFault.exe	96
5084	464	WerFault.exe	96
3324	464	WerFault.exe	96
1820	464	WerFault.exe	96
4700	464	WerFault.exe	96
216	464	WerFault.exe	96
1164	464	WerFault.exe	96
4144	464	WerFault.exe	96
2124	464	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
464	593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe
464	593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3304	593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
464	593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 464	3304	593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe	96
PID 3304 wrote to memory of 464	3304	593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe	96
PID 3304 wrote to memory of 464	3304	593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe	96

C:\Users\Admin\AppData\Local\Temp\593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 344
  2⤵
  - Program crash
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 344
    3⤵
    - Program crash
    PID:3888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 628
    3⤵
    - Program crash
    PID:3944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 636
    3⤵
    - Program crash
    PID:3000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 668
    3⤵
    - Program crash
    PID:3528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 768
    3⤵
    - Program crash
    PID:2428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 920
    3⤵
    - Program crash
    PID:3460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1400
    3⤵
    - Program crash
    PID:5084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1484
    3⤵
    - Program crash
    PID:3324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1404
    3⤵
    - Program crash
    PID:1820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1652
    3⤵
    - Program crash
    PID:4700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1648
    3⤵
    - Program crash
    PID:216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1552
    3⤵
    - Program crash
    PID:1164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1644
    3⤵
    - Program crash
    PID:4144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 652
    3⤵
    - Program crash
    PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3304 -ip 3304
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 464 -ip 464
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 464 -ip 464
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 464 -ip 464
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 464 -ip 464
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 464 -ip 464
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 464 -ip 464
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 464 -ip 464
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 464 -ip 464
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 464 -ip 464
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 464 -ip 464
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 464 -ip 464
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 464 -ip 464
1⤵
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 464 -ip 464
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 464 -ip 464
1⤵
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\593122734026fa4263c6d30aadbf069ba8d89a86a7455596c6c5b9d9686887c4_NeikiAnalytics.exe

Filesize
3.0MB

MD5
76024bd20277673445f27e2cf3459bc0

SHA1
3505a6a99cf266675100e5716877e2f31f483280

SHA256
4399f29fa4e64017b0250d81f65b183b69009ef3433b84926fa401f6c5a09a84

SHA512
bbec7476ffd1fe8e35962c943477178042694453d65691d89f9c5c3a1c42f99c35f095b287f4109d8ebbbbd8b5a4f3a36095834b1c363d776dc1014d57264b79

Download Submit
memory/464-6-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/464-8-0x0000000004FC0000-0x00000000050D5000-memory.dmp

Filesize
1.1MB

Download
memory/464-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/464-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-27-0x000000000B9E0000-0x000000000BA83000-memory.dmp

Filesize
652KB

Download
memory/3304-0-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3304-7-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing