a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032

General

Target

a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe
Size

969KB
MD5

e3a9624a01dc88dc9c2031ca843b5ef0
SHA1

baa9581f9eba9ae3df957d08d610076cb6e94235
SHA256

a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032
SHA512

7711842c26cbbbbc231e216504bdaa84357f7eacf045f874fbf393e2acd53cb244a478188bed1764c07491c6605bce49056952ba76d54e236bc7145f0b934945
SSDEEP

24576:fxUWT5Botq9GCJ7ybHMJFa/ZSsD0TCIOhPe6BWqLp:Jz5Ctqca5JFg3D0GIOhPe6BWep

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1708	a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1708	a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	pastebin.com
15	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
1920	4052	WerFault.exe	80
3224	1708	WerFault.exe	85
1364	1708	WerFault.exe	85
3728	1708	WerFault.exe	85
3160	1708	WerFault.exe	85
3132	1708	WerFault.exe	85
3228	1708	WerFault.exe	85
880	1708	WerFault.exe	85
4960	1708	WerFault.exe	85
5096	1708	WerFault.exe	85
692	1708	WerFault.exe	85
2400	1708	WerFault.exe	85
4388	1708	WerFault.exe	85
5092	1708	WerFault.exe	85
1460	1708	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1708	a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe
1708	a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4052	a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1708	a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 1708	4052	a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe	85
PID 4052 wrote to memory of 1708	4052	a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe	85
PID 4052 wrote to memory of 1708	4052	a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe	85

C:\Users\Admin\AppData\Local\Temp\a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 344
  2⤵
  - Program crash
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 344
    3⤵
    - Program crash
    PID:3224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 636
    3⤵
    - Program crash
    PID:1364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 644
    3⤵
    - Program crash
    PID:3728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 644
    3⤵
    - Program crash
    PID:3160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 720
    3⤵
    - Program crash
    PID:3132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 908
    3⤵
    - Program crash
    PID:3228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1436
    3⤵
    - Program crash
    PID:880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1468
    3⤵
    - Program crash
    PID:4960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1492
    3⤵
    - Program crash
    PID:5096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1664
    3⤵
    - Program crash
    PID:692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1652
    3⤵
    - Program crash
    PID:2400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1524
    3⤵
    - Program crash
    PID:4388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1448
    3⤵
    - Program crash
    PID:5092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 660
    3⤵
    - Program crash
    PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4052 -ip 4052
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1708 -ip 1708
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1708 -ip 1708
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1708 -ip 1708
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1708 -ip 1708
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1708 -ip 1708
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1708 -ip 1708
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1708 -ip 1708
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1708 -ip 1708
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1708 -ip 1708
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1708 -ip 1708
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1708 -ip 1708
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1708 -ip 1708
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1708 -ip 1708
1⤵
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a973003a834aa324c2e1ed598736ed9fdd5e1005d95430ce433bc66beb2e2032_NeikiAnalytics.exe

Filesize
969KB

MD5
7140f5de21b20c5e40e601ffee9cd8b2

SHA1
5afc3db5b51585f9aafb93075a02e60bdafe55c7

SHA256
e108528ee36a99595b5f2b7d0d199452bb5abba8b4d6b49b94333405478d3dbf

SHA512
186b379a4cd72e1437e7efed442fd7951ad2539b4eaa5cc23b5e03bdf330afe033d428a6e045696de442b71cfceb0a6f36408caf602d397a89e2b9707a59b804

Download Submit
memory/1708-6-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1708-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1708-14-0x0000000004FF0000-0x00000000050E2000-memory.dmp

Filesize
968KB

Download
memory/1708-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-27-0x000000000B7D0000-0x000000000B873000-memory.dmp

Filesize
652KB

Download
memory/1708-28-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4052-0-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/4052-7-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing