aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad

Analysis

max time kernel
145s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe
Size

448KB
MD5

34f394fde88fcc4d9262f7b17a3b5ff0
SHA1

e9c51524bb82c8275e17404e00bc24bd4db8d095
SHA256

aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad
SHA512

5cf67a9bb9d0be748e3d118c02e8c6c1f3cd6bcef97ba6b9503abbe52779432a48dd0cc1e97209f05852c8b8d1f28d83458f128d849bddb432a2ae5d69cb125c
SSDEEP

6144:7XlPZ6ppqxjO/lSXxI7T6cPSrl53BDu0W7cyqCxSngmMBqfycuPbUl0i5cD5J6Kb:7Xl8l/N253p80npM4dl0v5Jdmo

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4368	aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4368	aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1796	1156	WerFault.exe	79
632	4368	WerFault.exe	83
3216	4368	WerFault.exe	83
4132	4368	WerFault.exe	83
4236	4368	WerFault.exe	83
2164	4368	WerFault.exe	83
3824	4368	WerFault.exe	83

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1156	aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4368	aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 4368	1156	aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe	83
PID 1156 wrote to memory of 4368	1156	aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe	83
PID 1156 wrote to memory of 4368	1156	aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 384
  2⤵
  - Program crash
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 352
    3⤵
    - Program crash
    PID:632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 768
    3⤵
    - Program crash
    PID:3216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 812
    3⤵
    - Program crash
    PID:4132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 772
    3⤵
    - Program crash
    PID:4236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 776
    3⤵
    - Program crash
    PID:2164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 804
    3⤵
    - Program crash
    PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1156 -ip 1156
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4368 -ip 4368
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4368 -ip 4368
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4368 -ip 4368
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4368 -ip 4368
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4368 -ip 4368
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4368 -ip 4368
1⤵
PID:3412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aa3e57a1802971f3422b3e50ec1809a5b27292a1b76f1aac64705a3b886017ad_NeikiAnalytics.exe

Filesize
448KB

MD5
d0ecaec10e2947d26b8e5982a708c1f6

SHA1
6337536a199ba2facb564048164289fcbe098a48

SHA256
669b4f2d7569e55b0d8f882511aa08d019723fbbc1e0b2cbd6f9f189b1552f03

SHA512
b3e4b7a0c77f700a04a3fd53111f0936a56b284779b2add1532efb4720f8013cdbd5cb74d41c24aae084d4cfb63c5c4b2c3087687e9d98d303ade23726b7fcdf

Download Submit
memory/1156-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-6-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4368-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4368-8-0x0000000001460000-0x000000000149C000-memory.dmp

Filesize
240KB

Download
memory/4368-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download