68557a0d7550d0b92a1032bae395b16752706dbc409d046327679afd8a959f28

General

Target

5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
Size

115KB
MD5

5961c69cbc93fd9108c4c1cd712d37f0
SHA1

12fffb063f5d873e815e699134402e3877a4025a
SHA256

68557a0d7550d0b92a1032bae395b16752706dbc409d046327679afd8a959f28
SHA512

30b26cba58210619c07856660f6fb96db0ece4a78725e1c317efdd3433453baa0b997e75015e4a49db4fdfcb4004b1f9a72efca028a1c608497777a79c191c87
SSDEEP

3072:HQC/yj5JO3MnOG+Hu54Fx4xE8KoN5Cfsa:wlj7cMnf+OEX1O50

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1692	MSWDM.EXE
2872	MSWDM.EXE
2528	5961C69CBC93FD9108C4C1CD712D37F0_NEIKI.EXE
2508	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2872	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
File opened for modification	C:\Windows\dev24CF.tmp	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
File opened for modification	C:\Windows\dev24CF.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2872	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1692	3004	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	28
PID 3004 wrote to memory of 1692	3004	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	28
PID 3004 wrote to memory of 1692	3004	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	28
PID 3004 wrote to memory of 1692	3004	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	28
PID 3004 wrote to memory of 2872	3004	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	29
PID 3004 wrote to memory of 2872	3004	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	29
PID 3004 wrote to memory of 2872	3004	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	29
PID 3004 wrote to memory of 2872	3004	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	29
PID 2872 wrote to memory of 2528	2872	MSWDM.EXE	30
PID 2872 wrote to memory of 2528	2872	MSWDM.EXE	30
PID 2872 wrote to memory of 2528	2872	MSWDM.EXE	30
PID 2872 wrote to memory of 2528	2872	MSWDM.EXE	30
PID 2872 wrote to memory of 2508	2872	MSWDM.EXE	32
PID 2872 wrote to memory of 2508	2872	MSWDM.EXE	32
PID 2872 wrote to memory of 2508	2872	MSWDM.EXE	32
PID 2872 wrote to memory of 2508	2872	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3004
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1692
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev24CF.tmp!C:\Users\Admin\AppData\Local\Temp\5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\5961C69CBC93FD9108C4C1CD712D37F0_NEIKI.EXE
    3⤵
    - Executes dropped EXE
    PID:2528
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev24CF.tmp!C:\Users\Admin\AppData\Local\Temp\5961C69CBC93FD9108C4C1CD712D37F0_NEIKI.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5961C69CBC93FD9108C4C1CD712D37F0_NEIKI.EXE

Filesize
115KB

MD5
750e0de77299c5fac0ac896098bd656f

SHA1
13c98b4740adcabebd1b8352f8726f41872db157

SHA256
357c5808fbcfa3abb708056cff3562571f1eab200eadb83df9662eeac29bdefb

SHA512
377ce838a2e031d34cc9d0b1fc353b1de06878cfd1b01a6ff7444f8560aa7cc41a93e0df12a7ab1f15e880fcfbbc26d6a26dcdd63fb2e05f0413b89989101bc8

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
a188be975f50da7944d1ca6c25704225

SHA1
88ea7c4e26a13883c3bfa4bdf198e31b9dabbce0

SHA256
a64d566dd3b6d909d66f8bdaa88d988d88377b44d8b1ef2a603aa4972a213c9a

SHA512
6aada9e74ced47386eed3b752fe8f03e1e8900f570cb9b7501be3305f64497c8657519eca06f7e965d165b4b3f84d1d753e99f90eb16b00e213d5a575bbfb536

Download Submit
C:\Windows\dev24CF.tmp

Filesize
35KB

MD5
6a7c4dc0fe5a8a33154566b5071b47c4

SHA1
265a1bcc6b6a6be7a7ad35194fb4984d7bb7ef88

SHA256
152944690bb39772fc594430205be704f7068c7a4bbcbe58074ebceab9911cf4

SHA512
8340ed45634757d05c95031541e8f655aabc7c7f4eab2caaf623c8b34bd0b2b08bb2c30f5f34faaee176b18730607308d492b1be10e098837fb6a450f344cf3e

Download Submit
memory/1692-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1692-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2508-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-24-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/3004-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads