68557a0d7550d0b92a1032bae395b16752706dbc409d046327679afd8a959f28

General

Target

5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
Size

115KB
MD5

5961c69cbc93fd9108c4c1cd712d37f0
SHA1

12fffb063f5d873e815e699134402e3877a4025a
SHA256

68557a0d7550d0b92a1032bae395b16752706dbc409d046327679afd8a959f28
SHA512

30b26cba58210619c07856660f6fb96db0ece4a78725e1c317efdd3433453baa0b997e75015e4a49db4fdfcb4004b1f9a72efca028a1c608497777a79c191c87
SSDEEP

3072:HQC/yj5JO3MnOG+Hu54Fx4xE8KoN5Cfsa:wlj7cMnf+OEX1O50

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1964	MSWDM.EXE
2728	MSWDM.EXE
4272	5961C69CBC93FD9108C4C1CD712D37F0_NEIKI.EXE
1772	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
File opened for modification	C:\Windows\dev3875.tmp	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
File opened for modification	C:\Windows\dev3875.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	MSWDM.EXE
2728	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 1964	396	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	83
PID 396 wrote to memory of 1964	396	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	83
PID 396 wrote to memory of 1964	396	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	83
PID 396 wrote to memory of 2728	396	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	84
PID 396 wrote to memory of 2728	396	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	84
PID 396 wrote to memory of 2728	396	5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe	84
PID 2728 wrote to memory of 4272	2728	MSWDM.EXE	85
PID 2728 wrote to memory of 4272	2728	MSWDM.EXE	85
PID 2728 wrote to memory of 4272	2728	MSWDM.EXE	85
PID 2728 wrote to memory of 1772	2728	MSWDM.EXE	87
PID 2728 wrote to memory of 1772	2728	MSWDM.EXE	87
PID 2728 wrote to memory of 1772	2728	MSWDM.EXE	87

C:\Users\Admin\AppData\Local\Temp\5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:396
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1964
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev3875.tmp!C:\Users\Admin\AppData\Local\Temp\5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\5961C69CBC93FD9108C4C1CD712D37F0_NEIKI.EXE
    3⤵
    - Executes dropped EXE
    PID:4272
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev3875.tmp!C:\Users\Admin\AppData\Local\Temp\5961C69CBC93FD9108C4C1CD712D37F0_NEIKI.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5961c69cbc93fd9108c4c1cd712d37f0_NEIKI.exe

Filesize
115KB

MD5
444972e74177c951a6604a048c55a221

SHA1
244c525ee0957587377c29ebbed6a79058c419f6

SHA256
e0944d9bf6b36953ca62ba6fb854fa1b527a3563c8691ee1c24ebb51691db00c

SHA512
b255b6ba0c85a4e550aef982f7ec65116e02e0c3bfb9ab66c45387c66ae6c300f91b85b233287fa571f2b44746159fc2aceb5202851d937c8ac9cba0d9bdb022

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
a188be975f50da7944d1ca6c25704225

SHA1
88ea7c4e26a13883c3bfa4bdf198e31b9dabbce0

SHA256
a64d566dd3b6d909d66f8bdaa88d988d88377b44d8b1ef2a603aa4972a213c9a

SHA512
6aada9e74ced47386eed3b752fe8f03e1e8900f570cb9b7501be3305f64497c8657519eca06f7e965d165b4b3f84d1d753e99f90eb16b00e213d5a575bbfb536

Download Submit
C:\Windows\dev3875.tmp

Filesize
35KB

MD5
6a7c4dc0fe5a8a33154566b5071b47c4

SHA1
265a1bcc6b6a6be7a7ad35194fb4984d7bb7ef88

SHA256
152944690bb39772fc594430205be704f7068c7a4bbcbe58074ebceab9911cf4

SHA512
8340ed45634757d05c95031541e8f655aabc7c7f4eab2caaf623c8b34bd0b2b08bb2c30f5f34faaee176b18730607308d492b1be10e098837fb6a450f344cf3e

Download Submit
memory/396-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/396-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2728-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads