0acba7934b1548a4827840d19b242957603c37cc3206df8c1f6686212ac3769c

General

Target

8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe
Size

648KB
MD5

8410ada1d1be6f8fe3dbf1f403abf760
SHA1

e47cf3ad0ba431f4a5e5cb932ce8e7a31d72cdaf
SHA256

0acba7934b1548a4827840d19b242957603c37cc3206df8c1f6686212ac3769c
SHA512

8566740ac7543be0ea01b10fe5e6ea7da92d4b0d352d1472d030935184bde23564372c7ec2706812ce678d1dfc34619c45d4428ddceaef57967c0a85fb688f4c
SSDEEP

12288:wlbo+Yaplw9U+qMi8CtdVldusIh6BBHCHrKZXCktSzIzWpX5w:Wbo+bYTqMi8CtBd2QHCHmTBW5w

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1860	MSWDM.EXE
2576	MSWDM.EXE
2704	8410ADA1D1BE6F8FE3DBF1F403ABF760_NEIKI.EXE
1192	Process not Found
3056	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2576	MSWDM.EXE
2576	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe
File opened for modification	C:\Windows\devBE3.tmp	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe
File opened for modification	C:\Windows\devBE3.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2576	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1860	2084	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	28
PID 2084 wrote to memory of 1860	2084	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	28
PID 2084 wrote to memory of 1860	2084	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	28
PID 2084 wrote to memory of 1860	2084	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	28
PID 2084 wrote to memory of 2576	2084	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	29
PID 2084 wrote to memory of 2576	2084	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	29
PID 2084 wrote to memory of 2576	2084	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	29
PID 2084 wrote to memory of 2576	2084	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	29
PID 2576 wrote to memory of 2704	2576	MSWDM.EXE	30
PID 2576 wrote to memory of 2704	2576	MSWDM.EXE	30
PID 2576 wrote to memory of 2704	2576	MSWDM.EXE	30
PID 2576 wrote to memory of 2704	2576	MSWDM.EXE	30
PID 2576 wrote to memory of 3056	2576	MSWDM.EXE	31
PID 2576 wrote to memory of 3056	2576	MSWDM.EXE	31
PID 2576 wrote to memory of 3056	2576	MSWDM.EXE	31
PID 2576 wrote to memory of 3056	2576	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2084
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1860
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devBE3.tmp!C:\Users\Admin\AppData\Local\Temp\8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\8410ADA1D1BE6F8FE3DBF1F403ABF760_NEIKI.EXE
    3⤵
    - Executes dropped EXE
    PID:2704
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devBE3.tmp!C:\Users\Admin\AppData\Local\Temp\8410ADA1D1BE6F8FE3DBF1F403ABF760_NEIKI.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8410ADA1D1BE6F8FE3DBF1F403ABF760_NEIKI.EXE

Filesize
648KB

MD5
4028187131722f1ec1eabbf0185f3b6b

SHA1
c3bd75f513d3f526a2898772785ab2afe447f112

SHA256
48c769b621a89ac17ff980e7ebc152506d9a37fafa76385f3bf3364aaed294f6

SHA512
04119026392773c9330b356ffc6220e0621536bab1e4c4e8d544752d66231c6118510baeeed6c0034b0f6a6b5e0947abbcb4565990eba6d4ece4bb0533f2b78d

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
d4f324176e864a4ba6c86ac00ec33851

SHA1
953a5de37833fae53d66912fa86d8adceb3dd74e

SHA256
3c69a2458dc6d1a1d1022efae1146c5541c661eb7e161124eabea1bf4fc8c43b

SHA512
703eec6157d0750d0684f091d14c229a640adc5266a9499a7e7d16963514198ca6ad495954495eac70b76f130a14461742e8149c4f43e7ddd43c9387b56ab399

Download Submit
C:\Windows\devBE3.tmp

Filesize
568KB

MD5
04fb3ae7f05c8bc333125972ba907398

SHA1
df22612647e9404a515d48ebad490349685250de

SHA256
2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef

SHA512
94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

Download Submit
memory/1860-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1860-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2084-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2084-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2576-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads