0acba7934b1548a4827840d19b242957603c37cc3206df8c1f6686212ac3769c

General

Target

8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe
Size

648KB
MD5

8410ada1d1be6f8fe3dbf1f403abf760
SHA1

e47cf3ad0ba431f4a5e5cb932ce8e7a31d72cdaf
SHA256

0acba7934b1548a4827840d19b242957603c37cc3206df8c1f6686212ac3769c
SHA512

8566740ac7543be0ea01b10fe5e6ea7da92d4b0d352d1472d030935184bde23564372c7ec2706812ce678d1dfc34619c45d4428ddceaef57967c0a85fb688f4c
SSDEEP

12288:wlbo+Yaplw9U+qMi8CtdVldusIh6BBHCHrKZXCktSzIzWpX5w:Wbo+bYTqMi8CtBd2QHCHmTBW5w

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1736	MSWDM.EXE
220	MSWDM.EXE
4364	8410ADA1D1BE6F8FE3DBF1F403ABF760_NEIKI.EXE
644	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev516C.tmp	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe
File opened for modification	C:\Windows\dev516C.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
220	MSWDM.EXE
220	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1736	2260	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	83
PID 2260 wrote to memory of 1736	2260	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	83
PID 2260 wrote to memory of 1736	2260	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	83
PID 2260 wrote to memory of 220	2260	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	84
PID 2260 wrote to memory of 220	2260	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	84
PID 2260 wrote to memory of 220	2260	8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe	84
PID 220 wrote to memory of 4364	220	MSWDM.EXE	85
PID 220 wrote to memory of 4364	220	MSWDM.EXE	85
PID 220 wrote to memory of 644	220	MSWDM.EXE	86
PID 220 wrote to memory of 644	220	MSWDM.EXE	86
PID 220 wrote to memory of 644	220	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2260
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1736
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev516C.tmp!C:\Users\Admin\AppData\Local\Temp\8410ada1d1be6f8fe3dbf1f403abf760_NEIKI.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\8410ADA1D1BE6F8FE3DBF1F403ABF760_NEIKI.EXE
    3⤵
    - Executes dropped EXE
    PID:4364
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev516C.tmp!C:\Users\Admin\AppData\Local\Temp\8410ADA1D1BE6F8FE3DBF1F403ABF760_NEIKI.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8410ADA1D1BE6F8FE3DBF1F403ABF760_NEIKI.EXE

Filesize
648KB

MD5
3585fef0ee8a98043be21fd6f75895b6

SHA1
dbb9cc9dd6d8c4479eb07216f3da70785a9f0648

SHA256
1ebb9f3933765aaa5ccd6861eebba4ed7beffd72650b5f9c3a9ed02bcf236fd8

SHA512
912cc95da602456f8144d2bd79324429eed08ca141149718d973f4c87d7449d27f5c056e4b841c1af7102820951caddea547a8a19164e79d4500839e93536f09

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
d4f324176e864a4ba6c86ac00ec33851

SHA1
953a5de37833fae53d66912fa86d8adceb3dd74e

SHA256
3c69a2458dc6d1a1d1022efae1146c5541c661eb7e161124eabea1bf4fc8c43b

SHA512
703eec6157d0750d0684f091d14c229a640adc5266a9499a7e7d16963514198ca6ad495954495eac70b76f130a14461742e8149c4f43e7ddd43c9387b56ab399

Download Submit
C:\Windows\dev516C.tmp

Filesize
568KB

MD5
04fb3ae7f05c8bc333125972ba907398

SHA1
df22612647e9404a515d48ebad490349685250de

SHA256
2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef

SHA512
94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

Download Submit
memory/220-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/644-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/644-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1736-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1736-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2260-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2260-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads