2a0f3a4b53b70b040c7d8520608a5d70dddc587278659c6a7ae446bf397e248d

General

Target

7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
Size

407KB
MD5

7e7750886a91c7d64a4db821f4c85240
SHA1

8b2f18700d9a80b92a2b9f24dadc9e42d7f8b634
SHA256

2a0f3a4b53b70b040c7d8520608a5d70dddc587278659c6a7ae446bf397e248d
SHA512

fddb585c605af3d231996419fdd76f604302a785c52ee37ef876b75c122ac02c34096e1f2d597c46c6d91b19e7fa38113d9735190851a29b51a114db54633929
SSDEEP

3072:uTCDYDg+vr87rnj3WCW2EW51HKKn3AmLRkgUA1nQZwFGVO4Mqg+WDj:IooZIFH5nvLRp1nQ4QLm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2260	MSWDM.EXE
2520	MSWDM.EXE
2888	7E7750886A91C7D64A4DB821F4C85240_NEIKI.EXE
2868	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2520	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
File opened for modification	C:\Windows\dev6FE3.tmp	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
File opened for modification	C:\Windows\dev6FE3.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2520	MSWDM.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2260	2732	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	28
PID 2732 wrote to memory of 2260	2732	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	28
PID 2732 wrote to memory of 2260	2732	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	28
PID 2732 wrote to memory of 2260	2732	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	28
PID 2732 wrote to memory of 2520	2732	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	29
PID 2732 wrote to memory of 2520	2732	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	29
PID 2732 wrote to memory of 2520	2732	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	29
PID 2732 wrote to memory of 2520	2732	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	29
PID 2520 wrote to memory of 2888	2520	MSWDM.EXE	30
PID 2520 wrote to memory of 2888	2520	MSWDM.EXE	30
PID 2520 wrote to memory of 2888	2520	MSWDM.EXE	30
PID 2520 wrote to memory of 2888	2520	MSWDM.EXE	30
PID 2520 wrote to memory of 2888	2520	MSWDM.EXE	30
PID 2520 wrote to memory of 2888	2520	MSWDM.EXE	30
PID 2520 wrote to memory of 2888	2520	MSWDM.EXE	30
PID 2520 wrote to memory of 2868	2520	MSWDM.EXE	31
PID 2520 wrote to memory of 2868	2520	MSWDM.EXE	31
PID 2520 wrote to memory of 2868	2520	MSWDM.EXE	31
PID 2520 wrote to memory of 2868	2520	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\7e7750886a91c7d64a4db821f4c85240_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2732
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2260
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev6FE3.tmp!C:\Users\Admin\AppData\Local\Temp\7e7750886a91c7d64a4db821f4c85240_NEIKI.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\7E7750886A91C7D64A4DB821F4C85240_NEIKI.EXE
    3⤵
    - Executes dropped EXE
    PID:2888
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev6FE3.tmp!C:\Users\Admin\AppData\Local\Temp\7E7750886A91C7D64A4DB821F4C85240_NEIKI.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7E7750886A91C7D64A4DB821F4C85240_NEIKI.EXE

Filesize
407KB

MD5
566be176772577e88dcc3d18fafc2a83

SHA1
b27bd6c25089de190ca40e7e79bc2d197dcf64e0

SHA256
0200a4c314b3e8d841c37446815e6537a5a58f8da4b052842fbc2b969fdf6624

SHA512
954f7d982d58a059e1fa10bea4d11cd0fd82b8d6391f4c434d7da06c14e89e54a9d3d5231800c5360c34aa66d4ce7091c74b5ad3a93e9738a500b1dd87ec505f

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
176KB

MD5
d9f59be78feaced99a6fd45823449665

SHA1
4fe5c345606f8034e40f8eadf31ef7c1b3ed4e15

SHA256
111fe06fe71c12bb0bc5cb873e103d00f2fb03baeb375aad7996c4a599e39b3c

SHA512
5e6ed357d127cf39041ecdb321f0fe9b521d501da0c2c805d599e797cbcd246439b9520181aadd145b0c008cedb414d385a29afbf56b1012b4b2f8c575bbafc5

Download Submit
C:\Windows\dev6FE3.tmp

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
memory/2260-33-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2260-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2520-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2520-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2732-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2732-12-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2732-14-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2732-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2868-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2868-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads