2a0f3a4b53b70b040c7d8520608a5d70dddc587278659c6a7ae446bf397e248d

General

Target

7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
Size

407KB
MD5

7e7750886a91c7d64a4db821f4c85240
SHA1

8b2f18700d9a80b92a2b9f24dadc9e42d7f8b634
SHA256

2a0f3a4b53b70b040c7d8520608a5d70dddc587278659c6a7ae446bf397e248d
SHA512

fddb585c605af3d231996419fdd76f604302a785c52ee37ef876b75c122ac02c34096e1f2d597c46c6d91b19e7fa38113d9735190851a29b51a114db54633929
SSDEEP

3072:uTCDYDg+vr87rnj3WCW2EW51HKKn3AmLRkgUA1nQZwFGVO4Mqg+WDj:IooZIFH5nvLRp1nQ4QLm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1864	MSWDM.EXE
2728	MSWDM.EXE
4296	7E7750886A91C7D64A4DB821F4C85240_NEIKI.EXE
1124	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
File opened for modification	C:\Windows\dev4594.tmp	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
File opened for modification	C:\Windows\dev4594.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	MSWDM.EXE
2728	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1864	1048	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	83
PID 1048 wrote to memory of 1864	1048	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	83
PID 1048 wrote to memory of 1864	1048	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	83
PID 1048 wrote to memory of 2728	1048	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	84
PID 1048 wrote to memory of 2728	1048	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	84
PID 1048 wrote to memory of 2728	1048	7e7750886a91c7d64a4db821f4c85240_NEIKI.exe	84
PID 2728 wrote to memory of 4296	2728	MSWDM.EXE	85
PID 2728 wrote to memory of 4296	2728	MSWDM.EXE	85
PID 2728 wrote to memory of 4296	2728	MSWDM.EXE	85
PID 2728 wrote to memory of 1124	2728	MSWDM.EXE	93
PID 2728 wrote to memory of 1124	2728	MSWDM.EXE	93
PID 2728 wrote to memory of 1124	2728	MSWDM.EXE	93

C:\Users\Admin\AppData\Local\Temp\7e7750886a91c7d64a4db821f4c85240_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\7e7750886a91c7d64a4db821f4c85240_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1048
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1864
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev4594.tmp!C:\Users\Admin\AppData\Local\Temp\7e7750886a91c7d64a4db821f4c85240_NEIKI.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\7E7750886A91C7D64A4DB821F4C85240_NEIKI.EXE
    3⤵
    - Executes dropped EXE
    PID:4296
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev4594.tmp!C:\Users\Admin\AppData\Local\Temp\7E7750886A91C7D64A4DB821F4C85240_NEIKI.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7e7750886a91c7d64a4db821f4c85240_NEIKI.exe

Filesize
407KB

MD5
32b6a76f5decab0dfdd6817b3a799c12

SHA1
ae33f0b973b147b0fab1e6b6453f4fde44507e0e

SHA256
d68cf44a9da4ad62f6c7dea3feb7feabc8c0d917e53c5a8b0f5e04ba8e051b77

SHA512
93606e71b1d362c0b18f339838c948e2f3ac91e155df7600e74dd3921fcd6ddcd51220ceea87d80814de473363036546f1c9ed16c7638b6807d870ab7f4d6e33

Download Submit
C:\Windows\MSWDM.EXE

Filesize
176KB

MD5
d9f59be78feaced99a6fd45823449665

SHA1
4fe5c345606f8034e40f8eadf31ef7c1b3ed4e15

SHA256
111fe06fe71c12bb0bc5cb873e103d00f2fb03baeb375aad7996c4a599e39b3c

SHA512
5e6ed357d127cf39041ecdb321f0fe9b521d501da0c2c805d599e797cbcd246439b9520181aadd145b0c008cedb414d385a29afbf56b1012b4b2f8c575bbafc5

Download Submit
C:\Windows\dev4594.tmp

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
memory/1048-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1048-7-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1124-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1124-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1864-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1864-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2728-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2728-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads