8cac4cf5b54913686d919787ec3adc2a353b1314636482746bb7c93ee06d1c98

General

Target

f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
Size

297KB
MD5

f8b07bad7db22d0c641c54172ccc5370
SHA1

34b5f50d6ba0a5153921b33258d943ad0ecea05d
SHA256

8cac4cf5b54913686d919787ec3adc2a353b1314636482746bb7c93ee06d1c98
SHA512

5da7c49f2a5566bec247e8f9f56e6f1861d0c01c0fbfbf1132f351014faa4f43ac10b19f8423271151bed821f60485b85365c831bf474d3909264bed0f05a9cd
SSDEEP

6144:wlj7cMnC+OEXtIQqeHdA51d18T+G0QXMW30gPTB5/uwq:wlbC+NaKYE5Tf/K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
296	MSWDM.EXE
2356	MSWDM.EXE
2648	F8B07BAD7DB22D0C641C54172CCC5370_NEIKI.EXE
1196	Process not Found
2120	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
296	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
File opened for modification	C:\Windows\dev1FB1.tmp	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
File opened for modification	C:\Windows\dev1FB1.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
296	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2356	2864	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	28
PID 2864 wrote to memory of 2356	2864	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	28
PID 2864 wrote to memory of 2356	2864	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	28
PID 2864 wrote to memory of 2356	2864	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	28
PID 2864 wrote to memory of 296	2864	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	29
PID 2864 wrote to memory of 296	2864	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	29
PID 2864 wrote to memory of 296	2864	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	29
PID 2864 wrote to memory of 296	2864	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	29
PID 296 wrote to memory of 2648	296	MSWDM.EXE	30
PID 296 wrote to memory of 2648	296	MSWDM.EXE	30
PID 296 wrote to memory of 2648	296	MSWDM.EXE	30
PID 296 wrote to memory of 2648	296	MSWDM.EXE	30
PID 296 wrote to memory of 2120	296	MSWDM.EXE	31
PID 296 wrote to memory of 2120	296	MSWDM.EXE	31
PID 296 wrote to memory of 2120	296	MSWDM.EXE	31
PID 296 wrote to memory of 2120	296	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2864
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2356
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1FB1.tmp!C:\Users\Admin\AppData\Local\Temp\f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Users\Admin\AppData\Local\Temp\F8B07BAD7DB22D0C641C54172CCC5370_NEIKI.EXE
    3⤵
    - Executes dropped EXE
    PID:2648
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1FB1.tmp!C:\Users\Admin\AppData\Local\Temp\F8B07BAD7DB22D0C641C54172CCC5370_NEIKI.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F8B07BAD7DB22D0C641C54172CCC5370_NEIKI.EXE

Filesize
297KB

MD5
f2811a8849a24c041395a2ffddcf3843

SHA1
d5096a62e6299f67fd5b32389ee3ebe75cdddc1b

SHA256
75c248c71267fb95e65b5ffe2391780285adb5f2d928c71b90ac8a03fc4066b2

SHA512
7c4c248ccb692f54c85fb9060f9733d585b7440af04f49540500612be8bf14c709d310393b55c142dce58634ec5331baa9ac6f9bc199ef4a16bb860fa341ca23

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
dd68dc1f2acb8d56535514be222da2e9

SHA1
f8b48112bb5bff4d77e705ce05aa0f2dcb80c904

SHA256
38137371838a2b2704b823ed0fb8d6bb1d9cca9fc7da334535942ab1d489eb09

SHA512
2ebe2ea143735b014f5fced08a95a3e64a6c54a293a818a0d39555a31ea8d940b28ce9a6937f3d4d6cd449b849d5a1e8a645603c2571260bd6996bdb050bcb8a

Download Submit
C:\Windows\dev1FB1.tmp

Filesize
217KB

MD5
f8a38fd27da720881c0af1ac99b8c1ad

SHA1
2ed31938119e2ebdeb0f5539c985e9965aef72d7

SHA256
b2e32b3fa44b3a9a8fdfa906627355f6f48b4821929f9bce5ded2d07894361d4

SHA512
aafa05bc5bd68687b998fe4d9a619caecc65d14f317af7a05ac0ecab7e231891e8719029245dc84eddce20bdd4c0cc6f4ffafdf8200227746b28cc6628564495

Download Submit
memory/296-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2120-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2356-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2356-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-8-0x00000000002D0000-0x00000000002EB000-memory.dmp

Filesize
108KB

Download
memory/2864-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2864-12-0x00000000002D0000-0x00000000002EB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads