8cac4cf5b54913686d919787ec3adc2a353b1314636482746bb7c93ee06d1c98

General

Target

f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
Size

297KB
MD5

f8b07bad7db22d0c641c54172ccc5370
SHA1

34b5f50d6ba0a5153921b33258d943ad0ecea05d
SHA256

8cac4cf5b54913686d919787ec3adc2a353b1314636482746bb7c93ee06d1c98
SHA512

5da7c49f2a5566bec247e8f9f56e6f1861d0c01c0fbfbf1132f351014faa4f43ac10b19f8423271151bed821f60485b85365c831bf474d3909264bed0f05a9cd
SSDEEP

6144:wlj7cMnC+OEXtIQqeHdA51d18T+G0QXMW30gPTB5/uwq:wlbC+NaKYE5Tf/K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
748	MSWDM.EXE
2924	MSWDM.EXE
636	F8B07BAD7DB22D0C641C54172CCC5370_NEIKI.EXE
2156	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
File opened for modification	C:\Windows\dev3383.tmp	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
File opened for modification	C:\Windows\dev3383.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2924	MSWDM.EXE
2924	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 748	1536	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	83
PID 1536 wrote to memory of 748	1536	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	83
PID 1536 wrote to memory of 748	1536	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	83
PID 1536 wrote to memory of 2924	1536	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	84
PID 1536 wrote to memory of 2924	1536	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	84
PID 1536 wrote to memory of 2924	1536	f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe	84
PID 2924 wrote to memory of 636	2924	MSWDM.EXE	85
PID 2924 wrote to memory of 636	2924	MSWDM.EXE	85
PID 2924 wrote to memory of 2156	2924	MSWDM.EXE	93
PID 2924 wrote to memory of 2156	2924	MSWDM.EXE	93
PID 2924 wrote to memory of 2156	2924	MSWDM.EXE	93

C:\Users\Admin\AppData\Local\Temp\f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1536
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:748
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev3383.tmp!C:\Users\Admin\AppData\Local\Temp\f8b07bad7db22d0c641c54172ccc5370_NEIKI.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\F8B07BAD7DB22D0C641C54172CCC5370_NEIKI.EXE
    3⤵
    - Executes dropped EXE
    PID:636
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev3383.tmp!C:\Users\Admin\AppData\Local\Temp\F8B07BAD7DB22D0C641C54172CCC5370_NEIKI.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F8B07BAD7DB22D0C641C54172CCC5370_NEIKI.EXE

Filesize
297KB

MD5
4df029bd4dcff17def25a9884c7af899

SHA1
a337d68ed65f3d41f1949b6e4e7c367f82ef34b2

SHA256
ff8b28676952d726e8042664540f1444e604fef80f887fcabd249fff7c3bfb19

SHA512
ce7dec543d33d1a440764970e5b467cfe9a21bda3adee4df4607b7efa9191d832431f67cfda579e9886ceff4454ae27782d6528782bca062fe3099833fe7cfeb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
dd68dc1f2acb8d56535514be222da2e9

SHA1
f8b48112bb5bff4d77e705ce05aa0f2dcb80c904

SHA256
38137371838a2b2704b823ed0fb8d6bb1d9cca9fc7da334535942ab1d489eb09

SHA512
2ebe2ea143735b014f5fced08a95a3e64a6c54a293a818a0d39555a31ea8d940b28ce9a6937f3d4d6cd449b849d5a1e8a645603c2571260bd6996bdb050bcb8a

Download Submit
C:\Windows\dev3383.tmp

Filesize
217KB

MD5
f8a38fd27da720881c0af1ac99b8c1ad

SHA1
2ed31938119e2ebdeb0f5539c985e9965aef72d7

SHA256
b2e32b3fa44b3a9a8fdfa906627355f6f48b4821929f9bce5ded2d07894361d4

SHA512
aafa05bc5bd68687b998fe4d9a619caecc65d14f317af7a05ac0ecab7e231891e8719029245dc84eddce20bdd4c0cc6f4ffafdf8200227746b28cc6628564495

Download Submit
memory/748-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/748-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1536-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2156-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2924-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2924-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads