d7032e4b677bfb30e7d009ceb3559dc6f232301fb352ac79c19cd066f0578252

General

Target

17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe
Size

2.0MB
MD5

17e66a4ceb789e7ae832d683f419fcc0
SHA1

29edfe6d77290533af99e0ae6f1757bf4bb62a1b
SHA256

d7032e4b677bfb30e7d009ceb3559dc6f232301fb352ac79c19cd066f0578252
SHA512

62f299207bbb77a61825deaf1e93fe092d8c1524da8305353b4711fd7808d23c300458e55a1d2e074228947b129b74f7f0c42df88c4a24437f053bb4ed93a395
SSDEEP

49152:MtscS4neHbyfYTOYKPu/gEjiEO5ItD8LnHFLHkJEM:MttS4neHvZjiEO5IhADw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2388	MSWDM.EXE
2052	MSWDM.EXE
2340	17E66A4CEB789E7AE832D683F419FCC0_NEIKI.EXE
2792	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2388	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev228E.tmp	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe
File created	C:\WINDOWS\MSWDM.EXE	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2388	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2052	1452	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe	28
PID 1452 wrote to memory of 2052	1452	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe	28
PID 1452 wrote to memory of 2052	1452	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe	28
PID 1452 wrote to memory of 2052	1452	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe	28
PID 1452 wrote to memory of 2388	1452	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe	29
PID 1452 wrote to memory of 2388	1452	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe	29
PID 1452 wrote to memory of 2388	1452	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe	29
PID 1452 wrote to memory of 2388	1452	17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe	29
PID 2388 wrote to memory of 2340	2388	MSWDM.EXE	30
PID 2388 wrote to memory of 2340	2388	MSWDM.EXE	30
PID 2388 wrote to memory of 2340	2388	MSWDM.EXE	30
PID 2388 wrote to memory of 2340	2388	MSWDM.EXE	30
PID 2388 wrote to memory of 2792	2388	MSWDM.EXE	31
PID 2388 wrote to memory of 2792	2388	MSWDM.EXE	31
PID 2388 wrote to memory of 2792	2388	MSWDM.EXE	31
PID 2388 wrote to memory of 2792	2388	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1452
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2052
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev228E.tmp!C:\Users\Admin\AppData\Local\Temp\17e66a4ceb789e7ae832d683f419fcc0_NEIKI.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\17E66A4CEB789E7AE832D683F419FCC0_NEIKI.EXE
    3⤵
    - Executes dropped EXE
    PID:2340
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev228E.tmp!C:\Users\Admin\AppData\Local\Temp\17E66A4CEB789E7AE832D683F419FCC0_NEIKI.EXE!
    3⤵
    - Executes dropped EXE
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
a6d525906bdb2d9885426f32dceac582

SHA1
f6899ddcfe03813625d4dff2bcb4b072a3903286

SHA256
a40d1971c0916bbc7b7bf2359022d60bb45f61e5d78c305fc2910a07fd66d8d4

SHA512
3727cb264261817c2bc8735335b1254a14b8a97bb862822052d669966af3ca6a89d01a3c242682d2d19af314f24798f921070dacd3f9ec6cef0c6d817593d5a7

Download Submit
C:\Windows\dev228E.tmp

Filesize
424KB

MD5
29e177c7bb7343f365f12ad9a8af4c48

SHA1
116569c0e97853f01a2bd1c2c8b5a9c0c8e1c6b3

SHA256
197fc8bbd50333cde901ca625937407b6c11a393d019dfe56fcee17719f1053c

SHA512
635777358e113ca2abcd2a301d50cb8dacfd48d1055dee6060fe2b38b3106e172ce828169385762936a23782ee6d5e6b10b607183576de4dbea1e3c20ec802f3

Download Submit
memory/1452-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1452-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2052-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2388-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2388-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2792-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads