f2a71d9eea234362e0bfb4afe389932bc5c0645e914b4127212447d7b088a8f9

General

Target

089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe
Size

82KB
MD5

089a8047f26f1f4e6021c87644bce5c0
SHA1

eee6fccae386c3f2ec141d08ef25b9c5ab000225
SHA256

f2a71d9eea234362e0bfb4afe389932bc5c0645e914b4127212447d7b088a8f9
SHA512

3e9a7a96af7968a88e3918874c5a29599e75bcf0d5e408a223b637f65a0d12978b525cd472f62e1ce29a8a24bf5966384a66457d3e364ce8168151adfc22efad
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FaG+ss0Ao/VZl8WCfsEk:HQC/yj5JO3MnaG+joN5Cfs5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3088	MSWDM.EXE
508	MSWDM.EXE
2576	089A8047F26F1F4E6021C87644BCE5C0_NEIKIANALYTICS.EXE
4092	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev3CEA.tmp	089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev3CEA.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
508	MSWDM.EXE
508	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 3088	4364	089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe	82
PID 4364 wrote to memory of 3088	4364	089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe	82
PID 4364 wrote to memory of 3088	4364	089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe	82
PID 4364 wrote to memory of 508	4364	089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe	83
PID 4364 wrote to memory of 508	4364	089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe	83
PID 4364 wrote to memory of 508	4364	089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe	83
PID 508 wrote to memory of 2576	508	MSWDM.EXE	84
PID 508 wrote to memory of 2576	508	MSWDM.EXE	84
PID 508 wrote to memory of 2576	508	MSWDM.EXE	84
PID 508 wrote to memory of 4092	508	MSWDM.EXE	86
PID 508 wrote to memory of 4092	508	MSWDM.EXE	86
PID 508 wrote to memory of 4092	508	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4364
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3088
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev3CEA.tmp!C:\Users\Admin\AppData\Local\Temp\089a8047f26f1f4e6021c87644bce5c0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Users\Admin\AppData\Local\Temp\089A8047F26F1F4E6021C87644BCE5C0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2576
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev3CEA.tmp!C:\Users\Admin\AppData\Local\Temp\089A8047F26F1F4E6021C87644BCE5C0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\089A8047F26F1F4E6021C87644BCE5C0_NEIKIANALYTICS.EXE

Filesize
82KB

MD5
34e029fdac39295402bb4c40dee3994a

SHA1
011aea72e409e8dfbd9e3b7d24e261695447bec6

SHA256
dccf0cae2562e56f72bd7ca0d124499fbc866c3a28c52de52d57fab63f187aa2

SHA512
077835eacc5e2971ec264edee848a52fa252dbf35b582da487a3c76f91e3b6d36b89f35debc34f9a369e59bc500e2ff83d5f71f82cd5e4fc561cca99a2be78a7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
0b68b857a7e40217c3dc0fbccd74c48c

SHA1
8eca09de54246a76db602e9bb2e7447ed8861bae

SHA256
8891f8c76109255aff00be5f3ee7fe70a781371158d83f25ebf15d1a0fa7a22c

SHA512
eed10fb03056f0760046505b06e378b697821ab37179e751168f1e2c9a92d0f0b318a8189618f9929a8f5b65c4f986dd3fcac5514ce398ee371ade5c8143f9dd

Download Submit
C:\Windows\dev3CEA.tmp

Filesize
35KB

MD5
6a7c4dc0fe5a8a33154566b5071b47c4

SHA1
265a1bcc6b6a6be7a7ad35194fb4984d7bb7ef88

SHA256
152944690bb39772fc594430205be704f7068c7a4bbcbe58074ebceab9911cf4

SHA512
8340ed45634757d05c95031541e8f655aabc7c7f4eab2caaf623c8b34bd0b2b08bb2c30f5f34faaee176b18730607308d492b1be10e098837fb6a450f344cf3e

Download Submit
memory/508-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3088-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4092-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4364-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4364-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads