174e980e00697c50bdb5a6253742c70757cbd678acaedb4916b0e1289a45993b

General

Target

17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
Size

497KB
MD5

17f8ef36039e0f1f6c390a6b1bf70b20
SHA1

a277280486edcdb849351f736711fcc051e58df4
SHA256

174e980e00697c50bdb5a6253742c70757cbd678acaedb4916b0e1289a45993b
SHA512

b37ee3c1f74a9c8fe77a5929603716b56773a124c8fa8637ea800b0a38788afde4f87acecb4020ddcf2ae96e94bdb0f5546fa980b982ddbe1142ca19f8404e2b
SSDEEP

6144:J89MAfjz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayN:+D1gL5pRTcAkS/3hzN8qE43fm78VR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2012	MSWDM.EXE
2216	MSWDM.EXE
2004	17F8EF36039E0F1F6C390A6B1BF70B20_NEIKIANALYTICS.EXE
2868	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2216	MSWDM.EXE
2640	Process not Found

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2748-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000d000000012342-7.dat	upx
behavioral1/memory/2216-22-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2012-15-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2748-14-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000d000000014b63-26.dat	upx
behavioral1/memory/2868-30-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2216-33-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2012-34-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev205C.tmp	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev205C.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2216	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2012	2748	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	28
PID 2748 wrote to memory of 2012	2748	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	28
PID 2748 wrote to memory of 2012	2748	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	28
PID 2748 wrote to memory of 2012	2748	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	28
PID 2748 wrote to memory of 2216	2748	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	29
PID 2748 wrote to memory of 2216	2748	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	29
PID 2748 wrote to memory of 2216	2748	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	29
PID 2748 wrote to memory of 2216	2748	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	29
PID 2216 wrote to memory of 2004	2216	MSWDM.EXE	30
PID 2216 wrote to memory of 2004	2216	MSWDM.EXE	30
PID 2216 wrote to memory of 2004	2216	MSWDM.EXE	30
PID 2216 wrote to memory of 2004	2216	MSWDM.EXE	30
PID 2216 wrote to memory of 2868	2216	MSWDM.EXE	32
PID 2216 wrote to memory of 2868	2216	MSWDM.EXE	32
PID 2216 wrote to memory of 2868	2216	MSWDM.EXE	32
PID 2216 wrote to memory of 2868	2216	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2748
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2012
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev205C.tmp!C:\Users\Admin\AppData\Local\Temp\17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\17F8EF36039E0F1F6C390A6B1BF70B20_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2004
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev205C.tmp!C:\Users\Admin\AppData\Local\Temp\17F8EF36039E0F1F6C390A6B1BF70B20_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17F8EF36039E0F1F6C390A6B1BF70B20_NEIKIANALYTICS.EXE

Filesize
497KB

MD5
728ee9e349a82e2f4e2b82512335289a

SHA1
e8b56b3098a7f6a43fccde7de7a76d3d5f24c227

SHA256
f3bd0a107dc34ad0331068f2c750c2b4936eaa233cc6eb4647997cfbac6f9c52

SHA512
66533dfb9d108304bb4ce42b470458cd351bd10c3636b9a3a3693d3934ecd24b57cc0af97d643bf687a20b4fd49c1a21ffdf08c7a9db4c3d7d6384384df0db6b

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
66d80d8f33e48c894755326fa6ba21dd

SHA1
2eba9f7bdbaa30817fa02b3644cb3c9a22ad5fdd

SHA256
10920efe3452a64993af20cb3d814c6b1d315c10d253d667da2e4354f5ec3a86

SHA512
88dcf79f6291febb93976d06a8c60a431f3bc8df03e74cb6e38d09cca0b71531827d40296eef823d95c001d2017bddcf740463492edbcb82e55edbd2ea22c86a

Download Submit
C:\Windows\dev205C.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2012-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2012-34-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2216-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2216-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2748-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2748-6-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/2748-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2868-30-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads