174e980e00697c50bdb5a6253742c70757cbd678acaedb4916b0e1289a45993b

General

Target

17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
Size

497KB
MD5

17f8ef36039e0f1f6c390a6b1bf70b20
SHA1

a277280486edcdb849351f736711fcc051e58df4
SHA256

174e980e00697c50bdb5a6253742c70757cbd678acaedb4916b0e1289a45993b
SHA512

b37ee3c1f74a9c8fe77a5929603716b56773a124c8fa8637ea800b0a38788afde4f87acecb4020ddcf2ae96e94bdb0f5546fa980b982ddbe1142ca19f8404e2b
SSDEEP

6144:J89MAfjz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayN:+D1gL5pRTcAkS/3hzN8qE43fm78VR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3720	MSWDM.EXE
1548	MSWDM.EXE
2724	17F8EF36039E0F1F6C390A6B1BF70B20_NEIKIANALYTICS.EXE
3600	MSWDM.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1380-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x000a000000016fa5-3.dat	upx
behavioral2/memory/1380-9-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1548-10-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x0007000000023256-16.dat	upx
behavioral2/memory/3600-19-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1548-22-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3720-23-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
File opened for modification	C:\Windows\devD542.tmp	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
File opened for modification	C:\Windows\devD542.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1548	MSWDM.EXE
1548	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 3720	1380	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	91
PID 1380 wrote to memory of 3720	1380	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	91
PID 1380 wrote to memory of 3720	1380	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	91
PID 1380 wrote to memory of 1548	1380	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	92
PID 1380 wrote to memory of 1548	1380	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	92
PID 1380 wrote to memory of 1548	1380	17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe	92
PID 1548 wrote to memory of 2724	1548	MSWDM.EXE	93
PID 1548 wrote to memory of 2724	1548	MSWDM.EXE	93
PID 1548 wrote to memory of 3600	1548	MSWDM.EXE	95
PID 1548 wrote to memory of 3600	1548	MSWDM.EXE	95
PID 1548 wrote to memory of 3600	1548	MSWDM.EXE	95

C:\Users\Admin\AppData\Local\Temp\17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1380
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3720
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devD542.tmp!C:\Users\Admin\AppData\Local\Temp\17f8ef36039e0f1f6c390a6b1bf70b20_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\17F8EF36039E0F1F6C390A6B1BF70B20_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2724
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devD542.tmp!C:\Users\Admin\AppData\Local\Temp\17F8EF36039E0F1F6C390A6B1BF70B20_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3648 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\17F8EF36039E0F1F6C390A6B1BF70B20_NEIKIANALYTICS.EXE

Filesize
497KB

MD5
e57ab3d78d3c473573b4c154695ac1e9

SHA1
ca364ef42f924d431d2bf9336725baf5f3a05bc4

SHA256
b26ed7a1922282cea9d16ff1bd862d93f1058a64aea06dad513bf40e540092cc

SHA512
4876b21cdef2e2324539b1e3a3ebf3d4ffca8342610e4817472b39a621a349f291d464b9857f3d00867ab7c35fd9ef53c1abfb921efa6e9b81642cb36bba8ba0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
66d80d8f33e48c894755326fa6ba21dd

SHA1
2eba9f7bdbaa30817fa02b3644cb3c9a22ad5fdd

SHA256
10920efe3452a64993af20cb3d814c6b1d315c10d253d667da2e4354f5ec3a86

SHA512
88dcf79f6291febb93976d06a8c60a431f3bc8df03e74cb6e38d09cca0b71531827d40296eef823d95c001d2017bddcf740463492edbcb82e55edbd2ea22c86a

Download Submit
C:\Windows\devD542.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1380-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1380-9-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1548-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1548-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3600-19-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3720-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads