c2c42da8058397fcace7c543ed0ce5153a8ae1ab81161ce76d14eae9ac475b98

General

Target

6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe
Size

860KB
MD5

6f56649b5388ecc3f02fd885af83c5c0
SHA1

0221d660d80d3a1e6d78ede41caa01ce08d6107c
SHA256

c2c42da8058397fcace7c543ed0ce5153a8ae1ab81161ce76d14eae9ac475b98
SHA512

d30cb8c6bff101e98a7aa5543978bf16d4060e30329f77f2dcc6eb12580b4da771652fee90b82d1b4195b7b5ea1737ecc2fd0124dfd14a58d4969f35c205d3b3
SSDEEP

12288:ISF1ZfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXVW:NF15LOS2opPIXVW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1840	MSWDM.EXE
2012	MSWDM.EXE
2032	6F56649B5388ECC3F02FD885AF83C5C0_NEIKIANALYTICS.EXE
1184	Process not Found
2572	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1840	MSWDM.EXE
1840	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev2829.tmp	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev2829.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1840	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2012	1948	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 2012	1948	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 2012	1948	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 2012	1948	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 1840	1948	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe	29
PID 1948 wrote to memory of 1840	1948	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe	29
PID 1948 wrote to memory of 1840	1948	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe	29
PID 1948 wrote to memory of 1840	1948	6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe	29
PID 1840 wrote to memory of 2032	1840	MSWDM.EXE	30
PID 1840 wrote to memory of 2032	1840	MSWDM.EXE	30
PID 1840 wrote to memory of 2032	1840	MSWDM.EXE	30
PID 1840 wrote to memory of 2032	1840	MSWDM.EXE	30
PID 1840 wrote to memory of 2572	1840	MSWDM.EXE	31
PID 1840 wrote to memory of 2572	1840	MSWDM.EXE	31
PID 1840 wrote to memory of 2572	1840	MSWDM.EXE	31
PID 1840 wrote to memory of 2572	1840	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1948
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2012
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev2829.tmp!C:\Users\Admin\AppData\Local\Temp\6f56649b5388ecc3f02fd885af83c5c0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\6F56649B5388ECC3F02FD885AF83C5C0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2032
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev2829.tmp!C:\Users\Admin\AppData\Local\Temp\6F56649B5388ECC3F02FD885AF83C5C0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6F56649B5388ECC3F02FD885AF83C5C0_NEIKIANALYTICS.EXE

Filesize
860KB

MD5
587e7758e3305347e374915de9268248

SHA1
ef0b96e5a8acacf2e999402364ab54c81eebd463

SHA256
4df5beedf903af126e2db1acbd70db93a4d6c9bab1bf2a837d137c4cdd0cfccd

SHA512
08125cee18ac5eefa41bb69eccfd7a98e74a633f6437153ddf08977315d0a442c86fd6d18e8056ac6c4c4fd6571891e0db5342301b9dd8201a22943aab56cca7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
176KB

MD5
8a351d3a4fdac918dccdbcb21c60b59c

SHA1
bdf5b7d41c4d62fbb23f71e9d7f7a4b9d7c4815a

SHA256
7c5d7b0369ef97f79d2a0492f2fc9f1e784f3f3317bd375c03bf0bf071673c95

SHA512
761a6aa05f6cf9892b839069eb298a5d3eec0e2e9dc0b287f05c38c984c388b7ce1e4adf9f371afabf342b3b38ba8814492eab3da2421597589f88ff338f2d2a

Download Submit
C:\Windows\dev2829.tmp

Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
memory/1840-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1840-33-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1948-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1948-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2012-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2012-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2572-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2572-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads