32515bcb0c73551959eeb26492764c28f298bb51ce81f2a89a384c338995f4c3

General

Target

842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe
Size

91KB
MD5

842132e5e133be0bddbed73a6bafb1d0
SHA1

d15d445ab061767838836e1c7b111e7a1a8e7ada
SHA256

32515bcb0c73551959eeb26492764c28f298bb51ce81f2a89a384c338995f4c3
SHA512

cb8a99d8f4048484a4cfebc9fb23316e70bfad239344a805809ca8f840656e9afff57f5ec0541ff9fd7e9c0caa46cb4c1161138a710aa454e4b7e890a010e0bc
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FnG+sdguxnSngBNpT/mzNnxPAxEAz0+/S4:HQC/yj5JO3MnnG+Hu54Fx4xE8q4

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fakerdtsc\ImagePath = 5c003f003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c00540065006d0070005c00660061006b006500720064007400730063002e007300790073000000	842132E5E133BE0BDDBED73A6BAFB1D0_NEIKIANALYTICS.EXE

Executes dropped EXE 4 IoCs

pid	Process
1028	MSWDM.EXE
1600	MSWDM.EXE
2692	842132E5E133BE0BDDBED73A6BAFB1D0_NEIKIANALYTICS.EXE
2660	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1600	MSWDM.EXE
1600	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\devC40.tmp	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\devC40.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1600	MSWDM.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2692	842132E5E133BE0BDDBED73A6BAFB1D0_NEIKIANALYTICS.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2692	842132E5E133BE0BDDBED73A6BAFB1D0_NEIKIANALYTICS.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1028	1752	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe	28
PID 1752 wrote to memory of 1028	1752	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe	28
PID 1752 wrote to memory of 1028	1752	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe	28
PID 1752 wrote to memory of 1028	1752	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe	28
PID 1752 wrote to memory of 1600	1752	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe	29
PID 1752 wrote to memory of 1600	1752	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe	29
PID 1752 wrote to memory of 1600	1752	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe	29
PID 1752 wrote to memory of 1600	1752	842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe	29
PID 1600 wrote to memory of 2692	1600	MSWDM.EXE	30
PID 1600 wrote to memory of 2692	1600	MSWDM.EXE	30
PID 1600 wrote to memory of 2692	1600	MSWDM.EXE	30
PID 1600 wrote to memory of 2692	1600	MSWDM.EXE	30
PID 1600 wrote to memory of 2660	1600	MSWDM.EXE	31
PID 1600 wrote to memory of 2660	1600	MSWDM.EXE	31
PID 1600 wrote to memory of 2660	1600	MSWDM.EXE	31
PID 1600 wrote to memory of 2660	1600	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1752
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1028
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devC40.tmp!C:\Users\Admin\AppData\Local\Temp\842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\842132E5E133BE0BDDBED73A6BAFB1D0_NEIKIANALYTICS.EXE
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devC40.tmp!C:\Users\Admin\AppData\Local\Temp\842132E5E133BE0BDDBED73A6BAFB1D0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\842132E5E133BE0BDDBED73A6BAFB1D0_NEIKIANALYTICS.EXE

Filesize
91KB

MD5
2dea0718a80afcdc796c76ebf924f00c

SHA1
1c808b5f23c3a2278f38539fc3fc939a6bba405f

SHA256
12214f397fc8ad8d95e607bf057dae93087043b46975991cbfa60c96806de943

SHA512
e63f9ab4f40bc761e79c8498986ae2dd1e337b8a9ab6daef83b7f9cc38b686183f5fde32e27786165983693cb9a378c66436d7d2cedf02aea654f410c611e026

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
2e1aa7394f8dab55d92f572f579beddb

SHA1
c96c50f41cecdeaf0a152ea7bcb6d2f9a462f123

SHA256
deef632cb1a27dfaf5149f97ed3f7495a7ee7ac4b9ef39bb20fee1f7b08d8efa

SHA512
31d97a928be35d2a758a36523682cfd4d639c4633ba3b81319950433a7006270f3fe68fbbb4ee1111510802f4b6e34626a0233a4bc74890fcebd11fd86b39e51

Download Submit
\Users\Admin\AppData\Local\Temp\842132e5e133be0bddbed73a6bafb1d0_NeikiAnalytics.exe

Filesize
11KB

MD5
b5f8d0c67b41eb650ddf4cc59ce48cae

SHA1
288f7a4b88df49875f534313cb32bd974d3278dd

SHA256
a495a79d9640aa57b33850b0594b4477659fcb1aa754ce0f3867252a8966ba27

SHA512
fdaf1dc4f20893cfbd525ef27dc7f719133751df33ff17e95f9abe430f880c140e8874e8fb499e9f94fcb3505d178974e2474002afa0f7fbc8978a1e188df6d5

Download Submit
memory/1028-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1028-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-34-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/1600-43-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1600-29-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/1600-28-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/1752-6-0x00000000001E0000-0x00000000001FB000-memory.dmp

Filesize
108KB

Download
memory/1752-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1752-8-0x00000000001E0000-0x00000000001FB000-memory.dmp

Filesize
108KB

Download
memory/1752-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2660-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2660-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2692-31-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2692-32-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads