e2b52234a77e2f39c45ee7deb47499d31b3b4da9ff5e2c4da09174cfcfc97fb8

General

Target

bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe
Size

115KB
MD5

bae71e59150bb23d2a996f9911e7ebb0
SHA1

d209c3d8a5419e8ad944726d12f06ddd6d181896
SHA256

e2b52234a77e2f39c45ee7deb47499d31b3b4da9ff5e2c4da09174cfcfc97fb8
SHA512

ae2a5d5c0b85a464a276ca564087d41ab826d066999f007efae92d0515122382a1051c4808785112898e846364db90abae97cea1377ff080cd6b369e42f3d9e6
SSDEEP

3072:HQC/yj5JO3MnEG+Hu54Fx4xE8N5Lxxu6IfoJ:wlj7cMnl+OEX+I6J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4728	MSWDM.EXE
3016	MSWDM.EXE
2136	BAE71E59150BB23D2A996F9911E7EBB0_NEIKIANALYTICS.EXE
3576	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev4C0D.tmp	bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev4C0D.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3016	MSWDM.EXE
3016	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4728	4480	bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe	82
PID 4480 wrote to memory of 4728	4480	bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe	82
PID 4480 wrote to memory of 4728	4480	bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe	82
PID 4480 wrote to memory of 3016	4480	bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe	83
PID 4480 wrote to memory of 3016	4480	bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe	83
PID 4480 wrote to memory of 3016	4480	bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe	83
PID 3016 wrote to memory of 2136	3016	MSWDM.EXE	84
PID 3016 wrote to memory of 2136	3016	MSWDM.EXE	84
PID 3016 wrote to memory of 3576	3016	MSWDM.EXE	86
PID 3016 wrote to memory of 3576	3016	MSWDM.EXE	86
PID 3016 wrote to memory of 3576	3016	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4480
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4728
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev4C0D.tmp!C:\Users\Admin\AppData\Local\Temp\bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\BAE71E59150BB23D2A996F9911E7EBB0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2136
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev4C0D.tmp!C:\Users\Admin\AppData\Local\Temp\BAE71E59150BB23D2A996F9911E7EBB0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bae71e59150bb23d2a996f9911e7ebb0_NeikiAnalytics.exe

Filesize
115KB

MD5
e8293a24797b8613a96a3d6260b0e363

SHA1
7409eb5d640ae274762f7e1d550f696dfef82777

SHA256
ae7df5c67d69bc0fdfbeb4495c60d91578aeff81a8aec211351058682a2934e8

SHA512
64fdc7682093d37bc3321f9d94c026f0cc086585cbb2b127431bda6c07cb1fade14c4e52961717032279c174bda816b532b94bbb3b3e32eb37dde6888d94699c

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
84f71022ebc5a46c478395d37f05130e

SHA1
fd0750764a52487fcf79730e1437a41c100c8ea1

SHA256
84ac817481587ff062220c5b8fc23501d3192e3dec6c265e0dc7f9f78a7396e5

SHA512
8c5818749619daa759b6cec7226609ae5fe3d2d8bd50c82b919a2eca400156c21a9e4c4b9cc10b1da8117aeb73cdb96538ae47644ff636cf98c6c7e5dcd351c3

Download Submit
C:\Windows\dev4C0D.tmp

Filesize
35KB

MD5
ea3b798870a5c6e159bb05f432b0438a

SHA1
17cdd851ea58dd00296bd44c031484ef05342ee0

SHA256
3e7a5f7a2c4d88b30de76681d2759119aaf479f5787b6466dc175a852e50a1c7

SHA512
fc3f5089d2a57e38d285e5a90f2be63431d40c2c443dec41b783aaf5c1a6f4ab9b6904cd5fece18d6dc15664f00d7d5d0ba27d226f7623fe02c2f76f57a17524

Download Submit
memory/3016-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3016-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3576-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4480-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4480-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4728-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads