5dab51efdb192b533e803918d4c72ee4e29c79427a0aaddc9ef89799db2b3727

General

Target

0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe
Size

91KB
MD5

0ec69bffa584222d25a59a6ca7283580
SHA1

9dffdff66a61e307acb87794976ec059e03e282d
SHA256

5dab51efdb192b533e803918d4c72ee4e29c79427a0aaddc9ef89799db2b3727
SHA512

3706852eaa2d76ddd0b5b46b29fe957b7cbaa85b9c009844b06c52132ed8a0506c99cb1cd73191ad5e8c9720ce29914c2d51b7246d1623f379ca0915a4f5d870
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FWG+sdguxnSngBNpT/mzNnxPAxEAz0+/Sn:HQC/yj5JO3MnWG+Hu54Fx4xE8qn

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fakerdtsc\ImagePath = 5c003f003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c00540065006d0070005c00660061006b006500720064007400730063002e007300790073000000	0EC69BFFA584222D25A59A6CA7283580_NEIKIANALYTICS.EXE

Executes dropped EXE 4 IoCs

pid	Process
3716	MSWDM.EXE
1628	MSWDM.EXE
2016	0EC69BFFA584222D25A59A6CA7283580_NEIKIANALYTICS.EXE
4220	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev6438.tmp	0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev6438.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1628	MSWDM.EXE
1628	MSWDM.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2016	0EC69BFFA584222D25A59A6CA7283580_NEIKIANALYTICS.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2016	0EC69BFFA584222D25A59A6CA7283580_NEIKIANALYTICS.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3716	2248	0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe	82
PID 2248 wrote to memory of 3716	2248	0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe	82
PID 2248 wrote to memory of 3716	2248	0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe	82
PID 2248 wrote to memory of 1628	2248	0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe	83
PID 2248 wrote to memory of 1628	2248	0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe	83
PID 2248 wrote to memory of 1628	2248	0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe	83
PID 1628 wrote to memory of 2016	1628	MSWDM.EXE	84
PID 1628 wrote to memory of 2016	1628	MSWDM.EXE	84
PID 1628 wrote to memory of 2016	1628	MSWDM.EXE	84
PID 1628 wrote to memory of 4220	1628	MSWDM.EXE	85
PID 1628 wrote to memory of 4220	1628	MSWDM.EXE	85
PID 1628 wrote to memory of 4220	1628	MSWDM.EXE	85

C:\Users\Admin\AppData\Local\Temp\0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2248
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3716
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev6438.tmp!C:\Users\Admin\AppData\Local\Temp\0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\0EC69BFFA584222D25A59A6CA7283580_NEIKIANALYTICS.EXE
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev6438.tmp!C:\Users\Admin\AppData\Local\Temp\0EC69BFFA584222D25A59A6CA7283580_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ec69bffa584222d25a59a6ca7283580_NeikiAnalytics.exe

Filesize
91KB

MD5
757a2028e30bdb0a1a6f9c3e75e05043

SHA1
27a49dab624cd4b6021262115aeea6516a23fb59

SHA256
9596726305808b3ceff6ce5c7a14ec32bdf4e723b7cab2e1ef27c4549e6f3d30

SHA512
0e43fb2ffb5c56ba05c8852b80c61afb328847ce6b3bde0c2b6cb79e8355453bb277ab3b3b3ab81fa3fac44a0a8f2c75c8572584a8fa9bbcadcd55208125ec11

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
c84bc0f83dc44704d7270b58bf2a29ba

SHA1
e19f6bea1b73453ac8eae115692c0e430454109f

SHA256
1a6ba686a1457a631c648ba07ce1faf17a4c4807ccef2184c4c8d57a9136a03f

SHA512
b36272e03cf400b1dfbf75855fa9f890dd0fb1f99151c16943d2838512718b087edce592a2218a34fdefece266af0bf0ce82ffc411557673f77aaa3355db1233

Download Submit
C:\Windows\dev6438.tmp

Filesize
11KB

MD5
b5f8d0c67b41eb650ddf4cc59ce48cae

SHA1
288f7a4b88df49875f534313cb32bd974d3278dd

SHA256
a495a79d9640aa57b33850b0594b4477659fcb1aa754ce0f3867252a8966ba27

SHA512
fdaf1dc4f20893cfbd525ef27dc7f719133751df33ff17e95f9abe430f880c140e8874e8fb499e9f94fcb3505d178974e2474002afa0f7fbc8978a1e188df6d5

Download Submit
memory/1628-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1628-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2016-16-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2248-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2248-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3716-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3716-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4220-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads