2755631bac7725815675db31202768d1131e03af5ccfa32a1d0ac181ec7aed66

General

Target

1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe
Size

62KB
MD5

1db15568e1f69134c8c401d0c0853bc0
SHA1

f67dc3f350c88721472324eb8feec8fe979c9500
SHA256

2755631bac7725815675db31202768d1131e03af5ccfa32a1d0ac181ec7aed66
SHA512

b7e8d16cc08e26c2d2ac72fcc3019a064e7afa5062129dd8f9d4ecc690cbcd713506c960e6915b0a9ae4e86dedc158f7772cdeafc9d2fd3a70c33030ebe393f8
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FSG+sjl:HQC/yj5JO3MnSG++l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2212	MSWDM.EXE
1744	MSWDM.EXE
2572	1DB15568E1F69134C8C401D0C0853BC0_NEIKIANALYTICS.EXE
2724	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1744	MSWDM.EXE
1744	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\devFBA.tmp	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1744	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2212	2316	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe	28
PID 2316 wrote to memory of 2212	2316	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe	28
PID 2316 wrote to memory of 2212	2316	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe	28
PID 2316 wrote to memory of 2212	2316	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe	28
PID 2316 wrote to memory of 1744	2316	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe	29
PID 2316 wrote to memory of 1744	2316	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe	29
PID 2316 wrote to memory of 1744	2316	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe	29
PID 2316 wrote to memory of 1744	2316	1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe	29
PID 1744 wrote to memory of 2572	1744	MSWDM.EXE	30
PID 1744 wrote to memory of 2572	1744	MSWDM.EXE	30
PID 1744 wrote to memory of 2572	1744	MSWDM.EXE	30
PID 1744 wrote to memory of 2572	1744	MSWDM.EXE	30
PID 1744 wrote to memory of 2724	1744	MSWDM.EXE	31
PID 1744 wrote to memory of 2724	1744	MSWDM.EXE	31
PID 1744 wrote to memory of 2724	1744	MSWDM.EXE	31
PID 1744 wrote to memory of 2724	1744	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2316
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2212
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devFBA.tmp!C:\Users\Admin\AppData\Local\Temp\1db15568e1f69134c8c401d0c0853bc0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\1DB15568E1F69134C8C401D0C0853BC0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devFBA.tmp!C:\Users\Admin\AppData\Local\Temp\1DB15568E1F69134C8C401D0C0853BC0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
29c9387f23c164ed635ee6b4b2b243fb

SHA1
cf8c961cbedb5aa3e0a9ec9263b7aa62e2939130

SHA256
05e9a775c3e39e0ed8fc0d61f3e1da1f40aec50d945aa22b477bf13e1ab9b698

SHA512
f39ecc49d8aece2881280996c40393f813fd8929dea46e28bbfb18cb5eb8f6bfa271f2dd71ddeb5cc34d6a4ba94efcb761c0071d6fb2bc40dc0b729cdde65522

Download Submit
C:\Windows\devFBA.tmp

Filesize
14KB

MD5
7ea51103417f95f299379d9ebaa95fb3

SHA1
e27b5534d5736c0a0197b8096cb272901902028f

SHA256
4e5f92d8b5041668cdfc6eb7e045835ee6c6c82db987f06d336f068715be7c18

SHA512
131aadc639abc9c13303c42f98655b28919fba57c13d50ef4f3011f6fd80e28f81162cfb029286c07e1d0ea9831824da6db3eb68cf3162518f2b0fec643d31b1

Download Submit
memory/1744-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1744-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2212-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2212-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2316-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2316-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2572-27-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2724-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads