b12a53732e211ebd3e81a175c095a5b2c1fbc12aa8ecffcf3519d0a71bede684

General

Target

30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe
Size

73KB
MD5

30278447fe4027afc1a5236aed7f4720
SHA1

622ca8ddc1f403f5a1f607699bb275cb529c0b92
SHA256

b12a53732e211ebd3e81a175c095a5b2c1fbc12aa8ecffcf3519d0a71bede684
SHA512

0c5a459f2a21d013219e4cdae22b488bcf5c0b350e3e74dcf28d17795fdeac498803ffda2ce06d82f211513e744dd934391431df03c72a93d9838c112eb48b9f
SSDEEP

1536:rxG0+a0V7JCaTYnSGMkc/bOBJlZsuHc+fBEM:rlIV7JCaMnSrfbOBDau8+fBh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2128	MSWDM.EXE
2976	MSWDM.EXE
3056	30278447FE4027AFC1A5236AED7F4720_NEIKIANALYTICS.EXE
2728	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2976	MSWDM.EXE
2976	MSWDM.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2904-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000c000000014890-5.dat	upx
behavioral1/memory/2976-27-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2904-9-0x0000000000250000-0x0000000000268000-memory.dmp	upx
behavioral1/memory/2128-16-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2904-15-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2728-34-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000b0000000153ee-30.dat	upx
behavioral1/memory/2976-37-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2128-38-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev16BC.tmp	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev16BC.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2976	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2128	2904	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 2128	2904	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 2128	2904	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 2128	2904	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 2976	2904	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe	29
PID 2904 wrote to memory of 2976	2904	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe	29
PID 2904 wrote to memory of 2976	2904	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe	29
PID 2904 wrote to memory of 2976	2904	30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe	29
PID 2976 wrote to memory of 3056	2976	MSWDM.EXE	30
PID 2976 wrote to memory of 3056	2976	MSWDM.EXE	30
PID 2976 wrote to memory of 3056	2976	MSWDM.EXE	30
PID 2976 wrote to memory of 3056	2976	MSWDM.EXE	30
PID 2976 wrote to memory of 2728	2976	MSWDM.EXE	32
PID 2976 wrote to memory of 2728	2976	MSWDM.EXE	32
PID 2976 wrote to memory of 2728	2976	MSWDM.EXE	32
PID 2976 wrote to memory of 2728	2976	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2904
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2128
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev16BC.tmp!C:\Users\Admin\AppData\Local\Temp\30278447fe4027afc1a5236aed7f4720_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\30278447FE4027AFC1A5236AED7F4720_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:3056
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev16BC.tmp!C:\Users\Admin\AppData\Local\Temp\30278447FE4027AFC1A5236AED7F4720_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30278447FE4027AFC1A5236AED7F4720_NEIKIANALYTICS.EXE

Filesize
73KB

MD5
571e93094e2ead7142674c64e56c3fe2

SHA1
01a413378302ff6d0a2aa1248aba043174de7633

SHA256
0c5141a08e63d916695e4a25052a1d6617948da721c3631c5cac898705978a0c

SHA512
973daf7e6ae3be60d451ced36e89ec7608c7a962b4ed6f9ec6a6c67c5f013e62fb501c154cc2e766e15cf966a47ba6882738c6fa476f422aa380968e34eefdd7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
66d80d8f33e48c894755326fa6ba21dd

SHA1
2eba9f7bdbaa30817fa02b3644cb3c9a22ad5fdd

SHA256
10920efe3452a64993af20cb3d814c6b1d315c10d253d667da2e4354f5ec3a86

SHA512
88dcf79f6291febb93976d06a8c60a431f3bc8df03e74cb6e38d09cca0b71531827d40296eef823d95c001d2017bddcf740463492edbcb82e55edbd2ea22c86a

Download Submit
C:\Windows\dev16BC.tmp

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
memory/2128-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2128-38-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2728-34-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2904-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2904-7-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/2904-9-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/2904-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2976-27-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2976-37-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads