71fa94505d5d2b6e4ab01c9d0d0884f183266363c3239779167e08e0062a3ffb

General

Target

818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe
Size

115KB
MD5

818cbbab1b82d127f922374b7c3c5240
SHA1

321b0305809e8209e3792e61e9860b11ac2cbb0d
SHA256

71fa94505d5d2b6e4ab01c9d0d0884f183266363c3239779167e08e0062a3ffb
SHA512

90b6efbe71e636c1c17246c8419123b796ad76512165517c94c0d31f79abde1c657cc84eedd11d9b88ed5eccb83dbdf010822e5a08b41e4f71dd9566daf7f3da
SSDEEP

3072:HQC/yj5JO3Mn1bG+Hu54Fx4xE81bPRfw3b:wlj7cMn1i+OEXUPcb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4068	MSWDM.EXE
1556	MSWDM.EXE
1744	818CBBAB1B82D127F922374B7C3C5240_NEIKIANALYTICS.EXE
3820	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe
File opened for modification	C:\Windows\devEB1.tmp	818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe
File opened for modification	C:\Windows\devEB1.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1556	MSWDM.EXE
1556	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 4068	4108	818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe	90
PID 4108 wrote to memory of 4068	4108	818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe	90
PID 4108 wrote to memory of 4068	4108	818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe	90
PID 4108 wrote to memory of 1556	4108	818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe	91
PID 4108 wrote to memory of 1556	4108	818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe	91
PID 4108 wrote to memory of 1556	4108	818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe	91
PID 1556 wrote to memory of 1744	1556	MSWDM.EXE	92
PID 1556 wrote to memory of 1744	1556	MSWDM.EXE	92
PID 1556 wrote to memory of 1744	1556	MSWDM.EXE	92
PID 1556 wrote to memory of 3820	1556	MSWDM.EXE	94
PID 1556 wrote to memory of 3820	1556	MSWDM.EXE	94
PID 1556 wrote to memory of 3820	1556	MSWDM.EXE	94

C:\Users\Admin\AppData\Local\Temp\818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4108
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4068
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devEB1.tmp!C:\Users\Admin\AppData\Local\Temp\818cbbab1b82d127f922374b7c3c5240_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\818CBBAB1B82D127F922374B7C3C5240_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:1744
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devEB1.tmp!C:\Users\Admin\AppData\Local\Temp\818CBBAB1B82D127F922374B7C3C5240_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\818CBBAB1B82D127F922374B7C3C5240_NEIKIANALYTICS.EXE

Filesize
115KB

MD5
4d537c02e64f683aa8442825e8861a5f

SHA1
bb2af5c0c6382edfa9aac9e46b0903f07407e272

SHA256
0da9a40b8f15f8dcb72370256fd46b76234a8369e37411d64269559587e96124

SHA512
b591e0dc5875861ff0cd2bb97a52946579d7e4257ef97e749fa8dbacdc20b98a3e046e66722b8db20dcf4c6da203e71383789a1744329a45abed6e93ad242781

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
5d32a712107d0861eb6d7de8a1601d3b

SHA1
b6a31070a0612c4e9f5875a320081595730f8340

SHA256
93200957a90435ac511ba224d780702e6958f7f3dd7f9ce2d3b575eb03c17c35

SHA512
dfdc98031f519efc5b59611422f0dcaf8db7a25d2bae1e550b066d097cc303201d10c9a38bcc2df8e28397ad07e744968da3b5c3178f24ce144e6c8b96455f77

Download Submit
C:\Windows\devEB1.tmp

Filesize
35KB

MD5
2c66df25d30b2ea67ab2fd18f3058fd8

SHA1
ae92d355903d25afb6113c3bae6a40305e5857f9

SHA256
4f7262d45f0b95840d41511d3658281080a3a66e2d59541b5e52acf887b9b6bb

SHA512
5275be29af642a6220fc9930c3daccb0e74c8989d4d2ac573fae8465d96e501532d19130786d673f75f171ab7a2b55984673d5ccba37972ff5c3c9e3dfadac79

Download Submit
memory/1556-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3820-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4068-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4068-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4108-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4108-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4108-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads