8e3eb1029eda7cb03dd2fb85f7f77c51726534032a884a386774adbef2ffe561

General

Target

b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Size

92KB
MD5

b0a3abc04df94a2135663a77fc15ab50
SHA1

37f00e65f5936fc8de5ff0873b2292ad31277c7f
SHA256

8e3eb1029eda7cb03dd2fb85f7f77c51726534032a884a386774adbef2ffe561
SHA512

409e444870c597fbf7d875d20e9582d216bfe0257fa6aa3260ead7fe7e83699419f51cd39c52000b52989762999bdd13bbea17d91717d2576769b37c06691743
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FiG+sdguxnSngBNps07QJ:HQC/yj5JO3MniG+Hu5s07QJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2684	MSWDM.EXE
2472	MSWDM.EXE
2672	B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE
2500	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2472	MSWDM.EXE
2472	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev9415.tmp	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev9415.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2472	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2684	2264	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	28
PID 2264 wrote to memory of 2684	2264	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	28
PID 2264 wrote to memory of 2684	2264	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	28
PID 2264 wrote to memory of 2684	2264	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	28
PID 2264 wrote to memory of 2472	2264	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	29
PID 2264 wrote to memory of 2472	2264	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	29
PID 2264 wrote to memory of 2472	2264	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	29
PID 2264 wrote to memory of 2472	2264	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	29
PID 2472 wrote to memory of 2672	2472	MSWDM.EXE	30
PID 2472 wrote to memory of 2672	2472	MSWDM.EXE	30
PID 2472 wrote to memory of 2672	2472	MSWDM.EXE	30
PID 2472 wrote to memory of 2672	2472	MSWDM.EXE	30
PID 2472 wrote to memory of 2500	2472	MSWDM.EXE	32
PID 2472 wrote to memory of 2500	2472	MSWDM.EXE	32
PID 2472 wrote to memory of 2500	2472	MSWDM.EXE	32
PID 2472 wrote to memory of 2500	2472	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2264
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2684
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev9415.tmp!C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev9415.tmp!C:\Users\Admin\AppData\Local\Temp\B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE

Filesize
92KB

MD5
3a5fa7a9bfd9df682015b59d4e14b65b

SHA1
6a123f8fda535a0b19737015aa797960d1f2c3ad

SHA256
bfb7d1200e8d45187248f18ed2fe6ffd775bc9fb4f38a5373b6e48004daafa8b

SHA512
9f2d1b92476101d229914facbdfaf77e9bdea47ba1ccd43be5fdfd6dd42bf00caf2c07f4a9036363d4cf9fe0f80f0f747e8523e660279747eb60ad988000ea7a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
a587704ff11199aa99e958a49d6bfd35

SHA1
ecd0936cf9adc9d2e6d379d68d34a340ca473da7

SHA256
d97cbb9d5212b8af14afa8a218d5553cf9c912d1f743e4deedcfbbe482a68abf

SHA512
ebf23a92898d8a4d2e2646a2b6a5aace8976d89651d154ca0f642baf0e750d24061314d953b6977b87cbce25a1a13c3a7b5b49a9eda54a677f20a9097fda9b67

Download Submit
\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe

Filesize
12KB

MD5
897cc6ed17649490dec8e20e9dd7ffd6

SHA1
cb3a77d8dd7edf46de54545ca7b0c5b201f85917

SHA256
cfb6b16c6c7ee64111fe96a82c4619db26ea4bac0e39c5cb29d1181b8c065f34

SHA512
b719f7b95f723d0563b270f1260d086168b118189ca74f2aef37e90ad55d66f5c261ecfb15f77e80af6a551587b966bf48818a6421350f8e86b8a5f59acbc2ca

Download Submit
memory/2264-10-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2264-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-6-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2264-8-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2264-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2472-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2500-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2672-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2684-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2684-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads