8e3eb1029eda7cb03dd2fb85f7f77c51726534032a884a386774adbef2ffe561

General

Target

b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Size

92KB
MD5

b0a3abc04df94a2135663a77fc15ab50
SHA1

37f00e65f5936fc8de5ff0873b2292ad31277c7f
SHA256

8e3eb1029eda7cb03dd2fb85f7f77c51726534032a884a386774adbef2ffe561
SHA512

409e444870c597fbf7d875d20e9582d216bfe0257fa6aa3260ead7fe7e83699419f51cd39c52000b52989762999bdd13bbea17d91717d2576769b37c06691743
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FiG+sdguxnSngBNps07QJ:HQC/yj5JO3MniG+Hu5s07QJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
632	MSWDM.EXE
4648	MSWDM.EXE
4984	B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE
748	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev33F1.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev33F1.tmp	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4648	MSWDM.EXE
4648	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 632	1008	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	83
PID 1008 wrote to memory of 632	1008	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	83
PID 1008 wrote to memory of 632	1008	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	83
PID 1008 wrote to memory of 4648	1008	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	84
PID 1008 wrote to memory of 4648	1008	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	84
PID 1008 wrote to memory of 4648	1008	b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe	84
PID 4648 wrote to memory of 4984	4648	MSWDM.EXE	85
PID 4648 wrote to memory of 4984	4648	MSWDM.EXE	85
PID 4648 wrote to memory of 4984	4648	MSWDM.EXE	85
PID 4648 wrote to memory of 748	4648	MSWDM.EXE	87
PID 4648 wrote to memory of 748	4648	MSWDM.EXE	87
PID 4648 wrote to memory of 748	4648	MSWDM.EXE	87

C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1008
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:632
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev33F1.tmp!C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:4984
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev33F1.tmp!C:\Users\Admin\AppData\Local\Temp\B0A3ABC04DF94A2135663A77FC15AB50_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b0a3abc04df94a2135663a77fc15ab50_NeikiAnalytics.exe

Filesize
92KB

MD5
9a07fc45f62687cc601d9c7a92d31bbd

SHA1
be39fc0b610d4fb1b5a4a14f0da149ef91757438

SHA256
780f1c5779b96560eff259a05b5d3c066ec6432c1b6b8d4a60316d71862e8122

SHA512
c9c57df52b71b233171df6a2d052a5c2e73036c5e045005a6c5c70499f7119c3023946af54755d6363fa707c7e1446fb569ccfb11545afe5b96ce20da5c2abae

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
a587704ff11199aa99e958a49d6bfd35

SHA1
ecd0936cf9adc9d2e6d379d68d34a340ca473da7

SHA256
d97cbb9d5212b8af14afa8a218d5553cf9c912d1f743e4deedcfbbe482a68abf

SHA512
ebf23a92898d8a4d2e2646a2b6a5aace8976d89651d154ca0f642baf0e750d24061314d953b6977b87cbce25a1a13c3a7b5b49a9eda54a677f20a9097fda9b67

Download Submit
C:\Windows\dev33F1.tmp

Filesize
12KB

MD5
897cc6ed17649490dec8e20e9dd7ffd6

SHA1
cb3a77d8dd7edf46de54545ca7b0c5b201f85917

SHA256
cfb6b16c6c7ee64111fe96a82c4619db26ea4bac0e39c5cb29d1181b8c065f34

SHA512
b719f7b95f723d0563b270f1260d086168b118189ca74f2aef37e90ad55d66f5c261ecfb15f77e80af6a551587b966bf48818a6421350f8e86b8a5f59acbc2ca

Download Submit
memory/632-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/632-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/748-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1008-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1008-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4648-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4648-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4984-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads