00397eda698f19f1f8566e81f36e0c837a7547cc3678c361cb3991b421e2d391

Analysis

max time kernel
14s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe
Size

270KB
MD5

b1c449a492d87f8aca7434f40bb24a50
SHA1

61134e82c109e9a428ab1ebdddea3ed2690f12c5
SHA256

00397eda698f19f1f8566e81f36e0c837a7547cc3678c361cb3991b421e2d391
SHA512

2c68ce3bb584370464f6690ec8873a99190aad85971d99d33853654dcc9cedd39e1685b0190ece255fea3b352135497363490cc39eb29fba592fdeb513be61f3
SSDEEP

3072:WcX93xwq19gL2SjGojCJa7Mduo2f5ADt4STBfsY5vXWqvuHcYnLzqP2oaNpdY:WcNhJgX9zxo2f57STB0YRX8n6aJY

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2272	MSWDM.EXE
2504	MSWDM.EXE
2532	B1C449A492D87F8ACA7434F40BB24A50_NEIKIANALYTICS.EXE

Loads dropped DLL 1 IoCs

pid	Process
2504	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev8CD5.tmp	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2504	MSWDM.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 2272	1440	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe	28
PID 1440 wrote to memory of 2272	1440	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe	28
PID 1440 wrote to memory of 2272	1440	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe	28
PID 1440 wrote to memory of 2272	1440	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe	28
PID 1440 wrote to memory of 2504	1440	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe	29
PID 1440 wrote to memory of 2504	1440	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe	29
PID 1440 wrote to memory of 2504	1440	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe	29
PID 1440 wrote to memory of 2504	1440	b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe	29
PID 2504 wrote to memory of 2532	2504	MSWDM.EXE	30
PID 2504 wrote to memory of 2532	2504	MSWDM.EXE	30
PID 2504 wrote to memory of 2532	2504	MSWDM.EXE	30
PID 2504 wrote to memory of 2532	2504	MSWDM.EXE	30
PID 2504 wrote to memory of 2532	2504	MSWDM.EXE	30
PID 2504 wrote to memory of 2532	2504	MSWDM.EXE	30
PID 2504 wrote to memory of 2532	2504	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1440
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2272
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev8CD5.tmp!C:\Users\Admin\AppData\Local\Temp\b1c449a492d87f8aca7434f40bb24a50_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\B1C449A492D87F8ACA7434F40BB24A50_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\MSWDM.EXE

Filesize
256KB

MD5
aeee41891491d1b8957b9d25ae74bc43

SHA1
a5c0519cc5918b308d49cf826756acf87a8d819c

SHA256
239059dba8f44cab60069de742cd35c06f29de738c509b3d0e4bf881859221b6

SHA512
f29d985c9730c8320200648a275ea3e96497e95001c974cbdad2bae90c3416811a44e8eb4d65ab6142808b4db80e98983199ddbb5156cd7e5eccc7639bc982e4

Download Submit
C:\Windows\dev8CD5.tmp

Filesize
14KB

MD5
ad782ffac62e14e2269bf1379bccbaae

SHA1
9539773b550e902a35764574a2be2d05bc0d8afc

SHA256
1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8

SHA512
a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

Download Submit