3fd319099dc069eace1b3f9fee0213abfb4ba2af9a8fa21d4aaceeca7b4bd941

General

Target

33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe
Size

81KB
MD5

33a69a31d3806d322295c3d8b59cbb00
SHA1

575abd31eb99400f9a4f76c433d13913eebc52bf
SHA256

3fd319099dc069eace1b3f9fee0213abfb4ba2af9a8fa21d4aaceeca7b4bd941
SHA512

b671d20cabb4c1c238a2bbcd7c9a3abe96fdaaa22ae540bc436b05f7e68e66fa74fd1695892394ad948db27e3b246d60d90d2b5243daac54308359b108fe6fd8
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FCG+seOBJlZsuHc+fBEE:HQC/yj5JO3MnCG+HOBDau8+fBF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1796	MSWDM.EXE
2184	MSWDM.EXE
1980	33A69A31D3806D322295C3D8B59CBB00_NEIKIANALYTICS.EXE
2652	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2184	MSWDM.EXE
2184	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev2194.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev2194.tmp	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2184	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1796	3000	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1796	3000	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1796	3000	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1796	3000	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 2184	3000	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe	29
PID 3000 wrote to memory of 2184	3000	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe	29
PID 3000 wrote to memory of 2184	3000	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe	29
PID 3000 wrote to memory of 2184	3000	33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 1980	2184	MSWDM.EXE	30
PID 2184 wrote to memory of 1980	2184	MSWDM.EXE	30
PID 2184 wrote to memory of 1980	2184	MSWDM.EXE	30
PID 2184 wrote to memory of 1980	2184	MSWDM.EXE	30
PID 2184 wrote to memory of 2652	2184	MSWDM.EXE	32
PID 2184 wrote to memory of 2652	2184	MSWDM.EXE	32
PID 2184 wrote to memory of 2652	2184	MSWDM.EXE	32
PID 2184 wrote to memory of 2652	2184	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3000
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1796
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev2194.tmp!C:\Users\Admin\AppData\Local\Temp\33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\33A69A31D3806D322295C3D8B59CBB00_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:1980
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev2194.tmp!C:\Users\Admin\AppData\Local\Temp\33A69A31D3806D322295C3D8B59CBB00_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33A69A31D3806D322295C3D8B59CBB00_NEIKIANALYTICS.EXE

Filesize
81KB

MD5
6b79560a0e111de32f03aeed0dfa704c

SHA1
8a8012aaf5b900a79dc7d925130cf5643fe48ed1

SHA256
88ef92618ad4f599d49268c9afc78a01206d05c54831ca385dcd66d61d7e2221

SHA512
8c321e428bec395d0b6c8b4938f5868df061d122d69a6a58b4dcc300c6ec0105caa55f81a7045035947645fabab2c733210751224a40a7ad28c5e7f10a872c6c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
e232e754f601471d0aebcb1a45529cc9

SHA1
8371dd957e9d81df57ceacd6235e77a15e511659

SHA256
2f9a865d6d559a837567f5234e5491cdbf0eefa186b9452e36414c5acd18085b

SHA512
fb9898459d2814b446ba7edd03566d6c4ff411f75854cc5d18f0f5f186a3c45a2bebc78d8b4a886bb0b3a9b917182a0aeeb64b3112eb1ec7b52bef8ea2a9ddc5

Download Submit
\Users\Admin\AppData\Local\Temp\33a69a31d3806d322295c3d8b59cbb00_NeikiAnalytics.exe

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
memory/1796-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1796-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2184-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2184-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2184-27-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2652-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3000-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3000-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads