80cfa753a9d78934e0a6f22d5679f465c47d39ab620b475f75688d2a7713f5aa

General

Target

20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe
Size

824KB
MD5

20ef5f1c2113bb55f2dfb781693df8f0
SHA1

5d79634b4cdf45ad20e7c7fde0f3935dc07d7c52
SHA256

80cfa753a9d78934e0a6f22d5679f465c47d39ab620b475f75688d2a7713f5aa
SHA512

585fb57d1809eb8c0554fa5be9aa53d7a1addd214864b0d47417d53b9eaf5225525e6b3282f70cc9e04189d55d695e063bbd1cc856a38bd343066fcb7b0092f2
SSDEEP

24576:phJ6kfYTOYKgYTqMi8CtBd2QHCHmTBW5Y:p2kfYTOYKHqJtb2ID

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1972	MSWDM.EXE
2104	MSWDM.EXE
2052	20EF5F1C2113BB55F2DFB781693DF8F0_NEIKIANALYTICS.EXE
1200	Process not Found
2644	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1972	MSWDM.EXE
1972	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1120.tmp	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1120.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1972	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2104	3048	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe	28
PID 3048 wrote to memory of 2104	3048	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe	28
PID 3048 wrote to memory of 2104	3048	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe	28
PID 3048 wrote to memory of 2104	3048	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe	28
PID 3048 wrote to memory of 1972	3048	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe	29
PID 3048 wrote to memory of 1972	3048	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe	29
PID 3048 wrote to memory of 1972	3048	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe	29
PID 3048 wrote to memory of 1972	3048	20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe	29
PID 1972 wrote to memory of 2052	1972	MSWDM.EXE	30
PID 1972 wrote to memory of 2052	1972	MSWDM.EXE	30
PID 1972 wrote to memory of 2052	1972	MSWDM.EXE	30
PID 1972 wrote to memory of 2052	1972	MSWDM.EXE	30
PID 1972 wrote to memory of 2644	1972	MSWDM.EXE	31
PID 1972 wrote to memory of 2644	1972	MSWDM.EXE	31
PID 1972 wrote to memory of 2644	1972	MSWDM.EXE	31
PID 1972 wrote to memory of 2644	1972	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3048
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2104
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1120.tmp!C:\Users\Admin\AppData\Local\Temp\20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\20EF5F1C2113BB55F2DFB781693DF8F0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2052
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1120.tmp!C:\Users\Admin\AppData\Local\Temp\20EF5F1C2113BB55F2DFB781693DF8F0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20EF5F1C2113BB55F2DFB781693DF8F0_NEIKIANALYTICS.EXE

Filesize
824KB

MD5
56e96a384b9f4ea9a5ffc56b62b503be

SHA1
50bab9e31e70eeb2bfc4532b8174b105dbb2f3dc

SHA256
95709857b606d1064b2f43b230935ecbb1d9963273aa673f28b50b13b6d90196

SHA512
86a37a08646ec9f31664af1131cdbf999a7954762c9d8b477346f0a6c7dab36f9cbeba43a45e707d3dea0d4d55f30c348bf4cfa7cde2e54fad91f32d8aa1f170

Download Submit
C:\Users\Admin\AppData\Local\Temp\20ef5f1c2113bb55f2dfb781693df8f0_NeikiAnalytics.exe

Filesize
568KB

MD5
04fb3ae7f05c8bc333125972ba907398

SHA1
df22612647e9404a515d48ebad490349685250de

SHA256
2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef

SHA512
94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

Download Submit
C:\Windows\MSWDM.EXE

Filesize
256KB

MD5
00a80651dc0f004b0dce3bc02ae463b9

SHA1
4b3f5e624f2cacdd13bbf78ef1cf00380cefe7c8

SHA256
a5878ee0bae84681db262fb6874015e75ad3947c7c6845a1d5b527876d811eff

SHA512
7ef1b4b9004626d9790fb77e173daf147d335b130dd8661abf690705823310c24e6f51d89e955a4e82be5ad81e7c4231feccfeab85139035b4876f6df1ac73d5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads