ed152bfbe1aaef0aa3d466ca10e2b68cf098bcba34142078073e6d1c0cc89d0c

General

Target

5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
Size

648KB
MD5

5a246eba9ad3ea0d0b2e2948d0b2c1d0
SHA1

b8cbef6d9abb995976af53a81bda5d49d6cd9433
SHA256

ed152bfbe1aaef0aa3d466ca10e2b68cf098bcba34142078073e6d1c0cc89d0c
SHA512

7bcbb070fb429a4e20c8b968aac43a145333b43852ff6e855efcfcb227a8a40a5b4dc5d875fc87a244f0c259eef1619a92e3de39213ace7af685d7ce18492cb2
SSDEEP

12288:wlbd+Yaplw9U+qMi8CtdVldusIh6BBHCHrKZXCktSzIzWpX5i:Wbd+bYTqMi8CtBd2QHCHmTBW5i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
316	MSWDM.EXE
1836	MSWDM.EXE
2188	5A246EBA9AD3EA0D0B2E2948D0B2C1D0_NEIKIANALYTICS.EXE
1200	Process not Found
2672	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1836	MSWDM.EXE
1836	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1F63.tmp	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1F63.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1836	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 316	2428	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	28
PID 2428 wrote to memory of 316	2428	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	28
PID 2428 wrote to memory of 316	2428	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	28
PID 2428 wrote to memory of 316	2428	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	28
PID 2428 wrote to memory of 1836	2428	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	29
PID 2428 wrote to memory of 1836	2428	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	29
PID 2428 wrote to memory of 1836	2428	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	29
PID 2428 wrote to memory of 1836	2428	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	29
PID 1836 wrote to memory of 2188	1836	MSWDM.EXE	30
PID 1836 wrote to memory of 2188	1836	MSWDM.EXE	30
PID 1836 wrote to memory of 2188	1836	MSWDM.EXE	30
PID 1836 wrote to memory of 2188	1836	MSWDM.EXE	30
PID 1836 wrote to memory of 2672	1836	MSWDM.EXE	31
PID 1836 wrote to memory of 2672	1836	MSWDM.EXE	31
PID 1836 wrote to memory of 2672	1836	MSWDM.EXE	31
PID 1836 wrote to memory of 2672	1836	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2428
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:316
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1F63.tmp!C:\Users\Admin\AppData\Local\Temp\5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\5A246EBA9AD3EA0D0B2E2948D0B2C1D0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2188
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1F63.tmp!C:\Users\Admin\AppData\Local\Temp\5A246EBA9AD3EA0D0B2E2948D0B2C1D0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5A246EBA9AD3EA0D0B2E2948D0B2C1D0_NEIKIANALYTICS.EXE

Filesize
648KB

MD5
9ae711189004dcc3d1b2dd1fa6929e34

SHA1
59bbd93e0fbf8caea8914dbfdebb5a2fdd954d4e

SHA256
2d8050fa644acf86b83c4d94be79ce84429c82d15da5b7579c9581eafdf9c92a

SHA512
1b429845c399bae67e2aaf7bcc738c559af9949ad414e5ff9203e05f38595bc4333e7372dbb4bf13f0be4faa32d510fdd597d4cbe6c419f9db50a2e4f30149e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe

Filesize
568KB

MD5
04fb3ae7f05c8bc333125972ba907398

SHA1
df22612647e9404a515d48ebad490349685250de

SHA256
2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef

SHA512
94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
ca1665aebc386a9e1e00e62a6f24bccd

SHA1
ace8a60b685b6e870d0952fd7de8b1157112db6a

SHA256
9a7574d09ccc52c090ac586db59b15f7295fb15f6c2a1492558cb6d4cfdd5d3d

SHA512
bd227870c2e6b67e11e532e43aecdd0af65745a31cc0beed86032bb00879a3eddeb9ddeae7bcc7089fee758179e2b7b9f567957f7f2fcfc69ed766d5feaa6d17

Download Submit
memory/316-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/316-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1836-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2428-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2428-7-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2428-6-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2428-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2672-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads