ed152bfbe1aaef0aa3d466ca10e2b68cf098bcba34142078073e6d1c0cc89d0c

General

Target

5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
Size

648KB
MD5

5a246eba9ad3ea0d0b2e2948d0b2c1d0
SHA1

b8cbef6d9abb995976af53a81bda5d49d6cd9433
SHA256

ed152bfbe1aaef0aa3d466ca10e2b68cf098bcba34142078073e6d1c0cc89d0c
SHA512

7bcbb070fb429a4e20c8b968aac43a145333b43852ff6e855efcfcb227a8a40a5b4dc5d875fc87a244f0c259eef1619a92e3de39213ace7af685d7ce18492cb2
SSDEEP

12288:wlbd+Yaplw9U+qMi8CtdVldusIh6BBHCHrKZXCktSzIzWpX5i:Wbd+bYTqMi8CtBd2QHCHmTBW5i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4228	MSWDM.EXE
3696	MSWDM.EXE
4596	5A246EBA9AD3EA0D0B2E2948D0B2C1D0_NEIKIANALYTICS.EXE
3528	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev342F.tmp	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev342F.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3696	MSWDM.EXE
3696	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 4228	1772	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	82
PID 1772 wrote to memory of 4228	1772	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	82
PID 1772 wrote to memory of 4228	1772	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	82
PID 1772 wrote to memory of 3696	1772	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	83
PID 1772 wrote to memory of 3696	1772	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	83
PID 1772 wrote to memory of 3696	1772	5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe	83
PID 3696 wrote to memory of 4596	3696	MSWDM.EXE	84
PID 3696 wrote to memory of 4596	3696	MSWDM.EXE	84
PID 3696 wrote to memory of 3528	3696	MSWDM.EXE	89
PID 3696 wrote to memory of 3528	3696	MSWDM.EXE	89
PID 3696 wrote to memory of 3528	3696	MSWDM.EXE	89

C:\Users\Admin\AppData\Local\Temp\5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1772
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4228
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev342F.tmp!C:\Users\Admin\AppData\Local\Temp\5a246eba9ad3ea0d0b2e2948d0b2c1d0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\5A246EBA9AD3EA0D0B2E2948D0B2C1D0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:4596
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev342F.tmp!C:\Users\Admin\AppData\Local\Temp\5A246EBA9AD3EA0D0B2E2948D0B2C1D0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5A246EBA9AD3EA0D0B2E2948D0B2C1D0_NEIKIANALYTICS.EXE

Filesize
648KB

MD5
005a0424752d6a95d315b3eb2bc86cbd

SHA1
87f6e3a199d3bd27cfbef84d3604836733d12766

SHA256
486754a9cabcf5324c6fc41cd4b8dd7cd10413f791a3ecbb09f93a2a0110c6bb

SHA512
78ecd50ef625015d436f4846687fac9bba9563688b97c083427841e577afbd3b6c4e361dd89da2418db9dd7132f8e42fe98b92eee4caa79b5f04236728437bb3

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
ca1665aebc386a9e1e00e62a6f24bccd

SHA1
ace8a60b685b6e870d0952fd7de8b1157112db6a

SHA256
9a7574d09ccc52c090ac586db59b15f7295fb15f6c2a1492558cb6d4cfdd5d3d

SHA512
bd227870c2e6b67e11e532e43aecdd0af65745a31cc0beed86032bb00879a3eddeb9ddeae7bcc7089fee758179e2b7b9f567957f7f2fcfc69ed766d5feaa6d17

Download Submit
C:\Windows\dev342F.tmp

Filesize
568KB

MD5
04fb3ae7f05c8bc333125972ba907398

SHA1
df22612647e9404a515d48ebad490349685250de

SHA256
2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef

SHA512
94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

Download Submit
memory/1772-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3528-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3696-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3696-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4228-4-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4228-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads