0610018068d30b4c6939595b98d86e8ffee725d3bc04f45f63925a24dc55d1cf

General

Target

bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe
Size

2.2MB
MD5

bd0b5bee411272eaf19052027d6e8e10
SHA1

cca4542c9e2f0c9e63575a3d2f57e70128ea5b02
SHA256

0610018068d30b4c6939595b98d86e8ffee725d3bc04f45f63925a24dc55d1cf
SHA512

dbc520d0c399e3178ff9b8ce783ada191efbb11cdd07f9a6a3ebfd8c5f54e0609e7afa3a27228fb7ae855fd976a7aaed83b7904dba72bc684a8f792d575580c7
SSDEEP

49152:Wbi+QCbRquA/m2yL5zbfFiV+XenmE3/zO:Wbi+5oq2Vjnmt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4976	MSWDM.EXE
2784	MSWDM.EXE
4028	BD0B5BEE411272EAF19052027D6E8E10_NEIKIANALYTICS.EXE
2284	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev31D9.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev31D9.tmp	bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	MSWDM.EXE
2784	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4976	5076	bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe	90
PID 5076 wrote to memory of 4976	5076	bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe	90
PID 5076 wrote to memory of 4976	5076	bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe	90
PID 5076 wrote to memory of 2784	5076	bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe	91
PID 5076 wrote to memory of 2784	5076	bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe	91
PID 5076 wrote to memory of 2784	5076	bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe	91
PID 2784 wrote to memory of 4028	2784	MSWDM.EXE	92
PID 2784 wrote to memory of 4028	2784	MSWDM.EXE	92
PID 2784 wrote to memory of 2284	2784	MSWDM.EXE	94
PID 2784 wrote to memory of 2284	2784	MSWDM.EXE	94
PID 2784 wrote to memory of 2284	2784	MSWDM.EXE	94

C:\Users\Admin\AppData\Local\Temp\bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5076
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4976
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev31D9.tmp!C:\Users\Admin\AppData\Local\Temp\bd0b5bee411272eaf19052027d6e8e10_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\BD0B5BEE411272EAF19052027D6E8E10_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:4028
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev31D9.tmp!C:\Users\Admin\AppData\Local\Temp\BD0B5BEE411272EAF19052027D6E8E10_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4832 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BD0B5BEE411272EAF19052027D6E8E10_NEIKIANALYTICS.EXE

Filesize
2.2MB

MD5
277f9d8ce277acafa51dee60a92d3521

SHA1
25238432c21fe47dff6480acac6ac04419a963f1

SHA256
cc6b2aedaa5144a2cb2c7cadfaa64c7b98c4996595bb442108f08e4e11d5d7c1

SHA512
6245f450f948f3e5b86551e7e8048d852b0f7d2f0cc719b9ce659f34ae7abaf80cfe9b0925c4b4039df1e67714f768f056a706c544508cf2cb2c7d1a04edf6a4

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
6512006ea1455d24e059c752966bc4d9

SHA1
440990a30fbae1006bdc466053d69b0c7361b742

SHA256
14031b9e56d82e81936ef09891baf9a5e24980a1c6e97df01dbb2531b473530b

SHA512
971770e4abd12f070dc308d807a88b112c65b077b2cb3c38716f71ec40dde63f90da82f340f7d65717d7e59d81c0cb03cdf1a2f285fca9e867fc7b5b53da159f

Download Submit
C:\Windows\dev31D9.tmp

Filesize
2.1MB

MD5
b8d69fa2755c3ab1f12f8866a8e2a4f7

SHA1
8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d

SHA256
7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd

SHA512
5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

Download Submit
memory/2284-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2284-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4976-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5076-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5076-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads