81775f705209790f199d7506859ab7ef8b66757f0eda48ec2d809fe10febf5e6

General

Target

b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe
Size

81KB
MD5

b01cbecbdd7379418284737a67711940
SHA1

352e0f48d59f7e4a6bd7d1b3ec3db9547a0cbc64
SHA256

81775f705209790f199d7506859ab7ef8b66757f0eda48ec2d809fe10febf5e6
SHA512

68b3db40f5a310188cc5d9c81cf07a376ce402bbbefa14d8e3275362d9609632701df248299971e0dfd2d5a1d6c323007d8dc1b6aabbab3be195706aa2162ce9
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FfgG+seOBJlZsuHc+fBE4:HQC/yj5JO3MnfgG+HOBDau8+fBR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3884	MSWDM.EXE
2788	MSWDM.EXE
3064	B01CBECBDD7379418284737A67711940_NEIKIANALYTICS.EXE
3960	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe
File opened for modification	C:\Windows\devE1A5.tmp	b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe
File opened for modification	C:\Windows\devE1A5.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	MSWDM.EXE
2788	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3884	2252	b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe	89
PID 2252 wrote to memory of 3884	2252	b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe	89
PID 2252 wrote to memory of 3884	2252	b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe	89
PID 2252 wrote to memory of 2788	2252	b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe	90
PID 2252 wrote to memory of 2788	2252	b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe	90
PID 2252 wrote to memory of 2788	2252	b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe	90
PID 2788 wrote to memory of 3064	2788	MSWDM.EXE	91
PID 2788 wrote to memory of 3064	2788	MSWDM.EXE	91
PID 2788 wrote to memory of 3064	2788	MSWDM.EXE	91
PID 2788 wrote to memory of 3960	2788	MSWDM.EXE	93
PID 2788 wrote to memory of 3960	2788	MSWDM.EXE	93
PID 2788 wrote to memory of 3960	2788	MSWDM.EXE	93

C:\Users\Admin\AppData\Local\Temp\b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2252
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3884
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devE1A5.tmp!C:\Users\Admin\AppData\Local\Temp\b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\B01CBECBDD7379418284737A67711940_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:3064
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devE1A5.tmp!C:\Users\Admin\AppData\Local\Temp\B01CBECBDD7379418284737A67711940_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4020,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
1⤵
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b01cbecbdd7379418284737a67711940_NeikiAnalytics.exe

Filesize
81KB

MD5
d9591ab46b8404ffa3762a8ca2541b9d

SHA1
e44739e024d2bc5bf261129d8548f8c359149350

SHA256
11637e11e4e231736b6a8899ccaa96dc80345aa39a3aea6313462372a0172c15

SHA512
04b320b87846b47625d9af49bf64039cebcce05f776950117991a54da6ed6dd7c891ebd5e62cb21cc81faf2ff0c8a8cc6f2ccf6960c8a2492c5e83bc97186d67

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
0899c12880bb71740aaeef618b3133b2

SHA1
9370dab734f42f59d4ae434e7644e7d7ba9507b1

SHA256
f6faa1e11b030e5640af5c5a96bce67ef928a723a003c71846ca668d58d155b1

SHA512
b5c825f19c1a27cb4eecb059ae08c339f701620f983f8db2ad76354d8e98c89ec2249855241fe16cc7384316f8d062000b060c7c8891d5b426281306dd32bac4

Download Submit
C:\Windows\devE1A5.tmp

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
memory/2252-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2252-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2788-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2788-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3884-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3884-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3960-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads