595ffcae3434cde9adf835c66b14e92d5c11b53095bcca7cc5aebc799727afea

General

Target

20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe
Size

383KB
MD5

20004d912731944039abb3b59924c1c0
SHA1

2021b1331474eb0493edbc278da4bdc95841b08c
SHA256

595ffcae3434cde9adf835c66b14e92d5c11b53095bcca7cc5aebc799727afea
SHA512

9c6afb74dc9d5a2991933e7694381640a579b1753da6179cfae3178db333576c14b5a47814ba06e2248ae51c80a8d86d7c44ccdd7e513e1c62162c8c2570bf58
SSDEEP

6144:wlj7cMno+UzU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqCD:wlbo+8U66b5zhVymA/XSRh+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2232	MSWDM.EXE
2504	MSWDM.EXE
2672	20004D912731944039ABB3B59924C1C0_NEIKIANALYTICS.EXE
2560	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2504	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev6B5.tmp	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2504	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2232	2868	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2232	2868	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2232	2868	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2232	2868	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2504	2868	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 2504	2868	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 2504	2868	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 2504	2868	20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe	29
PID 2504 wrote to memory of 2672	2504	MSWDM.EXE	30
PID 2504 wrote to memory of 2672	2504	MSWDM.EXE	30
PID 2504 wrote to memory of 2672	2504	MSWDM.EXE	30
PID 2504 wrote to memory of 2672	2504	MSWDM.EXE	30
PID 2504 wrote to memory of 2560	2504	MSWDM.EXE	31
PID 2504 wrote to memory of 2560	2504	MSWDM.EXE	31
PID 2504 wrote to memory of 2560	2504	MSWDM.EXE	31
PID 2504 wrote to memory of 2560	2504	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2868
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2232
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev6B5.tmp!C:\Users\Admin\AppData\Local\Temp\20004d912731944039abb3b59924c1c0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\20004D912731944039ABB3B59924C1C0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev6B5.tmp!C:\Users\Admin\AppData\Local\Temp\20004D912731944039ABB3B59924C1C0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
55574ce5c8b1f90e95ee5452f6fac426

SHA1
f4e6c7c498421da62b6931d15269e2015a332674

SHA256
3f6ac2262c3afa4d51362ff7dcaa584d5f225eccaa5a352a09ff43b767458133

SHA512
43db564fa3a751cf1dfc95770623365638f6771eb09c3efa7e478c5610db8809700783391e7944ecc660ad288b4e4f18047a07995b6e322bc957ea510c055b62

Download Submit
C:\Windows\dev6B5.tmp

Filesize
335KB

MD5
40ac62c087648ccc2c58dae066d34c98

SHA1
0e87efb6ddfe59e534ea9e829cad35be8563e5f7

SHA256
482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

SHA512
0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

Download Submit
memory/2232-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2504-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2504-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2560-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-7-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2868-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads