cbf3c23c797607c5fc8e8061eb359efb71b76abb945565f4e27bc55a7c6167a4

General

Target

d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe
Size

81KB
MD5

d4c0b96b52b3f7a6b7d79654f79d7930
SHA1

48a3c5a0f71e8a63b41f68f13b0fd9d044dec8f5
SHA256

cbf3c23c797607c5fc8e8061eb359efb71b76abb945565f4e27bc55a7c6167a4
SHA512

cf654b0738e187ebb084839c0c22c814c6cf47c60fc2617d28f937c7914825678cd4f7c8438ace7a3eb33101e67f648cc281a0cda079484ef26940ddfba2b2c5
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FIG+seOBJlZsuHc+fBEc:HQC/yj5JO3MnIG+HOBDau8+fBd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2816	MSWDM.EXE
2992	MSWDM.EXE
2624	D4C0B96B52B3F7A6B7D79654F79D7930_NEIKIANALYTICS.EXE
2708	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2992	MSWDM.EXE
2992	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe
File opened for modification	C:\Windows\devF1E.tmp	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe
File opened for modification	C:\Windows\devF1E.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2992	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2816	2964	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2816	2964	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2816	2964	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2816	2964	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	28
PID 2964 wrote to memory of 2992	2964	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	29
PID 2964 wrote to memory of 2992	2964	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	29
PID 2964 wrote to memory of 2992	2964	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	29
PID 2964 wrote to memory of 2992	2964	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	29
PID 2992 wrote to memory of 2624	2992	MSWDM.EXE	30
PID 2992 wrote to memory of 2624	2992	MSWDM.EXE	30
PID 2992 wrote to memory of 2624	2992	MSWDM.EXE	30
PID 2992 wrote to memory of 2624	2992	MSWDM.EXE	30
PID 2992 wrote to memory of 2708	2992	MSWDM.EXE	32
PID 2992 wrote to memory of 2708	2992	MSWDM.EXE	32
PID 2992 wrote to memory of 2708	2992	MSWDM.EXE	32
PID 2992 wrote to memory of 2708	2992	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2964
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2816
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devF1E.tmp!C:\Users\Admin\AppData\Local\Temp\d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\D4C0B96B52B3F7A6B7D79654F79D7930_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devF1E.tmp!C:\Users\Admin\AppData\Local\Temp\D4C0B96B52B3F7A6B7D79654F79D7930_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D4C0B96B52B3F7A6B7D79654F79D7930_NEIKIANALYTICS.EXE

Filesize
81KB

MD5
7563f8cfbfd6f4f932f64e388aebe130

SHA1
8fe54a2841b6b1c592a8228b606a01576aaa1850

SHA256
b59b80e542256df91945243ff2bc42053b812cc29e439c798d8ba2f9c15a96d2

SHA512
fb39dba1c688181d53e8c574c35ba6a4f00c0e6271b9c6ff6461ed86daefa392c4314ab27fb06656f0df5f6416ca4dbd98d253c27c6a4b60e9c93feed2618662

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
01aabd294f120d0c1e06f42da055ee8e

SHA1
f7d40500b859abd70cbedaf00d481503c170d097

SHA256
828752fbe5e52d009c3f0decbb0d7c2ca76ebd6bcab20271a3578e2795273c49

SHA512
2ab12d7bed90215e3a5387e39539ac5517cecdef1236869c117d9afe58dcee03b680d279a503b738090756ea8f26b1c38c5a9229cbcbd87662be8eb8c8900192

Download Submit
C:\Windows\devF1E.tmp

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
memory/2708-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-8-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2992-27-0x0000000000270000-0x000000000028B000-memory.dmp

Filesize
108KB

Download
memory/2992-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads