cbf3c23c797607c5fc8e8061eb359efb71b76abb945565f4e27bc55a7c6167a4

General

Target

d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe
Size

81KB
MD5

d4c0b96b52b3f7a6b7d79654f79d7930
SHA1

48a3c5a0f71e8a63b41f68f13b0fd9d044dec8f5
SHA256

cbf3c23c797607c5fc8e8061eb359efb71b76abb945565f4e27bc55a7c6167a4
SHA512

cf654b0738e187ebb084839c0c22c814c6cf47c60fc2617d28f937c7914825678cd4f7c8438ace7a3eb33101e67f648cc281a0cda079484ef26940ddfba2b2c5
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FIG+seOBJlZsuHc+fBEc:HQC/yj5JO3MnIG+HOBDau8+fBd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3200	MSWDM.EXE
1060	MSWDM.EXE
2884	D4C0B96B52B3F7A6B7D79654F79D7930_NEIKIANALYTICS.EXE
552	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev42F4.tmp	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev42F4.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1060	MSWDM.EXE
1060	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 3200	1852	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	83
PID 1852 wrote to memory of 3200	1852	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	83
PID 1852 wrote to memory of 3200	1852	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	83
PID 1852 wrote to memory of 1060	1852	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	84
PID 1852 wrote to memory of 1060	1852	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	84
PID 1852 wrote to memory of 1060	1852	d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe	84
PID 1060 wrote to memory of 2884	1060	MSWDM.EXE	85
PID 1060 wrote to memory of 2884	1060	MSWDM.EXE	85
PID 1060 wrote to memory of 2884	1060	MSWDM.EXE	85
PID 1060 wrote to memory of 552	1060	MSWDM.EXE	87
PID 1060 wrote to memory of 552	1060	MSWDM.EXE	87
PID 1060 wrote to memory of 552	1060	MSWDM.EXE	87

C:\Users\Admin\AppData\Local\Temp\d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1852
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3200
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev42F4.tmp!C:\Users\Admin\AppData\Local\Temp\d4c0b96b52b3f7a6b7d79654f79d7930_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Users\Admin\AppData\Local\Temp\D4C0B96B52B3F7A6B7D79654F79D7930_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2884
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev42F4.tmp!C:\Users\Admin\AppData\Local\Temp\D4C0B96B52B3F7A6B7D79654F79D7930_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D4C0B96B52B3F7A6B7D79654F79D7930_NEIKIANALYTICS.EXE

Filesize
81KB

MD5
eca0bbf8db42a598da7fb798bd075d42

SHA1
e7f4992f614af9e85aafa6ecd401742d12f4f856

SHA256
06603bb38d81d6d84b11d049da5004bca006c9f697d5c1f5fba0034b31708006

SHA512
af42e4a300e8b1adb363be2fe535969a30dc9c2d65f84ac0e42ca1c68a53478297d362724e7d4649fa1ed2ae73b58471a717d42defe2796354ea60324651f933

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
47KB

MD5
01aabd294f120d0c1e06f42da055ee8e

SHA1
f7d40500b859abd70cbedaf00d481503c170d097

SHA256
828752fbe5e52d009c3f0decbb0d7c2ca76ebd6bcab20271a3578e2795273c49

SHA512
2ab12d7bed90215e3a5387e39539ac5517cecdef1236869c117d9afe58dcee03b680d279a503b738090756ea8f26b1c38c5a9229cbcbd87662be8eb8c8900192

Download Submit
C:\Windows\dev42F4.tmp

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
memory/552-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1060-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1852-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1852-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3200-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads