baeaa2b13e7a0cfcda56f53fb323d2af2285c391cc6ed644202d8a682438f645

General

Target

d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe
Size

81KB
MD5

d91e21ed3e09a78fdff9e435dc884310
SHA1

7e8e57e41c285ce32f42ebc888e430ae98fb796c
SHA256

baeaa2b13e7a0cfcda56f53fb323d2af2285c391cc6ed644202d8a682438f645
SHA512

1fb6961350d82bb7958104267590840749af2e5eb06cf5f388ffb3503e550b28740d8dffa4b97f772e2b0df900b70c7237d7eb98303567013b3d3610c3160f53
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FwgG+seOBJlZsuHc+fBE0:HQC/yj5JO3MnwgG+HOBDau8+fBN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1456	MSWDM.EXE
2740	MSWDM.EXE
2588	D91E21ED3E09A78FDFF9E435DC884310_NEIKIANALYTICS.EXE
3068	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1456	MSWDM.EXE
1456	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev16EA.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev16EA.tmp	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1456	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2740	2356	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 2740	2356	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 2740	2356	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 2740	2356	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 1456	2356	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe	29
PID 2356 wrote to memory of 1456	2356	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe	29
PID 2356 wrote to memory of 1456	2356	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe	29
PID 2356 wrote to memory of 1456	2356	d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe	29
PID 1456 wrote to memory of 2588	1456	MSWDM.EXE	30
PID 1456 wrote to memory of 2588	1456	MSWDM.EXE	30
PID 1456 wrote to memory of 2588	1456	MSWDM.EXE	30
PID 1456 wrote to memory of 2588	1456	MSWDM.EXE	30
PID 1456 wrote to memory of 3068	1456	MSWDM.EXE	32
PID 1456 wrote to memory of 3068	1456	MSWDM.EXE	32
PID 1456 wrote to memory of 3068	1456	MSWDM.EXE	32
PID 1456 wrote to memory of 3068	1456	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2356
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2740
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev16EA.tmp!C:\Users\Admin\AppData\Local\Temp\d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\D91E21ED3E09A78FDFF9E435DC884310_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev16EA.tmp!C:\Users\Admin\AppData\Local\Temp\D91E21ED3E09A78FDFF9E435DC884310_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D91E21ED3E09A78FDFF9E435DC884310_NEIKIANALYTICS.EXE

Filesize
81KB

MD5
d10046e5c28993d722c2b5d2f1f8a0be

SHA1
2170e751cbf7ceeb46fb29c5de80696928616016

SHA256
7778906555706f96e7eaf236796f579baa0ef4fda57b45e2ac43444cd8f55413

SHA512
3c01c06f94c49c286ea364f004c8c2d79ae4c160faefe07ff61dae08bf439037d82abc53e29752606f6354e71a2c9f91248a1756c6ae8557fdad9e689c2de825

Download Submit
C:\Users\Admin\AppData\Local\Temp\d91e21ed3e09a78fdff9e435dc884310_NeikiAnalytics.exe

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
17b789e1d1c2ac8883a68e3fdf6e06b1

SHA1
f04386e2facad18e7412954d63079ea4a794457b

SHA256
a1bc39e4bbc1a47b5678b2eefe3611bc61dfcb2b93025f8352123cce55a3bd69

SHA512
01cb25a97e31da8947669536251215c1df9b8001d774269b17b68244a5516a452e8e540d0c6ea13d58d5fe8833fa7be7007a75d51659bbdb41dc7f3c90141f81

Download Submit
memory/1456-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1456-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2356-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2356-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3068-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads