67943e945742bef412c73b31c04b1af63ae6b202cf6f8ab715d7890d7f5616f6

General

Target

088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe
Size

440KB
MD5

088b5e755c46d5d47643a6260ae88480
SHA1

4a430cb785f94e5d834fa4dffb2e6dc42deffa91
SHA256

67943e945742bef412c73b31c04b1af63ae6b202cf6f8ab715d7890d7f5616f6
SHA512

9ee64d8e80f7856860e552d0bc02a53b4eacf975afccaccfecb44cca070953c4b6e973cdc655b58e9516cb8d6936bcfb55618a1e5311aa43e911bbe4aec06a7b
SSDEEP

6144:wlj7cMn0+OEXVP2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfw:wlb0+eahVy4a

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3012	MSWDM.EXE
4788	MSWDM.EXE
2188	088B5E755C46D5D47643A6260AE88480_NEIKIANALYTICS.EXE
2424	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev3D47.tmp	088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev3D47.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4788	MSWDM.EXE
4788	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 3012	3844	088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe	84
PID 3844 wrote to memory of 3012	3844	088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe	84
PID 3844 wrote to memory of 3012	3844	088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe	84
PID 3844 wrote to memory of 4788	3844	088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe	85
PID 3844 wrote to memory of 4788	3844	088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe	85
PID 3844 wrote to memory of 4788	3844	088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe	85
PID 4788 wrote to memory of 2188	4788	MSWDM.EXE	86
PID 4788 wrote to memory of 2188	4788	MSWDM.EXE	86
PID 4788 wrote to memory of 2424	4788	MSWDM.EXE	87
PID 4788 wrote to memory of 2424	4788	MSWDM.EXE	87
PID 4788 wrote to memory of 2424	4788	MSWDM.EXE	87

C:\Users\Admin\AppData\Local\Temp\088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3844
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3012
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev3D47.tmp!C:\Users\Admin\AppData\Local\Temp\088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\088B5E755C46D5D47643A6260AE88480_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2188
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev3D47.tmp!C:\Users\Admin\AppData\Local\Temp\088B5E755C46D5D47643A6260AE88480_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe

Filesize
440KB

MD5
e70240bb24be9498011df743b21a8361

SHA1
04d868f111d90a6eb9a2ba28fb23030756a4faf2

SHA256
5eb4fecdd89ba1da9f2ea522266a683aa8a5835d60b051b969d3d7a7c39078e6

SHA512
cc99133f1531b7b85129c86c69a4415214dfdc23ad474408c3094755d39e13d7bb859014938828cdb93cf0f07e4968a2358eb2b7067a9673d3fd5d3474611ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\088b5e755c46d5d47643a6260ae88480_NeikiAnalytics.exe

Filesize
440KB

MD5
2aaa0a25b3b9097ef7ab566bfda8807b

SHA1
efb9791ea32666fb28ab4f0a1222ea30696a3f55

SHA256
693139bf5ea3b1bbb5bbed3584cbf051126f90a3386c786f5d1b4bde358e0527

SHA512
eab724e91d3596e51ea4b84a6c3bce607ce52672b8795b57b31aedbbc41c0ee7c72a83baa838cdd12bc04acc1570fccf4d0c332d9cc82c27e355e0a42c1b56c9

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
309bae57abb1b4278be71b8ebd33a6ac

SHA1
f8a54e33b95edf528d59300b48a780dfcc321fed

SHA256
2cec5fae1653a90f0a63fb4377281e889adace7216fc20a35f47db4d08445a98

SHA512
90f0f0d724673dd1f264ac7de8d7ebda28a33582ca3866082b4a56976c5240da36e95074092693cc44113bbd7e4b114e68d9d199adb4cdbf63b2a559fe42d7cf

Download Submit
C:\Windows\dev3D47.tmp

Filesize
360KB

MD5
5fbd45261a2de3bb42f489e825a9a935

SHA1
ff388f6e9efe651ec62c4152c1739783e7899293

SHA256
9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

SHA512
7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

Download Submit
memory/2424-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3844-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3844-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4788-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads