d2a78b05d32d37356a9b0bf8c01c470f502ce4568fa040c7a264a2c212934a4e

General

Target

923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe
Size

538KB
MD5

923094ee3312de0ef97f164ea816bde0
SHA1

f85d94dd537cce44e91cc6efb9519811c9a03085
SHA256

d2a78b05d32d37356a9b0bf8c01c470f502ce4568fa040c7a264a2c212934a4e
SHA512

a96a166051344cfc25a01dc631ef32db7c90350697557c979a60c1ee0dade5dcc8d2f3fa99ca44e7ea42c8f09672650bf09c306d71df2485f3d4250a220d3e94
SSDEEP

12288:wlbL+h1gL5pRTcAkS/3hzN8qE43fm78VD:WbL+w5jcAkSYqyED

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1940	MSWDM.EXE
1268	MSWDM.EXE
3044	923094EE3312DE0EF97F164EA816BDE0_NEIKIANALYTICS.EXE
1260	Process not Found
2784	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1268	MSWDM.EXE
1212	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe
File opened for modification	C:\Windows\devEEF.tmp	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe
File opened for modification	C:\Windows\devEEF.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1268	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1940	1988	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe	28
PID 1988 wrote to memory of 1940	1988	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe	28
PID 1988 wrote to memory of 1940	1988	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe	28
PID 1988 wrote to memory of 1940	1988	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe	28
PID 1988 wrote to memory of 1268	1988	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe	29
PID 1988 wrote to memory of 1268	1988	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe	29
PID 1988 wrote to memory of 1268	1988	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe	29
PID 1988 wrote to memory of 1268	1988	923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe	29
PID 1268 wrote to memory of 3044	1268	MSWDM.EXE	30
PID 1268 wrote to memory of 3044	1268	MSWDM.EXE	30
PID 1268 wrote to memory of 3044	1268	MSWDM.EXE	30
PID 1268 wrote to memory of 3044	1268	MSWDM.EXE	30
PID 1268 wrote to memory of 2784	1268	MSWDM.EXE	32
PID 1268 wrote to memory of 2784	1268	MSWDM.EXE	32
PID 1268 wrote to memory of 2784	1268	MSWDM.EXE	32
PID 1268 wrote to memory of 2784	1268	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1988
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1940
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devEEF.tmp!C:\Users\Admin\AppData\Local\Temp\923094ee3312de0ef97f164ea816bde0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\923094EE3312DE0EF97F164EA816BDE0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:3044
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devEEF.tmp!C:\Users\Admin\AppData\Local\Temp\923094EE3312DE0EF97F164EA816BDE0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\923094EE3312DE0EF97F164EA816BDE0_NEIKIANALYTICS.EXE

Filesize
538KB

MD5
6402df63c4dad1f72b79b224d5600156

SHA1
963c05111ce95233ccdf24163c07e8cad84124a0

SHA256
2f7efff9122d8f2ea29c5d3e1368da506d821c724dba7bc5a8c029fda34d15db

SHA512
51fafa9c81f837635b7b0be7f048700926d05e02a4c80d5dda36ce0bb1cfca5935ee1c3f32bf6d66567404f4d6c314f8ea2a1da1d5bae287b623fffe33b26160

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
cbdca767c9edc21917e56ab846f609b3

SHA1
5de65ff67fe6cf19645e225a2a92c601f5f116d6

SHA256
6145afa2e6f036a3cd727dfcbf5afee3c785cce880e9e731a2e028d825ac12df

SHA512
dd32955a29f82fabed003ecb60d84f7fbe04a5064b76f9f0802aa1fcf0ba6f90572870ccdda515d9dac2c85baeb8f0874afe6ff3b0d77dc0b15282b911e5990b

Download Submit
C:\Windows\devEEF.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1268-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1268-24-0x00000000002E0000-0x00000000002FB000-memory.dmp

Filesize
108KB

Download
memory/1940-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1988-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1988-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2784-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads