6c7e95d20191da61dc8d7f81693a4b1d321b1de05a6559aa50e5397758f9bace

General

Target

d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe
Size

83KB
MD5

d5489e3013939afb7c4570c909ca23c0
SHA1

1c66a2f069faf583bd04059613b00b88f1bbe554
SHA256

6c7e95d20191da61dc8d7f81693a4b1d321b1de05a6559aa50e5397758f9bace
SHA512

da68e97977479e62b6fd6288eceeee845be7b5a0f999ee5ca26189993c08c0f4d44be614701d9a8f57ff64fab10e1546592238b870280306f3cc0f786eb29b3b
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FaG+sSgi9lOkXYLBD7FPxR:HQC/yj5JO3MnaG+1gPkXYLBDlxR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1880	MSWDM.EXE
2908	MSWDM.EXE
2512	D5489E3013939AFB7C4570C909CA23C0_NEIKIANALYTICS.EXE
2760	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2908	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev7BE4.tmp	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev7BE4.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2908	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1880	2256	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	28
PID 2256 wrote to memory of 1880	2256	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	28
PID 2256 wrote to memory of 1880	2256	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	28
PID 2256 wrote to memory of 1880	2256	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	28
PID 2256 wrote to memory of 2908	2256	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	29
PID 2256 wrote to memory of 2908	2256	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	29
PID 2256 wrote to memory of 2908	2256	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	29
PID 2256 wrote to memory of 2908	2256	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	29
PID 2908 wrote to memory of 2512	2908	MSWDM.EXE	30
PID 2908 wrote to memory of 2512	2908	MSWDM.EXE	30
PID 2908 wrote to memory of 2512	2908	MSWDM.EXE	30
PID 2908 wrote to memory of 2512	2908	MSWDM.EXE	30
PID 2908 wrote to memory of 2760	2908	MSWDM.EXE	31
PID 2908 wrote to memory of 2760	2908	MSWDM.EXE	31
PID 2908 wrote to memory of 2760	2908	MSWDM.EXE	31
PID 2908 wrote to memory of 2760	2908	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2256
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1880
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev7BE4.tmp!C:\Users\Admin\AppData\Local\Temp\d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\D5489E3013939AFB7C4570C909CA23C0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2512
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev7BE4.tmp!C:\Users\Admin\AppData\Local\Temp\D5489E3013939AFB7C4570C909CA23C0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D5489E3013939AFB7C4570C909CA23C0_NEIKIANALYTICS.EXE

Filesize
83KB

MD5
56a15986a1451a35246137d9e0b1d90c

SHA1
0ec08bf8c6c222716932c3f36b0fcf1f75a46541

SHA256
a13ee717ad71cfd43b25721f1da2ff4b4f46e898738d9dac7ed30515077d711f

SHA512
72143da2aa47b53b64f0df17ee00f066f0d987849edb55d97ee2bf391cb77e5b12ae7aa71de216e8fc25158ecb5a32d6c2d4e1ac549ebbabbd5dde2a7c96f05c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
0b68b857a7e40217c3dc0fbccd74c48c

SHA1
8eca09de54246a76db602e9bb2e7447ed8861bae

SHA256
8891f8c76109255aff00be5f3ee7fe70a781371158d83f25ebf15d1a0fa7a22c

SHA512
eed10fb03056f0760046505b06e378b697821ab37179e751168f1e2c9a92d0f0b318a8189618f9929a8f5b65c4f986dd3fcac5514ce398ee371ade5c8143f9dd

Download Submit
\Users\Admin\AppData\Local\Temp\d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe

Filesize
35KB

MD5
19e25386a9c5cb66495e0d4be8869822

SHA1
a44d071ee432576f7d10917ac33fe84000c67c65

SHA256
d56174b1ba2af749549e8140f8e5bec2a1cb5a62f8e7163a0a400852f1d6b926

SHA512
2120f0a140329e3f586d4d0e81b83afb6fc4a0728baa4de7421496f4e1a5ec982edfc1e24d72a17df7108eb95e59840b7a3dc3abca9b92a95fd6869cddf5b30b

Download Submit
memory/1880-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1880-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-33-0x0000000000310000-0x000000000032B000-memory.dmp

Filesize
108KB

Download
memory/2760-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2908-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2908-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads