6c7e95d20191da61dc8d7f81693a4b1d321b1de05a6559aa50e5397758f9bace

General

Target

d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe
Size

83KB
MD5

d5489e3013939afb7c4570c909ca23c0
SHA1

1c66a2f069faf583bd04059613b00b88f1bbe554
SHA256

6c7e95d20191da61dc8d7f81693a4b1d321b1de05a6559aa50e5397758f9bace
SHA512

da68e97977479e62b6fd6288eceeee845be7b5a0f999ee5ca26189993c08c0f4d44be614701d9a8f57ff64fab10e1546592238b870280306f3cc0f786eb29b3b
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FaG+sSgi9lOkXYLBD7FPxR:HQC/yj5JO3MnaG+1gPkXYLBDlxR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2412	MSWDM.EXE
2056	MSWDM.EXE
5008	D5489E3013939AFB7C4570C909CA23C0_NEIKIANALYTICS.EXE
2128	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev3345.tmp	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev3345.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2056	MSWDM.EXE
2056	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 2412	916	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	83
PID 916 wrote to memory of 2412	916	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	83
PID 916 wrote to memory of 2412	916	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	83
PID 916 wrote to memory of 2056	916	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	84
PID 916 wrote to memory of 2056	916	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	84
PID 916 wrote to memory of 2056	916	d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe	84
PID 2056 wrote to memory of 5008	2056	MSWDM.EXE	85
PID 2056 wrote to memory of 5008	2056	MSWDM.EXE	85
PID 2056 wrote to memory of 2128	2056	MSWDM.EXE	86
PID 2056 wrote to memory of 2128	2056	MSWDM.EXE	86
PID 2056 wrote to memory of 2128	2056	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:916
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2412
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev3345.tmp!C:\Users\Admin\AppData\Local\Temp\d5489e3013939afb7c4570c909ca23c0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\D5489E3013939AFB7C4570C909CA23C0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:5008
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev3345.tmp!C:\Users\Admin\AppData\Local\Temp\D5489E3013939AFB7C4570C909CA23C0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D5489E3013939AFB7C4570C909CA23C0_NEIKIANALYTICS.EXE

Filesize
83KB

MD5
86e4a0888414e61308febcb42948babd

SHA1
f33028ef1f0269f8496a9151c104e2cd2fd5b735

SHA256
682076663421c846d688e3eddee8b87bee6671683bd839d798fd463f59486e3d

SHA512
11f86f974d4b4d3b1fabaddede643f0ac38cc96df582b9ce4248458abc4b1b2dc15bfed7a4ce9c015afafe529906409e1472189925b5e0e02e657b8c4dea9d81

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
0b68b857a7e40217c3dc0fbccd74c48c

SHA1
8eca09de54246a76db602e9bb2e7447ed8861bae

SHA256
8891f8c76109255aff00be5f3ee7fe70a781371158d83f25ebf15d1a0fa7a22c

SHA512
eed10fb03056f0760046505b06e378b697821ab37179e751168f1e2c9a92d0f0b318a8189618f9929a8f5b65c4f986dd3fcac5514ce398ee371ade5c8143f9dd

Download Submit
C:\Windows\dev3345.tmp

Filesize
35KB

MD5
19e25386a9c5cb66495e0d4be8869822

SHA1
a44d071ee432576f7d10917ac33fe84000c67c65

SHA256
d56174b1ba2af749549e8140f8e5bec2a1cb5a62f8e7163a0a400852f1d6b926

SHA512
2120f0a140329e3f586d4d0e81b83afb6fc4a0728baa4de7421496f4e1a5ec982edfc1e24d72a17df7108eb95e59840b7a3dc3abca9b92a95fd6869cddf5b30b

Download Submit
memory/916-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/916-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2056-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2056-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2128-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2128-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2412-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2412-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads