227eafc1379561f2bbabacf94a0861f749e6274d78ddb92f52aaf6eea3da512f

General

Target

9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe
Size

212KB
MD5

9e89ff2aa39f7488a3b060c7c8570d10
SHA1

e80d3c8688b7a0db16f938831b42f1b51f60be40
SHA256

227eafc1379561f2bbabacf94a0861f749e6274d78ddb92f52aaf6eea3da512f
SHA512

8718c49ca46b20cd446c4f2da38d709fa2ac79721275cd6052ddfffd07948902e263ae6ed9a70004911a612298f2ce6754ec0f28e7157fbf1a6314bce5148fd9
SSDEEP

3072:uTCDYDg+vr87rnj3WCW2EW51HKKn4AYrBkfkT5xHzR:IooZIFH5n8aQt9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2692	MSWDM.EXE
3792	MSWDM.EXE
4772	9E89FF2AA39F7488A3B060C7C8570D10_NEIKIANALYTICS.EXE
3472	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe
File opened for modification	C:\Windows\devEC54.tmp	9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe
File opened for modification	C:\Windows\devEC54.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3792	MSWDM.EXE
3792	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 2692	3144	9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe	90
PID 3144 wrote to memory of 2692	3144	9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe	90
PID 3144 wrote to memory of 2692	3144	9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe	90
PID 3144 wrote to memory of 3792	3144	9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe	91
PID 3144 wrote to memory of 3792	3144	9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe	91
PID 3144 wrote to memory of 3792	3144	9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe	91
PID 3792 wrote to memory of 4772	3792	MSWDM.EXE	92
PID 3792 wrote to memory of 4772	3792	MSWDM.EXE	92
PID 3792 wrote to memory of 3472	3792	MSWDM.EXE	93
PID 3792 wrote to memory of 3472	3792	MSWDM.EXE	93
PID 3792 wrote to memory of 3472	3792	MSWDM.EXE	93

C:\Users\Admin\AppData\Local\Temp\9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3144
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2692
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devEC54.tmp!C:\Users\Admin\AppData\Local\Temp\9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\9E89FF2AA39F7488A3B060C7C8570D10_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:4772
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devEC54.tmp!C:\Users\Admin\AppData\Local\Temp\9E89FF2AA39F7488A3B060C7C8570D10_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:8
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9E89FF2AA39F7488A3B060C7C8570D10_NEIKIANALYTICS.EXE

Filesize
212KB

MD5
4238f0ecb791bd8e2481506d6c30f240

SHA1
a04a666604dd9ce0c249699f36cc189f02e9624f

SHA256
ee3f423b572bc1a8000c0e1340ca952bfe6f938704c16b28ff5106ff8186759f

SHA512
581ebd3dce47b630eabda25cdc590d40c4e7227aad48a04dcc71a9d72e3fa71523a9a65e6731d0beb4817984dc001314ce362be754b2d4b2ded1334c37752dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e89ff2aa39f7488a3b060c7c8570d10_NeikiAnalytics.exe

Filesize
212KB

MD5
28599725d35a92df5b50a9cf5f0b59ec

SHA1
2be64283adf6f8d865016de080fd5982179f1ff9

SHA256
4ee5c50fe71d64b38a1ee47df103b12eb85c7e532c4bf84f59e212ac7f69bcdb

SHA512
1f00626dcc4c5fd2681f136d65cbc127f77a0e6c51eeca3e863049fc0016f6e4865983ca234577fb74a4db273c8c7ca856072b6fc0bdedcc91970924829e9634

Download Submit
C:\Windows\MSWDM.EXE

Filesize
176KB

MD5
8a351d3a4fdac918dccdbcb21c60b59c

SHA1
bdf5b7d41c4d62fbb23f71e9d7f7a4b9d7c4815a

SHA256
7c5d7b0369ef97f79d2a0492f2fc9f1e784f3f3317bd375c03bf0bf071673c95

SHA512
761a6aa05f6cf9892b839069eb298a5d3eec0e2e9dc0b287f05c38c984c388b7ce1e4adf9f371afabf342b3b38ba8814492eab3da2421597589f88ff338f2d2a

Download Submit
C:\Windows\devEC54.tmp

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
memory/2692-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2692-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3144-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3144-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3472-19-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3792-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3792-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads