ec0e6d7ead55542c37eab0fb6047ed6e620ada368f22aa0cab49e4739d8d292c

General

Target

ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe
Size

121KB
MD5

ade31c23c289a0775937c77300b55df0
SHA1

928afec069b0d3000e6d03dac231fd59a9939909
SHA256

ec0e6d7ead55542c37eab0fb6047ed6e620ada368f22aa0cab49e4739d8d292c
SHA512

b480f369d9190bbb53a6b2c589f681fff99f0909f8014b366c317804d15137314fc540595e1ac0feffeee2c4238b0fdaa100bb38a856474590dea62a5eafaebd
SSDEEP

3072:HQC/yj5JO3MnjG+Hu54Fx4xE8plZQKbgZi1St7xB:wlj7cMn6+OEXAwKbgZz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2012	MSWDM.EXE
2060	MSWDM.EXE
2664	ADE31C23C289A0775937C77300B55DF0_NEIKIANALYTICS.EXE
2744	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2060	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev1AB2.tmp	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1AB2.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2060	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2012	1640	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 2012	1640	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 2012	1640	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 2012	1640	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 2060	1640	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe	29
PID 1640 wrote to memory of 2060	1640	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe	29
PID 1640 wrote to memory of 2060	1640	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe	29
PID 1640 wrote to memory of 2060	1640	ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe	29
PID 2060 wrote to memory of 2664	2060	MSWDM.EXE	30
PID 2060 wrote to memory of 2664	2060	MSWDM.EXE	30
PID 2060 wrote to memory of 2664	2060	MSWDM.EXE	30
PID 2060 wrote to memory of 2664	2060	MSWDM.EXE	30
PID 2060 wrote to memory of 2744	2060	MSWDM.EXE	31
PID 2060 wrote to memory of 2744	2060	MSWDM.EXE	31
PID 2060 wrote to memory of 2744	2060	MSWDM.EXE	31
PID 2060 wrote to memory of 2744	2060	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1640
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2012
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1AB2.tmp!C:\Users\Admin\AppData\Local\Temp\ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\ADE31C23C289A0775937C77300B55DF0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2664
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1AB2.tmp!C:\Users\Admin\AppData\Local\Temp\ADE31C23C289A0775937C77300B55DF0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADE31C23C289A0775937C77300B55DF0_NEIKIANALYTICS.EXE

Filesize
121KB

MD5
3b545fa464cab222c9dd9fb7d6ab2571

SHA1
b9e27ff26bc3042489e1f7ed92d973f7628515c4

SHA256
b6480243323a42a0dd064e694c46d9a52d2b5c0955c53c22b4ae29d2f16136e4

SHA512
c8a2edc1f72829d36f7bb716301f24b33d8f3deffe590d00adf77417c8e38b01b4c7f685a7542287752e15042dd3f5813d4b723cfa8a241b4b6720dd4f560ee5

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
f486960b968d8862d724b5eba57c2594

SHA1
0d33b81e1d4f577b2dee9574a4c54c5f152de9c9

SHA256
cf78efba62b9989ac8ade2117c6105ffa92cc071ecee27ee57517a9b34ce1c03

SHA512
236a28b8347de6c8650aa47b5a7069696b0da8c784c51cb75e22eaf884e606a7b27340747b146c981cd20fb2f08f11735302f1a8576dd628bfcbfa7b5dee82d5

Download Submit
\Users\Admin\AppData\Local\Temp\ade31c23c289a0775937c77300b55df0_NeikiAnalytics.exe

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
memory/1640-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1640-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1640-8-0x00000000002D0000-0x00000000002EB000-memory.dmp

Filesize
108KB

Download
memory/2012-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2012-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2744-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads