bb0ab732e5aeaa1c69a70e0c7fbdf4d853e8a4ff548ba8f2fc65419a8b1fbf6a

General

Target

ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe
Size

505KB
MD5

ef86c49fa313d68086ae3a3c9cfe36e0
SHA1

b3275257aa3994ea3217fdc9ae42e0a2d7dedaa2
SHA256

bb0ab732e5aeaa1c69a70e0c7fbdf4d853e8a4ff548ba8f2fc65419a8b1fbf6a
SHA512

3dba58c2a9f90bcc55842cff5667e262b9fb721146fac9d7a9f94ea9fad0d0668030fe7d7ae12f4495bf7f993bd6d1a8280a11df4b7c921ac78f29624d3676af
SSDEEP

12288:wlbw+b1gL5pRTcAkS/3hzN8qE43fm78V1:Wbw+G5jcAkSYqyE1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2208	MSWDM.EXE
2476	MSWDM.EXE
1776	EF86C49FA313D68086AE3A3C9CFE36E0_NEIKIANALYTICS.EXE
2664	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2208	MSWDM.EXE
2328	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1D31.tmp	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1D31.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2208	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2476	2216	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2476	2216	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2476	2216	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2476	2216	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2208	2216	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe	29
PID 2216 wrote to memory of 2208	2216	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe	29
PID 2216 wrote to memory of 2208	2216	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe	29
PID 2216 wrote to memory of 2208	2216	ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe	29
PID 2208 wrote to memory of 1776	2208	MSWDM.EXE	30
PID 2208 wrote to memory of 1776	2208	MSWDM.EXE	30
PID 2208 wrote to memory of 1776	2208	MSWDM.EXE	30
PID 2208 wrote to memory of 1776	2208	MSWDM.EXE	30
PID 2208 wrote to memory of 2664	2208	MSWDM.EXE	32
PID 2208 wrote to memory of 2664	2208	MSWDM.EXE	32
PID 2208 wrote to memory of 2664	2208	MSWDM.EXE	32
PID 2208 wrote to memory of 2664	2208	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2216
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2476
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1D31.tmp!C:\Users\Admin\AppData\Local\Temp\ef86c49fa313d68086ae3a3c9cfe36e0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\EF86C49FA313D68086AE3A3C9CFE36E0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:1776
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1D31.tmp!C:\Users\Admin\AppData\Local\Temp\EF86C49FA313D68086AE3A3C9CFE36E0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EF86C49FA313D68086AE3A3C9CFE36E0_NEIKIANALYTICS.EXE

Filesize
505KB

MD5
eb902a36244dd898b3e7f3662f455929

SHA1
1ca5f495fd815a740091c7170276faa0f4dc0e91

SHA256
29055ebdb0090ab47fcddb7dee0ca52f0c553a9a2d3e8081d7c586bac72e1189

SHA512
88e00d24ae705ed0b79a7a9a52b9fd8125a440a25e9a32d02270fbbc11f7f50f9f4df5980026a71af1b1feeddd72014f1f2a7ee1a0176f559bd88305eb7ef252

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
47KB

MD5
2ad0ffa15d43c4e4eed93fed2a0c7cf6

SHA1
0e133283f17fb450252c8377f88f9e02d765279b

SHA256
9323e5bcad6008100e471a8f2ee36aa0ad44d92a4ccb013b99cb2792eed367af

SHA512
026d9f83368f2d46b10525941ccbee97916ac0f0fe8c8a277d879c7a77756590ef85781b1763ba810e254283a6d7e6bbd8ce1048b8927c06965f0d60a96727bc

Download Submit
C:\Windows\dev1D31.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2208-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2476-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2476-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2664-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads