5404a26308cb0193e3909167bd7b672155a40f390ac69c016b24076aebc7e319

General

Target

f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
Size

62KB
MD5

f084041a5a6c875e977679e30a1edce0
SHA1

777490c2769746e56f8e58011b6d1cb2b7482d64
SHA256

5404a26308cb0193e3909167bd7b672155a40f390ac69c016b24076aebc7e319
SHA512

236e9b5e23f25449d753a4bd789bf2c69e21c4591ce9f26b745511b15abe24bd49dd5e757facd5b2146194b567abe4815b57aabe616ac17cd92cf9711eb97a64
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FBG+sQjkrDl9HNVl5S:HQC/yj5JO3MnBG+NkrD7HNVl5S

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2272	MSWDM.EXE
2548	MSWDM.EXE
2708	F084041A5A6C875E977679E30A1EDCE0_NEIKIANALYTICS.EXE
2704	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2548	MSWDM.EXE
2548	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev1E98.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1E98.tmp	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2548	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2272	1728	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe	28
PID 1728 wrote to memory of 2272	1728	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe	28
PID 1728 wrote to memory of 2272	1728	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe	28
PID 1728 wrote to memory of 2272	1728	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe	28
PID 1728 wrote to memory of 2548	1728	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe	29
PID 1728 wrote to memory of 2548	1728	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe	29
PID 1728 wrote to memory of 2548	1728	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe	29
PID 1728 wrote to memory of 2548	1728	f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe	29
PID 2548 wrote to memory of 2708	2548	MSWDM.EXE	30
PID 2548 wrote to memory of 2708	2548	MSWDM.EXE	30
PID 2548 wrote to memory of 2708	2548	MSWDM.EXE	30
PID 2548 wrote to memory of 2708	2548	MSWDM.EXE	30
PID 2548 wrote to memory of 2704	2548	MSWDM.EXE	31
PID 2548 wrote to memory of 2704	2548	MSWDM.EXE	31
PID 2548 wrote to memory of 2704	2548	MSWDM.EXE	31
PID 2548 wrote to memory of 2704	2548	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1728
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2272
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1E98.tmp!C:\Users\Admin\AppData\Local\Temp\f084041a5a6c875e977679e30a1edce0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\F084041A5A6C875E977679E30A1EDCE0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1E98.tmp!C:\Users\Admin\AppData\Local\Temp\F084041A5A6C875E977679E30A1EDCE0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F084041A5A6C875E977679E30A1EDCE0_NEIKIANALYTICS.EXE

Filesize
62KB

MD5
15f2b1516ea9ad7338e4779ef9d1d55d

SHA1
434f6d275eaf1c6a0139a47c72a535eeedaad95a

SHA256
6b9377f830e4b8853c5772492789baf5ab1b0c6194b7f00d410570c0cebea4d0

SHA512
110dbfe457a76c03e72acfb4334461a63fa4d0f02f955b90cc736e825e0007a26aa5244c599194ff6e05adb3d4476513575fbf88d52ff23b5d7ed4f32ba21767

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
2ad0ffa15d43c4e4eed93fed2a0c7cf6

SHA1
0e133283f17fb450252c8377f88f9e02d765279b

SHA256
9323e5bcad6008100e471a8f2ee36aa0ad44d92a4ccb013b99cb2792eed367af

SHA512
026d9f83368f2d46b10525941ccbee97916ac0f0fe8c8a277d879c7a77756590ef85781b1763ba810e254283a6d7e6bbd8ce1048b8927c06965f0d60a96727bc

Download Submit
C:\Windows\dev1E98.tmp

Filesize
15KB

MD5
f4dfd83153e8c9088ae2db704107060d

SHA1
f1aefc68cd03ea536e75047554e59edbb453ecfc

SHA256
89aa5d62e788a6cde675d3235af41c5c353052baeba525650874cc1f4dab6d07

SHA512
4521655154e890e1b158791537c64b9cb5c1de6469dda047cc543d1562991129e11a3f51050752e1c1dae73798371cbe93318a3f23abd7f99c6398a74f26c28f

Download Submit
memory/1728-7-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/1728-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1728-6-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2272-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2272-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2548-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2548-39-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2548-30-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2704-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2704-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads