3da22539a58d8f6abcd7128d95028d9b2b4051aab177534dacc3665062307903

General

Target

895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe
Size

89KB
MD5

895bf698b931481da71cb994bd0a5fa0
SHA1

6f1a31d980c842f3fa3e623c64fa353ca291b4da
SHA256

3da22539a58d8f6abcd7128d95028d9b2b4051aab177534dacc3665062307903
SHA512

c55ef1d7ee1add5dd495087bdae6a13c3f13eef4e04246eac1e4b8e4bc478291f19092904a2bc9c118f7042d15072bf05ea60c90b0a0ac3b4695489d1e168a0d
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4F9G+stEToa9D4ZQKbgZi1dst7x9PxS:HQC/yj5JO3Mn9G++lZQKbgZi1St7xS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1068	MSWDM.EXE
2076	MSWDM.EXE
2108	895BF698B931481DA71CB994BD0A5FA0_NEIKIANALYTICS.EXE
2644	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
1068	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev23A7.tmp	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev23A7.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1068	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2076	2060	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 2076	2060	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 2076	2060	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 2076	2060	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 1068	2060	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe	29
PID 2060 wrote to memory of 1068	2060	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe	29
PID 2060 wrote to memory of 1068	2060	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe	29
PID 2060 wrote to memory of 1068	2060	895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe	29
PID 1068 wrote to memory of 2108	1068	MSWDM.EXE	30
PID 1068 wrote to memory of 2108	1068	MSWDM.EXE	30
PID 1068 wrote to memory of 2108	1068	MSWDM.EXE	30
PID 1068 wrote to memory of 2108	1068	MSWDM.EXE	30
PID 1068 wrote to memory of 2644	1068	MSWDM.EXE	31
PID 1068 wrote to memory of 2644	1068	MSWDM.EXE	31
PID 1068 wrote to memory of 2644	1068	MSWDM.EXE	31
PID 1068 wrote to memory of 2644	1068	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2060
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2076
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev23A7.tmp!C:\Users\Admin\AppData\Local\Temp\895bf698b931481da71cb994bd0a5fa0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\895BF698B931481DA71CB994BD0A5FA0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2108
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev23A7.tmp!C:\Users\Admin\AppData\Local\Temp\895BF698B931481DA71CB994BD0A5FA0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\895BF698B931481DA71CB994BD0A5FA0_NEIKIANALYTICS.EXE

Filesize
89KB

MD5
f90777b6e219c151e0ec082e44f04c31

SHA1
ed714c13c98464e66becb25eb493579e80d6cf5b

SHA256
c2c9ceaa9034a74e7e9d5833b3cacfd9121384b50f527d2c5149845a51ac3634

SHA512
18531a33ff2ba28c7f22febe967ec694c02e550f147a6c373faa4629b5bae56dd62af2ad822be9022341fde5081acf2f88ab4deda4e62ed2e0b9e5181ffbb3cd

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
2af966e7672f1e9c626245551247fb3a

SHA1
e951cfe9ab27dad1f3df6e8189d0cf9b6dbbf66c

SHA256
6b493904f292ff29033f7c6570485a7bef4d83eb9a71b2e64b9fc3308017a6c8

SHA512
dfa2ae6cf2ff64bb9e3f884c02d348a9e615e94e6cbd05ce8bc98ec98d22dead2b6007e7da9e1d9e2317d53366c58611100146a68ff44526e93ea71d2561c98e

Download Submit
C:\Windows\dev23A7.tmp

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
memory/1068-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1068-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2076-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2076-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads