6a535e8e8745af860eab9901e1aaed16b2962fa408f4e73825f33e9de02c7e5b

Analysis

max time kernel
24s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
Size

104KB
MD5

a9c1a80cdfd2fbab7964cbcedbd98c20
SHA1

0e0f8f4cb32655dcb68f25f920810a664ed3a003
SHA256

6a535e8e8745af860eab9901e1aaed16b2962fa408f4e73825f33e9de02c7e5b
SHA512

3f243fe70d95872e4c760b560ed761334fd9e820e388c1bac98d5054d5f34e28b5d41ae529c4dc827aa9dbcd4012b3392c4ad87f8e92f82d9fadfeae5e17a3a6
SSDEEP

3072:HQC/yj5JO3MntgG+TfH5TZsYnjIdbCNNoV/Xi:wlj7cMnv+TRT9n0duP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4988	MSWDM.EXE
4644	MSWDM.EXE
3340	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev4DB2.tmp	a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev4DB2.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4644	MSWDM.EXE
4644	MSWDM.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4988	212	a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe	83
PID 212 wrote to memory of 4988	212	a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe	83
PID 212 wrote to memory of 4988	212	a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe	83
PID 212 wrote to memory of 4644	212	a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe	84
PID 212 wrote to memory of 4644	212	a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe	84
PID 212 wrote to memory of 4644	212	a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe	84
PID 4644 wrote to memory of 3340	4644	MSWDM.EXE	85
PID 4644 wrote to memory of 3340	4644	MSWDM.EXE	85
PID 4644 wrote to memory of 3340	4644	MSWDM.EXE	85

C:\Users\Admin\AppData\Local\Temp\a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:212
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4988
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev4DB2.tmp!C:\Users\Admin\AppData\Local\Temp\a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev4DB2.tmp!C:\Users\Admin\AppData\Local\Temp\A9C1A80CDFD2FBAB7964CBCEDBD98C20_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a9c1a80cdfd2fbab7964cbcedbd98c20_NeikiAnalytics.exe

Filesize
104KB

MD5
555e60ae3561ddf7b334fc52971bc13e

SHA1
dd569f42c1b7002717508e4f3726ad6e13943575

SHA256
eebbdc0d5f35ef91afe6c2c7aff5a2f69014fe7f3e1bc1870c894f99c7ac8a24

SHA512
0fb09dafbc13d0a856cde5d8a494f8fbdade5538640579458f00aec50a0952ee637b46c7a128cc828f50524809192a3a8128e499fd3884535a211f190765b620

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
b319afee8424fd20d10b6da7a12c7dde

SHA1
68a6d36f09571772ed6a37fcefe74ddf2b2982ce

SHA256
ff1499f5fc1ff13b65427b7d971c27bc153f3311b3e26232ef8cd57c9faf0e0e

SHA512
cd79380bb5d4a0921ee1d9bfad49bdebed82daca5a219cc3e2a06aae92e0a9b2bccc33cce595d75157f1738b25b04bd3fefcdff505867738caa0759a02c8fafd

Download Submit
C:\Windows\dev4DB2.tmp

Filesize
56KB

MD5
18fe30f810364bd33c396c9ee428f4b4

SHA1
362433117f9e00a8da6cb54fcd81365fe0168566

SHA256
7f13eeb5dca39d05e24b9eb069c6dcb2748633822d67288a8bf8b7e21cdddf55

SHA512
160147777466016b908a1a663e3457ed8dc6d0d4c3bb6e75b54206a3e84e8462f1cddf3f23a248d8cbea079615f5f58c4488e016dbdde04b9a0a03db9ce70660

Download Submit
memory/212-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/212-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3340-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4644-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4644-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4988-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download