41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743

General

Target

41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe
Size

64KB
MD5

20d07876c8b415ba451f05187a00e370
SHA1

9be132071b0b7404e6b19288a60dc807dfa484df
SHA256

41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743
SHA512

32ca7e3716eb4527a4a6e3b69cc9bdf03c98ae98b03bbe7819ef2ff642d96dab0f3ed4ada5732e82a76ae16680c89c5794c677d152882a252a93ca09fa873740
SSDEEP

768:rxG9oZl+F4jHPoxj7/9OOrQqjNAwNx1YnS6hvyV6qwcNPHdoSQQTRJPzkKAEN2:rxG0+a0V7JCaTYnSGMl/qSd/PwKAEc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1800	MSWDM.EXE
2604	MSWDM.EXE
2628	41583CFAF5E8819B0C7C2110D8D6457CA10A98C9F055B57826E70ABBC37D1743_NEIKIANALYTICS.EXE
1120	Process not Found
2928	MSWDM.EXE

Loads dropped DLL 3 IoCs

pid	Process
2604	MSWDM.EXE
2604	MSWDM.EXE
2568	Process not Found

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2080-1-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000c000000013144-6.dat	upx
behavioral1/memory/1800-16-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2604-15-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2080-13-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2928-34-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000d0000000158d9-30.dat	upx
behavioral1/memory/2604-38-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1800-39-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev12B6.tmp	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev12B6.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2604	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1800	2080	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 1800	2080	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 1800	2080	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 1800	2080	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2604	2080	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 2604	2080	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 2604	2080	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 2604	2080	41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe	29
PID 2604 wrote to memory of 2628	2604	MSWDM.EXE	30
PID 2604 wrote to memory of 2628	2604	MSWDM.EXE	30
PID 2604 wrote to memory of 2628	2604	MSWDM.EXE	30
PID 2604 wrote to memory of 2628	2604	MSWDM.EXE	30
PID 2604 wrote to memory of 2928	2604	MSWDM.EXE	32
PID 2604 wrote to memory of 2928	2604	MSWDM.EXE	32
PID 2604 wrote to memory of 2928	2604	MSWDM.EXE	32
PID 2604 wrote to memory of 2928	2604	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2080
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1800
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev12B6.tmp!C:\Users\Admin\AppData\Local\Temp\41583cfaf5e8819b0c7c2110d8d6457ca10a98c9f055b57826e70abbc37d1743_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\41583CFAF5E8819B0C7C2110D8D6457CA10A98C9F055B57826E70ABBC37D1743_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2628
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev12B6.tmp!C:\Users\Admin\AppData\Local\Temp\41583CFAF5E8819B0C7C2110D8D6457CA10A98C9F055B57826E70ABBC37D1743_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41583CFAF5E8819B0C7C2110D8D6457CA10A98C9F055B57826E70ABBC37D1743_NEIKIANALYTICS.EXE

Filesize
64KB

MD5
b4c38d20d6bf15112320ab18ba64c9b1

SHA1
d67ac30e4e2abfd65a07ac2561664247433d0c05

SHA256
893f128ce7fc77869a22291fefa705629cead3484b422993b5a9dc63f458f098

SHA512
04a1cefbae8435938111969210cf46d2463c0861981d700944044767b9cdb19291e4d909e78653f6a33750d9b00d03d96898a23e66240f87e9b9e24a08c34541

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
fcdbf839561963c0153432aafb2edd88

SHA1
d34b2c4fd725774f93d34ce411caee8a72c3cd46

SHA256
fd42fb02fe0e758cff209dabd8916a27cc9ae96632cb491eb0d484410a91f127

SHA512
f2e8e8257b26981cb6baf0d52d20f16ca5ed9649c4447da631a362261bbc933ab4255b9dbedc6e5852bf2c01bb5fd8d43d7b72d0457fb927713a1e35602d5c07

Download Submit
C:\Windows\dev12B6.tmp

Filesize
25KB

MD5
abbd49c180a2f8703f6306d6fa731fdc

SHA1
d63f4bfe7f74936b2fbace803e3da6103fbf6586

SHA256
5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1

SHA512
290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

Download Submit
memory/1800-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1800-39-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2080-1-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2080-13-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2604-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2604-35-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/2604-38-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2628-27-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2928-34-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads