56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3

General

Target

56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe
Size

368KB
MD5

f9c1782ae2a10c81bdbcf15d740d7f20
SHA1

2d48ed8380b9181872bb1d8d6d69b916b1f221c1
SHA256

56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3
SHA512

6ce266100b3d294027382c2256cf2d94ce9d420daa3bf1657742c554a6d3313845c79efaaeae0681e3f4ce427ad90f0fe027391b96c7854d7fa1ba51b32fa96c
SSDEEP

6144:wlj7cMn++sWwhutm0PqUxMaADF2Vd7Er6tlDSlt9A+Yu14mQisEIHJGeNafG9rFo:wlb++xrQ9H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3248	MSWDM.EXE
3928	MSWDM.EXE
4820	56F76FD221765190F9A254B2C87C594A3129637DBE59D253860C0AF96AFEB1D3_NEIKIANALYTICS.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev39AD.tmp	56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3248	MSWDM.EXE
3248	MSWDM.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 3928	1920	56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe	83
PID 1920 wrote to memory of 3928	1920	56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe	83
PID 1920 wrote to memory of 3928	1920	56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe	83
PID 1920 wrote to memory of 3248	1920	56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe	84
PID 1920 wrote to memory of 3248	1920	56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe	84
PID 1920 wrote to memory of 3248	1920	56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe	84
PID 3248 wrote to memory of 4820	3248	MSWDM.EXE	85
PID 3248 wrote to memory of 4820	3248	MSWDM.EXE	85

C:\Users\Admin\AppData\Local\Temp\56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1920
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3928
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev39AD.tmp!C:\Users\Admin\AppData\Local\Temp\56f76fd221765190f9a254b2c87c594a3129637dbe59d253860c0af96afeb1d3_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Users\Admin\AppData\Local\Temp\56F76FD221765190F9A254B2C87C594A3129637DBE59D253860C0AF96AFEB1D3_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:4820
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev39AD.tmp!C:\Users\Admin\AppData\Local\Temp\56F76FD221765190F9A254B2C87C594A3129637DBE59D253860C0AF96AFEB1D3_NEIKIANALYTICS.EXE!
    3⤵
    PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\56F76FD221765190F9A254B2C87C594A3129637DBE59D253860C0AF96AFEB1D3_NEIKIANALYTICS.EXE

Filesize
368KB

MD5
6eaf492cd10b3ea60c71019d06a07419

SHA1
6cc6bbdfd652dd3cef2b8701ccd0b0bc42e809d2

SHA256
66be9ef9f2cb7006f815eaa456c20f8b176df6bd6f65c44a5fbab0109d4332d3

SHA512
ac1f1814a5d75c793a87a4d293a6275f171b768190345b7c6384d96c68366deae8986e0679ba7bc94a755618d3c80c40dceffbd9a58a6f0bc97f451db71a3daa

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
47KB

MD5
6d7903728b74f798eb09c32e5ce442ac

SHA1
6b06f7968540eb77590a1be2b9c7de6211c0ec22

SHA256
7707c6da44fe61ffd35227daebf83a8c01dcc5314d4913e75b32412f24a06729

SHA512
9f4767fb95e8c7db8ab4675f2ecdd7d2165fa3461ff71afbde2782b87465c60a6b05803fdcb263aeb1f65a9db885046aee4dfe8b4f7bffdfe231bdd0496bd023

Download Submit
C:\Windows\dev39AD.tmp

Filesize
320KB

MD5
084b8c3e4293c6537947c0e9975ba91f

SHA1
e0a1e09e988b0ddc2972fed4fe3ce40e3bb7ae40

SHA256
06ea7505d07348399f04b89aaf86355fee3a30241affb564607d303bf92d311b

SHA512
9e7275c2bbec625525773126502296b6f9b393e69393a36fc1baa77cc7b036941296b37e2518d65682d3127703bffa4ff7d5fba63bb81256417a845a57689d2a

Download Submit
memory/1920-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1920-6-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2364-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3248-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3248-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3248-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3928-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads