dce9644852ece6a904eb55ea0cf36c87cbe2a9c085ffd7adde4dacef05ab9f09

General

Target

0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe
Size

115KB
MD5

0ce4697b70c169aee7ba6f58b5acf900
SHA1

8ec66112a006764812dcd0ad816962bf9a7c2ffa
SHA256

dce9644852ece6a904eb55ea0cf36c87cbe2a9c085ffd7adde4dacef05ab9f09
SHA512

e9a395738ff98731cc32075b9f3aa6f74dcbc387acb66a49c8e92abfd1e499911673cd91a5f3db131e4c602adde92e05ce5c7a8af2f947a50716e33746b66032
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FiG+sdguxnSngBNpy5G0Aox9cJNWIfoEb:HQC/yj5JO3MniG+Hu5y5Lxxu6IfoC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

MSWDM.EXEMSWDM.EXE0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXEMSWDM.EXE

pid process

2032 MSWDM.EXE
2384 MSWDM.EXE
1216 0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
1204
2676 MSWDM.EXE
Loads dropped DLL 3 IoCs

Processes:

MSWDM.EXE

pid process

2032 MSWDM.EXE
2652
1204

pid	process
2032	MSWDM.EXE
2384	MSWDM.EXE
1216	0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
1204
2676	MSWDM.EXE

pid	process
2032	MSWDM.EXE
2652
1204

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

Processes:

0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe
File opened for modification	C:\Windows\devC02.tmp	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

2032 MSWDM.EXE

pid	process
2032	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exeMSWDM.EXE

description	pid	process	target process
PID 1720 wrote to memory of 2384	1720	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 1720 wrote to memory of 2384	1720	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 1720 wrote to memory of 2384	1720	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 1720 wrote to memory of 2384	1720	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 1720 wrote to memory of 2032	1720	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 1720 wrote to memory of 2032	1720	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 1720 wrote to memory of 2032	1720	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 1720 wrote to memory of 2032	1720	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 2032 wrote to memory of 1216	2032	MSWDM.EXE	0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
PID 2032 wrote to memory of 1216	2032	MSWDM.EXE	0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
PID 2032 wrote to memory of 1216	2032	MSWDM.EXE	0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
PID 2032 wrote to memory of 1216	2032	MSWDM.EXE	0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
PID 2032 wrote to memory of 2676	2032	MSWDM.EXE	MSWDM.EXE
PID 2032 wrote to memory of 2676	2032	MSWDM.EXE	MSWDM.EXE
PID 2032 wrote to memory of 2676	2032	MSWDM.EXE	MSWDM.EXE
PID 2032 wrote to memory of 2676	2032	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1720

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2384

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\devC02.tmp!C:\Users\Admin\AppData\Local\Temp\0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
3⤵
- Executes dropped EXE
PID:1216

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\devC02.tmp!C:\Users\Admin\AppData\Local\Temp\0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE!
3⤵
- Executes dropped EXE
PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE
Filesize
80KB

MD5
a587704ff11199aa99e958a49d6bfd35

SHA1
ecd0936cf9adc9d2e6d379d68d34a340ca473da7

SHA256
d97cbb9d5212b8af14afa8a218d5553cf9c912d1f743e4deedcfbbe482a68abf

SHA512
ebf23a92898d8a4d2e2646a2b6a5aace8976d89651d154ca0f642baf0e750d24061314d953b6977b87cbce25a1a13c3a7b5b49a9eda54a677f20a9097fda9b67

Download Submit
\Users\Admin\AppData\Local\Temp\0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe
Filesize
35KB

MD5
ea3b798870a5c6e159bb05f432b0438a

SHA1
17cdd851ea58dd00296bd44c031484ef05342ee0

SHA256
3e7a5f7a2c4d88b30de76681d2759119aaf479f5787b6466dc175a852e50a1c7

SHA512
fc3f5089d2a57e38d285e5a90f2be63431d40c2c443dec41b783aaf5c1a6f4ab9b6904cd5fece18d6dc15664f00d7d5d0ba27d226f7623fe02c2f76f57a17524

Download Submit
memory/1720-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2032-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2032-26-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2032-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2384-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2384-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2676-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads