dce9644852ece6a904eb55ea0cf36c87cbe2a9c085ffd7adde4dacef05ab9f09

General

Target

0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe
Size

115KB
MD5

0ce4697b70c169aee7ba6f58b5acf900
SHA1

8ec66112a006764812dcd0ad816962bf9a7c2ffa
SHA256

dce9644852ece6a904eb55ea0cf36c87cbe2a9c085ffd7adde4dacef05ab9f09
SHA512

e9a395738ff98731cc32075b9f3aa6f74dcbc387acb66a49c8e92abfd1e499911673cd91a5f3db131e4c602adde92e05ce5c7a8af2f947a50716e33746b66032
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FiG+sdguxnSngBNpy5G0Aox9cJNWIfoEb:HQC/yj5JO3MniG+Hu5y5Lxxu6IfoC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXEMSWDM.EXE

pid process

3004 MSWDM.EXE
3644 MSWDM.EXE
2944 0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
2092 MSWDM.EXE

pid	process
3004	MSWDM.EXE
3644	MSWDM.EXE
2944	0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
2092	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
File opened for modification	C:\Windows\dev4759.tmp	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev4759.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

3644 MSWDM.EXE
3644 MSWDM.EXE

pid	process
3644	MSWDM.EXE
3644	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exeMSWDM.EXE

description	pid	process	target process
PID 2964 wrote to memory of 3004	2964	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 2964 wrote to memory of 3004	2964	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 2964 wrote to memory of 3004	2964	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 2964 wrote to memory of 3644	2964	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 2964 wrote to memory of 3644	2964	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 2964 wrote to memory of 3644	2964	0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe	MSWDM.EXE
PID 3644 wrote to memory of 2944	3644	MSWDM.EXE	0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
PID 3644 wrote to memory of 2944	3644	MSWDM.EXE	0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
PID 3644 wrote to memory of 2092	3644	MSWDM.EXE	MSWDM.EXE
PID 3644 wrote to memory of 2092	3644	MSWDM.EXE	MSWDM.EXE
PID 3644 wrote to memory of 2092	3644	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2964

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3004

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev4759.tmp!C:\Users\Admin\AppData\Local\Temp\0ce4697b70c169aee7ba6f58b5acf900_NeikiAnalytics.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE
3⤵
- Executes dropped EXE
PID:2944

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev4759.tmp!C:\Users\Admin\AppData\Local\Temp\0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0CE4697B70C169AEE7BA6F58B5ACF900_NEIKIANALYTICS.EXE

Filesize
115KB

MD5
b273abc194ec4ead3bff2c43d0900891

SHA1
ec287f47da27efb708079b1d006fc9cd0db4ca46

SHA256
3bdc3fec418905163e9b35103cdd834b2d36330f3b2b5741b0ab3827eaf44add

SHA512
99d820495836386d39b1afed6f2a05572f7177db196cd429a60c264b0992b0203b9b904359778ea195d9fe08c4197c60e49cb6479ec9e17912f864fb9253ab61

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
a587704ff11199aa99e958a49d6bfd35

SHA1
ecd0936cf9adc9d2e6d379d68d34a340ca473da7

SHA256
d97cbb9d5212b8af14afa8a218d5553cf9c912d1f743e4deedcfbbe482a68abf

SHA512
ebf23a92898d8a4d2e2646a2b6a5aace8976d89651d154ca0f642baf0e750d24061314d953b6977b87cbce25a1a13c3a7b5b49a9eda54a677f20a9097fda9b67

Download Submit
C:\Windows\dev4759.tmp

Filesize
35KB

MD5
ea3b798870a5c6e159bb05f432b0438a

SHA1
17cdd851ea58dd00296bd44c031484ef05342ee0

SHA256
3e7a5f7a2c4d88b30de76681d2759119aaf479f5787b6466dc175a852e50a1c7

SHA512
fc3f5089d2a57e38d285e5a90f2be63431d40c2c443dec41b783aaf5c1a6f4ab9b6904cd5fece18d6dc15664f00d7d5d0ba27d226f7623fe02c2f76f57a17524

Download Submit
memory/2092-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3004-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3644-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3644-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads