7e16a7ff55602ac3c052b9afca1e33b0907572f1b6a8d13b29dadf02ad3c89cb

General

Target

54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe
Size

115KB
MD5

54c3721a563695f56b2a9af95d451970
SHA1

5e1740ee407fdc662cb3df3693d9aebbba6499a2
SHA256

7e16a7ff55602ac3c052b9afca1e33b0907572f1b6a8d13b29dadf02ad3c89cb
SHA512

95ffcecbca534d7c1db3dad8a12acaea152e716e9f26652cbafaa70b727e32c50b4987a9f916f7681a1de0fc91c2cb49c2386ed86d60946c4016fc9869b417bd
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FcG+sdguxnSngBNpZgi9lOkXYLBD7FPxj:HQC/yj5JO3MncG+Hu5ZgPkXYLBDlxj

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE54C3721A563695F56B2A9AF95D451970_NEIKIANALYTICS.EXEMSWDM.EXE

pid process

2744 MSWDM.EXE
2008 MSWDM.EXE
2052 54C3721A563695F56B2A9AF95D451970_NEIKIANALYTICS.EXE
2628 MSWDM.EXE
Loads dropped DLL 1 IoCs

Processes:

MSWDM.EXE

pid process

2008 MSWDM.EXE

pid	process
2744	MSWDM.EXE
2008	MSWDM.EXE
2052	54C3721A563695F56B2A9AF95D451970_NEIKIANALYTICS.EXE
2628	MSWDM.EXE

pid	process
2008	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev209B.tmp	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev209B.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

2008 MSWDM.EXE

pid	process
2008	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exeMSWDM.EXE

description	pid	process	target process
PID 2408 wrote to memory of 2744	2408	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe	MSWDM.EXE
PID 2408 wrote to memory of 2744	2408	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe	MSWDM.EXE
PID 2408 wrote to memory of 2744	2408	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe	MSWDM.EXE
PID 2408 wrote to memory of 2744	2408	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe	MSWDM.EXE
PID 2408 wrote to memory of 2008	2408	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe	MSWDM.EXE
PID 2408 wrote to memory of 2008	2408	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe	MSWDM.EXE
PID 2408 wrote to memory of 2008	2408	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe	MSWDM.EXE
PID 2408 wrote to memory of 2008	2408	54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe	MSWDM.EXE
PID 2008 wrote to memory of 2052	2008	MSWDM.EXE	54C3721A563695F56B2A9AF95D451970_NEIKIANALYTICS.EXE
PID 2008 wrote to memory of 2052	2008	MSWDM.EXE	54C3721A563695F56B2A9AF95D451970_NEIKIANALYTICS.EXE
PID 2008 wrote to memory of 2052	2008	MSWDM.EXE	54C3721A563695F56B2A9AF95D451970_NEIKIANALYTICS.EXE
PID 2008 wrote to memory of 2052	2008	MSWDM.EXE	54C3721A563695F56B2A9AF95D451970_NEIKIANALYTICS.EXE
PID 2008 wrote to memory of 2628	2008	MSWDM.EXE	MSWDM.EXE
PID 2008 wrote to memory of 2628	2008	MSWDM.EXE	MSWDM.EXE
PID 2008 wrote to memory of 2628	2008	MSWDM.EXE	MSWDM.EXE
PID 2008 wrote to memory of 2628	2008	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2408

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2744

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev209B.tmp!C:\Users\Admin\AppData\Local\Temp\54c3721a563695f56b2a9af95d451970_NeikiAnalytics.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\54C3721A563695F56B2A9AF95D451970_NEIKIANALYTICS.EXE
3⤵
- Executes dropped EXE
PID:2052

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev209B.tmp!C:\Users\Admin\AppData\Local\Temp\54C3721A563695F56B2A9AF95D451970_NEIKIANALYTICS.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\54C3721A563695F56B2A9AF95D451970_NEIKIANALYTICS.EXE

Filesize
115KB

MD5
03dc4b5d2c8e640972c5ca96efe3b5b9

SHA1
77a0214daa2c8cd6a47c8ffd47f3bbe31d857063

SHA256
c626d71aed8907d56391e008270d362daa3beeec2089d2322c91cce09b5f85a2

SHA512
f1d1cd9243cfe0146657fc3b554354d2b4999cc0530da8e958b5be49d48ee040c7345723a911bcafae71b6d62f4874d294cce332169790334d8931d92aa6d97a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
f953eee07963c184dd80c54fe6d036a5

SHA1
c09ef25a25722b434f31e2e4ae9a53a77abfdb66

SHA256
58fe341cf6d3034c6b660f49e9619d7c9a189f1eca079e1aac0daf062d322fba

SHA512
4fb4d94008673a649f59e2e1971840d066f31808490ae8939f8d0c87995b39494a513c14ea3d8ed1966b13a268b80d923103bda27ff6c1dc64be938f1437fb95

Download Submit
C:\Windows\dev209B.tmp

Filesize
35KB

MD5
19e25386a9c5cb66495e0d4be8869822

SHA1
a44d071ee432576f7d10917ac33fe84000c67c65

SHA256
d56174b1ba2af749549e8140f8e5bec2a1cb5a62f8e7163a0a400852f1d6b926

SHA512
2120f0a140329e3f586d4d0e81b83afb6fc4a0728baa4de7421496f4e1a5ec982edfc1e24d72a17df7108eb95e59840b7a3dc3abca9b92a95fd6869cddf5b30b

Download Submit
memory/2008-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2008-25-0x00000000003D0000-0x00000000003EB000-memory.dmp

Filesize
108KB

Download
memory/2008-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2408-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2408-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2408-8-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/2628-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2744-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2744-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads