3fbfd5f2d6a40a1dfe50fea938c91ce3954a644acd51c021b9a1f0b389ebe711

Analysis

max time kernel
29s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe
Size

95KB
MD5

5be147eed770b938689d468d99a88b40
SHA1

0cd84eeb96c4275701d2a67a2f366088bd0de3dc
SHA256

3fbfd5f2d6a40a1dfe50fea938c91ce3954a644acd51c021b9a1f0b389ebe711
SHA512

2228c7cfec76ad75a4d4186368a9496570cd67c2c691f17ee812e3f293ff38f9091d851e92d7dd0c668461291f0177f1e722a32e8881c826fd66f0473a5c8e87
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FvG+sdguxnSngBNpT/mzNnxPAxEAz0+/8omCi:HQC/yj5JO3MnvG+Hu54Fx4xE8EomCP1o

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

MSWDM.EXEMSWDM.EXE5BE147EED770B938689D468D99A88B40_NEIKIANALYTICS.EXE

pid process

3636 MSWDM.EXE
1140 MSWDM.EXE
3616 5BE147EED770B938689D468D99A88B40_NEIKIANALYTICS.EXE

pid	process
3636	MSWDM.EXE
1140	MSWDM.EXE
3616	5BE147EED770B938689D468D99A88B40_NEIKIANALYTICS.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5be147eed770b938689d468d99a88b40_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

Processes:

5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev2FBB.tmp	5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

1140 MSWDM.EXE
1140 MSWDM.EXE

pid	process
1140	MSWDM.EXE
1140	MSWDM.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5be147eed770b938689d468d99a88b40_NeikiAnalytics.exeMSWDM.EXE

description	pid	process	target process
PID 5312 wrote to memory of 3636	5312	5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe	MSWDM.EXE
PID 5312 wrote to memory of 3636	5312	5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe	MSWDM.EXE
PID 5312 wrote to memory of 3636	5312	5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe	MSWDM.EXE
PID 5312 wrote to memory of 1140	5312	5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe	MSWDM.EXE
PID 5312 wrote to memory of 1140	5312	5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe	MSWDM.EXE
PID 5312 wrote to memory of 1140	5312	5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe	MSWDM.EXE
PID 1140 wrote to memory of 3616	1140	MSWDM.EXE	5BE147EED770B938689D468D99A88B40_NEIKIANALYTICS.EXE
PID 1140 wrote to memory of 3616	1140	MSWDM.EXE	5BE147EED770B938689D468D99A88B40_NEIKIANALYTICS.EXE
PID 1140 wrote to memory of 3616	1140	MSWDM.EXE	5BE147EED770B938689D468D99A88B40_NEIKIANALYTICS.EXE

C:\Users\Admin\AppData\Local\Temp\5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5312

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3636

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev2FBB.tmp!C:\Users\Admin\AppData\Local\Temp\5be147eed770b938689d468d99a88b40_NeikiAnalytics.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\5BE147EED770B938689D468D99A88B40_NEIKIANALYTICS.EXE
3⤵
- Executes dropped EXE
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
3d9fadea439980d0b99fb3db6f192870

SHA1
f69e18e35638033a4ee2056744039382e7dc0151

SHA256
ed57a3e0ebec97af00fa0d8b43036bdde3e01c55e6ad45ac8b7276569c7a6c52

SHA512
cc8a087a83ca1755d9eb599c279f717993010681fc09a4eb7d4eb286edc513e354751efc333f65c0d37c2b2db5e6b55881683d3491a89775c08555dd4e4777d3

Download Submit
C:\Windows\dev2FBB.tmp

Filesize
15KB

MD5
b0cec9f342bf95700b602ee376446577

SHA1
b955b1b64280bb0ea873538029cf5ea44081501b

SHA256
24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088

SHA512
05ebecfc8d3e2e7885d3cacc65bfd97db710c2cbc0fb76b19b7d6cc82b327b25df953a20affc8d84002167dd8ac7710622279d3579c6605e742a98fe7095aa4e

Download Submit
memory/1140-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3636-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3636-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5312-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5312-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download