df6edfef81a1d9f56430a4e1dee1d1a2c0d9ac34aafbd2da0694a821a8636600

General

Target

8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe
Size

150KB
MD5

8b2e0a2aa80ae38e20fb66695783b640
SHA1

11da47bc857d6134f36d91c53c76af2df5a4758b
SHA256

df6edfef81a1d9f56430a4e1dee1d1a2c0d9ac34aafbd2da0694a821a8636600
SHA512

835f6ed8d7efa47e8ff93fac69e026d50e400c645e3fe02ec1afa30900c6909c6b3e579fa0dd3c5c0a5c1103bff07c1b75f60ed5594e2428c2e898e98760d277
SSDEEP

3072:HQC/yj5JO3MnMG+Hu54Fx4xE8z7LK4ddJMY86ipmns6Y:wlj7cMnd+OEXQKCJMY2

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXEMSWDM.EXE

pid process

2252 MSWDM.EXE
1856 MSWDM.EXE
2524 8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
2572 MSWDM.EXE
Loads dropped DLL 1 IoCs

Processes:

MSWDM.EXE

pid process

1856 MSWDM.EXE

pid	process
2252	MSWDM.EXE
1856	MSWDM.EXE
2524	8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
2572	MSWDM.EXE

pid	process
1856	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSWDM.EXE8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1DDD.tmp	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1DDD.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

1856 MSWDM.EXE

pid	process
1856	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exeMSWDM.EXE

description	pid	process	target process
PID 2220 wrote to memory of 2252	2220	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 2220 wrote to memory of 2252	2220	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 2220 wrote to memory of 2252	2220	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 2220 wrote to memory of 2252	2220	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 2220 wrote to memory of 1856	2220	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 2220 wrote to memory of 1856	2220	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 2220 wrote to memory of 1856	2220	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 2220 wrote to memory of 1856	2220	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 1856 wrote to memory of 2524	1856	MSWDM.EXE	8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
PID 1856 wrote to memory of 2524	1856	MSWDM.EXE	8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
PID 1856 wrote to memory of 2524	1856	MSWDM.EXE	8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
PID 1856 wrote to memory of 2524	1856	MSWDM.EXE	8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
PID 1856 wrote to memory of 2572	1856	MSWDM.EXE	MSWDM.EXE
PID 1856 wrote to memory of 2572	1856	MSWDM.EXE	MSWDM.EXE
PID 1856 wrote to memory of 2572	1856	MSWDM.EXE	MSWDM.EXE
PID 1856 wrote to memory of 2572	1856	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2220
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2252
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1DDD.tmp!C:\Users\Admin\AppData\Local\Temp\8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2524
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1DDD.tmp!C:\Users\Admin\AppData\Local\Temp\8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE

Filesize
150KB

MD5
d272e07c1df697d14334ff3d72be2d6d

SHA1
bef92a49ec9e5dc43178734de605d6d9ef1bc2fe

SHA256
1e7f93116dd58bcec583abeb5aaf871220b4a2a3097571a5829e4af5524438fc

SHA512
7da05be06e1fa3a45e9395742087a231b63af3d839a79fcfbb09250d81c16a2bdc71ba05a02a0a67e3abf5165971d26580ee6b0a1e3952ff64cc5b90c1cf7ea6

Download Submit
C:\Windows\MSWDM.EXE

Filesize
90KB

MD5
8f2d28e86da4e46fc37522f9015ebdbc

SHA1
8523897a7511249a248565fdbee289196f7b2866

SHA256
b9bcc3b92f2d29bdf6bbd7a1caf5ef4b1ad668f264f6d5019f9f05fad25ae240

SHA512
bb04eb0e480fbe02fde3cf17defb774c9d9b5bcaf23bed81fcdb1ddfe4f9bcce7d77093965fe1752e696632a2c0fde8fb7d9ad0e63271ee1e7beb1cf4ff510a8

Download Submit
\Users\Admin\AppData\Local\Temp\8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
memory/1856-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1856-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2220-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2220-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2252-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2252-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2572-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads