df6edfef81a1d9f56430a4e1dee1d1a2c0d9ac34aafbd2da0694a821a8636600

General

Target

8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe
Size

150KB
MD5

8b2e0a2aa80ae38e20fb66695783b640
SHA1

11da47bc857d6134f36d91c53c76af2df5a4758b
SHA256

df6edfef81a1d9f56430a4e1dee1d1a2c0d9ac34aafbd2da0694a821a8636600
SHA512

835f6ed8d7efa47e8ff93fac69e026d50e400c645e3fe02ec1afa30900c6909c6b3e579fa0dd3c5c0a5c1103bff07c1b75f60ed5594e2428c2e898e98760d277
SSDEEP

3072:HQC/yj5JO3MnMG+Hu54Fx4xE8z7LK4ddJMY86ipmns6Y:wlj7cMnd+OEXQKCJMY2

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXEMSWDM.EXE

pid process

1256 MSWDM.EXE
876 MSWDM.EXE
4044 8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
3296 MSWDM.EXE

pid	process
1256	MSWDM.EXE
876	MSWDM.EXE
4044	8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
3296	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSWDM.EXE8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

MSWDM.EXE8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\dev46CD.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev46CD.tmp	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

876 MSWDM.EXE
876 MSWDM.EXE

pid	process
876	MSWDM.EXE
876	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exeMSWDM.EXE

description	pid	process	target process
PID 3644 wrote to memory of 1256	3644	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 3644 wrote to memory of 1256	3644	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 3644 wrote to memory of 1256	3644	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 3644 wrote to memory of 876	3644	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 3644 wrote to memory of 876	3644	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 3644 wrote to memory of 876	3644	8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe	MSWDM.EXE
PID 876 wrote to memory of 4044	876	MSWDM.EXE	8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
PID 876 wrote to memory of 4044	876	MSWDM.EXE	8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
PID 876 wrote to memory of 3296	876	MSWDM.EXE	MSWDM.EXE
PID 876 wrote to memory of 3296	876	MSWDM.EXE	MSWDM.EXE
PID 876 wrote to memory of 3296	876	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3644
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1256
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev46CD.tmp!C:\Users\Admin\AppData\Local\Temp\8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:4044
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev46CD.tmp!C:\Users\Admin\AppData\Local\Temp\8B2E0A2AA80AE38E20FB66695783B640_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8b2e0a2aa80ae38e20fb66695783b640_NeikiAnalytics.exe

Filesize
150KB

MD5
a128a735f08b7372d3cd12802e8c22b3

SHA1
892dcf15c3e29ce4168228ad7059c5e95d598582

SHA256
bc175f36469a69f781cb4301d34b6ef4433dd3f04f2ca0590f2adc19d107d4b8

SHA512
a8b6ba05b9d185cab88e252209ecdb2d15e966e6f46f970647431d85a7c246104d67063b2cc8c623a6932ec4c20f1b6c536c84375b160235d74c051884bc439a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
90KB

MD5
8f2d28e86da4e46fc37522f9015ebdbc

SHA1
8523897a7511249a248565fdbee289196f7b2866

SHA256
b9bcc3b92f2d29bdf6bbd7a1caf5ef4b1ad668f264f6d5019f9f05fad25ae240

SHA512
bb04eb0e480fbe02fde3cf17defb774c9d9b5bcaf23bed81fcdb1ddfe4f9bcce7d77093965fe1752e696632a2c0fde8fb7d9ad0e63271ee1e7beb1cf4ff510a8

Download Submit
C:\Windows\dev46CD.tmp

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
memory/876-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1256-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3296-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3644-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3644-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads