69cb6f8d7a9de92e1b3088e34cac69af9832ffb8fda6c8eecd1680acd7cf0e5e

General

Target

37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
Size

64KB
MD5

37433c83063a40bc8e312b87a1203620
SHA1

88bd1c80974bce4e6cecb37179f82b5b178a389f
SHA256

69cb6f8d7a9de92e1b3088e34cac69af9832ffb8fda6c8eecd1680acd7cf0e5e
SHA512

9b333f1196ae6652dda6e6d8a3827fa86c3982dc3c97c25f436264802a7dc0d5889ae647f4b939430f6c4a8d99eb8707f2e2c6979b6b038a33f677c0cbb64cd2
SSDEEP

768:rxG9oZl+F4jHPoxj7/9OOrQqjNAwNx1YnS6hvyV6qwcM4MMPHdoSQQTRJPzkKAEi:rxG0+a0V7JCaTYnSGMkc/qSd/PwKAEi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1920	MSWDM.EXE
2516	MSWDM.EXE
3044	37433C83063A40BC8E312B87A1203620_NEIKIANALYTICS.EXE
2540	MSWDM.EXE

Loads dropped DLL 3 IoCs

pid	Process
2516	MSWDM.EXE
2516	MSWDM.EXE
2992	Process not Found

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1908-1-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000b000000014ef8-4.dat	upx
behavioral1/memory/2516-17-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1920-16-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1908-12-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x0008000000015c3d-29.dat	upx
behavioral1/memory/2540-33-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2516-36-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1920-37-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
File opened for modification	C:\Windows\devF3D.tmp	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
File opened for modification	C:\Windows\devF3D.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2516	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1920	1908	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	28
PID 1908 wrote to memory of 1920	1908	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	28
PID 1908 wrote to memory of 1920	1908	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	28
PID 1908 wrote to memory of 1920	1908	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	28
PID 1908 wrote to memory of 2516	1908	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	29
PID 1908 wrote to memory of 2516	1908	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	29
PID 1908 wrote to memory of 2516	1908	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	29
PID 1908 wrote to memory of 2516	1908	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	29
PID 2516 wrote to memory of 3044	2516	MSWDM.EXE	30
PID 2516 wrote to memory of 3044	2516	MSWDM.EXE	30
PID 2516 wrote to memory of 3044	2516	MSWDM.EXE	30
PID 2516 wrote to memory of 3044	2516	MSWDM.EXE	30
PID 2516 wrote to memory of 2540	2516	MSWDM.EXE	32
PID 2516 wrote to memory of 2540	2516	MSWDM.EXE	32
PID 2516 wrote to memory of 2540	2516	MSWDM.EXE	32
PID 2516 wrote to memory of 2540	2516	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1908
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1920
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devF3D.tmp!C:\Users\Admin\AppData\Local\Temp\37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\37433C83063A40BC8E312B87A1203620_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:3044
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devF3D.tmp!C:\Users\Admin\AppData\Local\Temp\37433C83063A40BC8E312B87A1203620_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37433C83063A40BC8E312B87A1203620_NEIKIANALYTICS.EXE

Filesize
64KB

MD5
74672cafa19c5aa1fc55c82579d0e24d

SHA1
06d4d6f1c1d0aa206a4625a29d5c84cf4e7d2b93

SHA256
b88016cdd2633dfb25c6e54138cfcde9ed043c3063111637e3b2f4e1eb555aa2

SHA512
be6d7af19c14ea5a9487ada4ee8b1ba89aed17f9188e28cd1085f6d0f5c87ada5a1b10b227a9f2feeec25c9bb5dde003ef44e7a8ed6cf428c41771ed56dac271

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
66d80d8f33e48c894755326fa6ba21dd

SHA1
2eba9f7bdbaa30817fa02b3644cb3c9a22ad5fdd

SHA256
10920efe3452a64993af20cb3d814c6b1d315c10d253d667da2e4354f5ec3a86

SHA512
88dcf79f6291febb93976d06a8c60a431f3bc8df03e74cb6e38d09cca0b71531827d40296eef823d95c001d2017bddcf740463492edbcb82e55edbd2ea22c86a

Download Submit
C:\Windows\devF3D.tmp

Filesize
25KB

MD5
abbd49c180a2f8703f6306d6fa731fdc

SHA1
d63f4bfe7f74936b2fbace803e3da6103fbf6586

SHA256
5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1

SHA512
290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

Download Submit
memory/1908-1-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1908-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1920-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1920-37-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2516-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2516-36-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2540-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3044-27-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads