69cb6f8d7a9de92e1b3088e34cac69af9832ffb8fda6c8eecd1680acd7cf0e5e

General

Target

37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
Size

64KB
MD5

37433c83063a40bc8e312b87a1203620
SHA1

88bd1c80974bce4e6cecb37179f82b5b178a389f
SHA256

69cb6f8d7a9de92e1b3088e34cac69af9832ffb8fda6c8eecd1680acd7cf0e5e
SHA512

9b333f1196ae6652dda6e6d8a3827fa86c3982dc3c97c25f436264802a7dc0d5889ae647f4b939430f6c4a8d99eb8707f2e2c6979b6b038a33f677c0cbb64cd2
SSDEEP

768:rxG9oZl+F4jHPoxj7/9OOrQqjNAwNx1YnS6hvyV6qwcM4MMPHdoSQQTRJPzkKAEi:rxG0+a0V7JCaTYnSGMkc/qSd/PwKAEi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3364	MSWDM.EXE
3224	MSWDM.EXE
1284	37433C83063A40BC8E312B87A1203620_NEIKIANALYTICS.EXE
1972	MSWDM.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1592-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3224-12-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3364-11-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1592-9-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x000b000000023385-7.dat	upx
behavioral2/memory/3224-25-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x0007000000023426-23.dat	upx
behavioral2/memory/1972-22-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3364-26-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev444C.tmp	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev444C.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3224	MSWDM.EXE
3224	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 3364	1592	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	85
PID 1592 wrote to memory of 3364	1592	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	85
PID 1592 wrote to memory of 3364	1592	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	85
PID 1592 wrote to memory of 3224	1592	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	86
PID 1592 wrote to memory of 3224	1592	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	86
PID 1592 wrote to memory of 3224	1592	37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe	86
PID 3224 wrote to memory of 1284	3224	MSWDM.EXE	87
PID 3224 wrote to memory of 1284	3224	MSWDM.EXE	87
PID 3224 wrote to memory of 1972	3224	MSWDM.EXE	89
PID 3224 wrote to memory of 1972	3224	MSWDM.EXE	89
PID 3224 wrote to memory of 1972	3224	MSWDM.EXE	89

C:\Users\Admin\AppData\Local\Temp\37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1592
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3364
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev444C.tmp!C:\Users\Admin\AppData\Local\Temp\37433c83063a40bc8e312b87a1203620_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\37433C83063A40BC8E312B87A1203620_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:1284
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev444C.tmp!C:\Users\Admin\AppData\Local\Temp\37433C83063A40BC8E312B87A1203620_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37433C83063A40BC8E312B87A1203620_NEIKIANALYTICS.EXE

Filesize
64KB

MD5
9f8c98f33ae3afe49aa24492d9f9f336

SHA1
ef56006eb87f8f5e78d3952f89942bd421ca8547

SHA256
f641e1af3aeed540c6698e37e354d7d1274e44eef1dd28e6ed6f297bfe498f6a

SHA512
70ffb68e68037cad26e439a74d8a0ae805583de8240342b8a732836b09dfbd89df91e992a92fa8fe0e5bfe56ab185c6242a8fe16d6e912dcb4957d3f1a749c67

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
39KB

MD5
66d80d8f33e48c894755326fa6ba21dd

SHA1
2eba9f7bdbaa30817fa02b3644cb3c9a22ad5fdd

SHA256
10920efe3452a64993af20cb3d814c6b1d315c10d253d667da2e4354f5ec3a86

SHA512
88dcf79f6291febb93976d06a8c60a431f3bc8df03e74cb6e38d09cca0b71531827d40296eef823d95c001d2017bddcf740463492edbcb82e55edbd2ea22c86a

Download Submit
C:\Windows\dev444C.tmp

Filesize
25KB

MD5
abbd49c180a2f8703f6306d6fa731fdc

SHA1
d63f4bfe7f74936b2fbace803e3da6103fbf6586

SHA256
5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1

SHA512
290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

Download Submit
memory/1284-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1592-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1592-9-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1972-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3224-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3224-25-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3364-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3364-26-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads