9d9629dc6f6ece6615f80b629f7944a33b9fc1fb8ebaf2e64ae8e053e76fdcb3

General

Target

65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
Size

1.7MB
MD5

65791fb5028800be7a2be147b5363400
SHA1

e1780566adbaa93ceca2e879840cce86f19e4536
SHA256

9d9629dc6f6ece6615f80b629f7944a33b9fc1fb8ebaf2e64ae8e053e76fdcb3
SHA512

4856d274b4672a2b6a5490e6ff1c135b805097b724ca86808118e85bfaeb30d99c7a016c05be4faa596953aa79834d8c8c9e50977cfec70ee2c3f9ff71b8dbda
SSDEEP

49152:mbTChxKCnFnQXBbrtgb/iQvu0UHOaYmLH:m6hxvWbrtUTrUHO2L

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2232 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

WdExt.exe

pid process

2256 WdExt.exe
Loads dropped DLL 4 IoCs

Processes:

65791fb5028800be7a2be147b5363400_NeikiAnalytics.execmd.exeWdExt.exe

pid process

1612 65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
1984 cmd.exe
1984 cmd.exe
2256 WdExt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

65791fb5028800be7a2be147b5363400_NeikiAnalytics.exeWdExt.exe

pid process

1612 65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
2256 WdExt.exe

pid	process
2232	cmd.exe

pid	process
2256	WdExt.exe

pid	process
1612	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
1984	cmd.exe
1984	cmd.exe
2256	WdExt.exe

pid	process
1612	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
2256	WdExt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

65791fb5028800be7a2be147b5363400_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 1984	1612	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 1612 wrote to memory of 1984	1612	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 1612 wrote to memory of 1984	1612	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 1612 wrote to memory of 1984	1612	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 1612 wrote to memory of 2232	1612	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 1612 wrote to memory of 2232	1612	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 1612 wrote to memory of 2232	1612	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 1612 wrote to memory of 2232	1612	65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe	cmd.exe
PID 1984 wrote to memory of 2256	1984	cmd.exe	WdExt.exe
PID 1984 wrote to memory of 2256	1984	cmd.exe	WdExt.exe
PID 1984 wrote to memory of 2256	1984	cmd.exe	WdExt.exe
PID 1984 wrote to memory of 2256	1984	cmd.exe	WdExt.exe

C:\Users\Admin\AppData\Local\Temp\65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\65791fb5028800be7a2be147b5363400_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
2⤵
- Deletes itself
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Se938B.tmp

Filesize
896B

MD5
be49ee9d1b6da594241ce3b7432c5d64

SHA1
d81e68b9bf84258af2e6b5595c4f5c8d53b9c901

SHA256
db66d62796ae12bf459e514f27bb1a0d416d804365f44e8ec53dd760e3f7b8b8

SHA512
0c15d8d86e0dfccbcecd50b3dd5906f8f5b7c52511128d01be82b394ccb08ed85a486a101bbb5d992a688d1e62f21fda712daef1bf3a5ecba9aad152e47562f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
453e5c4eeb58a99efb6c31b48781f9b7

SHA1
0a2017170c73f588fcd1df4997935bcd65925bc7

SHA256
780d66792e6b75883749777ad5e56e0604b6173fde3ec6fc64de6d1aba514ea3

SHA512
112780157f5a1557ff458ba34c5745e25689ecd42638055d639c29c0bece63b7c257f7828cc769b3652b98a33a63de605357bfbf9ab8421b69fa32bc479fffee

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
268B

MD5
ce83ab2dfe2e8b399c3d812ad8efe5d3

SHA1
dc67585ae14361030b65db227b5ca6073f1383e4

SHA256
4c6b44b19a63040bbe7df84a353ef204c57a5d7843f7bb3e3460e70b1948bfa0

SHA512
24276740c7a6c8d004f09318ba1a654eb62db66253ce4c65ae807873808712bd9bd096d16a8701ed1c3389105429e99df2439e99689108042f75b695d26e4153

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
684c111c78f8bf6fcb5575d400e7669c

SHA1
d587894c0beffdff00ae6d358a5463ef18bcb485

SHA256
080fb4cd0b92884c89efab9161685f3ba0666cd9dab8de6c752bfe35e4e45716

SHA512
bcf748d21be502d7346f56ffc9ef13f3394d46c679d7cf17289d007e91b4ead2ec4035b3ccd5626eb378958cbb6ac371edfde8319433db9b709694595ae53e4f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
26fe046da4ee5b39c314ab7ce19a45ca

SHA1
2620964bd22024033cabe1c794c8688e217d2992

SHA256
958959caf15b047ada78b73e880f3d4cf574ba676c2de216bcec88067bf25d3c

SHA512
5fb218c1250c2a4c01bccde4c683247ce96ae6660c492da6f9bcacef02165b703a992781a5a4c56dc64975268ed2075a5b59b832696f7563b9634e49fcbaf2f9

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/1612-0-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing