979533b9dd57eb22d4ba378b515d51d966ed9c914ac7a759adb24eb597933f68

General

Target

66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe
Size

139KB
MD5

66a54f22be55c972f8efbf4fa6938770
SHA1

1d3811d1c6de14ee140e6e7b25838430ad5a3ea0
SHA256

979533b9dd57eb22d4ba378b515d51d966ed9c914ac7a759adb24eb597933f68
SHA512

5c98ef765e25c84df6d1a876dfee7d2400b6c5779e71d8541b3c02f7ed71fb0f038209e46d9beb466b462ff1bca3829717e1d074990b042380bd699a49db6aa7
SSDEEP

3072:HQC/yj5JO3MnzG+Hu54Fx4xE8GLK4ddJMY86iCmEYFRxs3:wlj7cMnq+OEXVKCJMZU3

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE66A54F22BE55C972F8EFBF4FA6938770_NEIKIANALYTICS.EXEMSWDM.EXE

pid process

516 MSWDM.EXE
1220 MSWDM.EXE
992 66A54F22BE55C972F8EFBF4FA6938770_NEIKIANALYTICS.EXE
4372 MSWDM.EXE

pid	process
516	MSWDM.EXE
1220	MSWDM.EXE
992	66A54F22BE55C972F8EFBF4FA6938770_NEIKIANALYTICS.EXE
4372	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev4EDB.tmp	66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev4EDB.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

1220 MSWDM.EXE
1220 MSWDM.EXE

pid	process
1220	MSWDM.EXE
1220	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exeMSWDM.EXE

description	pid	process	target process
PID 4296 wrote to memory of 516	4296	66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe	MSWDM.EXE
PID 4296 wrote to memory of 516	4296	66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe	MSWDM.EXE
PID 4296 wrote to memory of 516	4296	66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe	MSWDM.EXE
PID 4296 wrote to memory of 1220	4296	66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe	MSWDM.EXE
PID 4296 wrote to memory of 1220	4296	66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe	MSWDM.EXE
PID 4296 wrote to memory of 1220	4296	66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe	MSWDM.EXE
PID 1220 wrote to memory of 992	1220	MSWDM.EXE	66A54F22BE55C972F8EFBF4FA6938770_NEIKIANALYTICS.EXE
PID 1220 wrote to memory of 992	1220	MSWDM.EXE	66A54F22BE55C972F8EFBF4FA6938770_NEIKIANALYTICS.EXE
PID 1220 wrote to memory of 4372	1220	MSWDM.EXE	MSWDM.EXE
PID 1220 wrote to memory of 4372	1220	MSWDM.EXE	MSWDM.EXE
PID 1220 wrote to memory of 4372	1220	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4296

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:516

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev4EDB.tmp!C:\Users\Admin\AppData\Local\Temp\66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\66A54F22BE55C972F8EFBF4FA6938770_NEIKIANALYTICS.EXE
3⤵
- Executes dropped EXE
PID:992

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev4EDB.tmp!C:\Users\Admin\AppData\Local\Temp\66A54F22BE55C972F8EFBF4FA6938770_NEIKIANALYTICS.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66a54f22be55c972f8efbf4fa6938770_NeikiAnalytics.exe

Filesize
139KB

MD5
4edc44d60955131f90792b0b6c8e3c00

SHA1
d626ba2e93cf75909b1cd5cf08eee30f6bde9397

SHA256
8fe06f34689337c55a9e809b45d039a5db6b504fb3e2959a1d897eefd2641192

SHA512
d08dfb307b0492ed55b1a11d7f154165b294721b52e4d29341406931a7d5cc4d355e97f85c7500afaaca077bd0155e01759a2fc40d4c4b5175cd06a9a91d6370

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
68e2b3feafd08549d8065f0d7bdf7428

SHA1
33f40e4b8d55ab73d5697f9a89b96451fd684ec9

SHA256
0034a4b9e1272561a35b942a07d3cf5b6203f2a43b526f7a3f0bb9597b70cb56

SHA512
7c6687f89338b237687c02927df93068e66d684a29ed7726f12fa083f31b9359e63771566e8279d4242e5357e9036d2bd8ecffb839ad6d09270d995e4665935f

Download Submit
C:\Windows\dev4EDB.tmp

Filesize
59KB

MD5
902bb8a161b8ef0610fcfede4ec190e5

SHA1
31277bd740a0ecd64b42cd39cb2a117478b90028

SHA256
2564a4298eb56d3c5b41c8b4105f97df19b46613461b7b143dc053d5490074df

SHA512
627c48607e8fb7f6abd23e69a20e699c673aafa007cbb3460f894db71ac48ecb9a96c03f0b73b765b0eb482a54ec0d5b0965ff3682b631d6c53ec3edd487cdaf

Download Submit
memory/516-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1220-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4296-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4296-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4372-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads