8971323d7d380d7becdcd829346b72dff0a6b3b91e9002413f3b1c18067a3463

General

Target

5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe
Size

497KB
MD5

5f3c3c130fb8f5de4c333d9596d78840
SHA1

8473ed5547201184d134eaad88b7e54e08bddf39
SHA256

8971323d7d380d7becdcd829346b72dff0a6b3b91e9002413f3b1c18067a3463
SHA512

324644d144169db5f492f12aa6788212944d9f74afc506fe662813d3b18b09f332759991b919770d47d9574c68a38faa934c33cccf4560030ef2fb58f1052e7b
SSDEEP

6144:J89MAfjz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayl:+D1gL5pRTcAkS/3hzN8qE43fm78Vh

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE5F3C3C130FB8F5DE4C333D9596D78840_NEIKIANALYTICS.EXEMSWDM.EXE

pid process

2300 MSWDM.EXE
2472 MSWDM.EXE
2596 5F3C3C130FB8F5DE4C333D9596D78840_NEIKIANALYTICS.EXE
2644 MSWDM.EXE
Loads dropped DLL 2 IoCs

Processes:

MSWDM.EXE

pid process

2472 MSWDM.EXE
2536

pid	process
2300	MSWDM.EXE
2472	MSWDM.EXE
2596	5F3C3C130FB8F5DE4C333D9596D78840_NEIKIANALYTICS.EXE
2644	MSWDM.EXE

pid	process
2472	MSWDM.EXE
2536

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2276-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Windows\MSWDM.EXE	upx
behavioral1/memory/2276-14-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2300-17-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2472-16-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2644-30-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\5F3C3C130FB8F5DE4C333D9596D78840_NEIKIANALYTICS.EXE	upx
behavioral1/memory/2472-33-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2300-34-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe
File opened for modification	C:\Windows\devC6F.tmp	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe
File opened for modification	C:\Windows\devC6F.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

2472 MSWDM.EXE

pid	process
2472	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exeMSWDM.EXE

description	pid	process	target process
PID 2276 wrote to memory of 2300	2276	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe	MSWDM.EXE
PID 2276 wrote to memory of 2300	2276	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe	MSWDM.EXE
PID 2276 wrote to memory of 2300	2276	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe	MSWDM.EXE
PID 2276 wrote to memory of 2300	2276	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe	MSWDM.EXE
PID 2276 wrote to memory of 2472	2276	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe	MSWDM.EXE
PID 2276 wrote to memory of 2472	2276	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe	MSWDM.EXE
PID 2276 wrote to memory of 2472	2276	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe	MSWDM.EXE
PID 2276 wrote to memory of 2472	2276	5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe	MSWDM.EXE
PID 2472 wrote to memory of 2596	2472	MSWDM.EXE	5F3C3C130FB8F5DE4C333D9596D78840_NEIKIANALYTICS.EXE
PID 2472 wrote to memory of 2596	2472	MSWDM.EXE	5F3C3C130FB8F5DE4C333D9596D78840_NEIKIANALYTICS.EXE
PID 2472 wrote to memory of 2596	2472	MSWDM.EXE	5F3C3C130FB8F5DE4C333D9596D78840_NEIKIANALYTICS.EXE
PID 2472 wrote to memory of 2596	2472	MSWDM.EXE	5F3C3C130FB8F5DE4C333D9596D78840_NEIKIANALYTICS.EXE
PID 2472 wrote to memory of 2644	2472	MSWDM.EXE	MSWDM.EXE
PID 2472 wrote to memory of 2644	2472	MSWDM.EXE	MSWDM.EXE
PID 2472 wrote to memory of 2644	2472	MSWDM.EXE	MSWDM.EXE
PID 2472 wrote to memory of 2644	2472	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2276

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2300

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\devC6F.tmp!C:\Users\Admin\AppData\Local\Temp\5f3c3c130fb8f5de4c333d9596d78840_NeikiAnalytics.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\5F3C3C130FB8F5DE4C333D9596D78840_NEIKIANALYTICS.EXE
3⤵
- Executes dropped EXE
PID:2596

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\devC6F.tmp!C:\Users\Admin\AppData\Local\Temp\5F3C3C130FB8F5DE4C333D9596D78840_NEIKIANALYTICS.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5F3C3C130FB8F5DE4C333D9596D78840_NEIKIANALYTICS.EXE

Filesize
497KB

MD5
bb923be1d6f9c3202b2ee1af02529132

SHA1
00cd56a3f298e6e2b70d480f47d787e8de31dabb

SHA256
d7afcd9a2c932389e76a25b1226ad2af75b91c2da8f7fa2e9cae8fdc22325d47

SHA512
60bc0f3bc942092698534a3aa030ba4016680685810d45967fa32a1e834047d4391b7c2dfa576ee34be67a0c9d8a25b9b30fe4d778d7041c1295e49347a2ebe3

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
66d80d8f33e48c894755326fa6ba21dd

SHA1
2eba9f7bdbaa30817fa02b3644cb3c9a22ad5fdd

SHA256
10920efe3452a64993af20cb3d814c6b1d315c10d253d667da2e4354f5ec3a86

SHA512
88dcf79f6291febb93976d06a8c60a431f3bc8df03e74cb6e38d09cca0b71531827d40296eef823d95c001d2017bddcf740463492edbcb82e55edbd2ea22c86a

Download Submit
C:\Windows\devC6F.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2276-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2276-6-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/2276-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2300-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2300-34-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2472-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2472-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2644-30-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads