81e1fc3019e7d37096977ea66e03dd675132b66c48c740294af3d6bba278d61b

General

Target

728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe
Size

2.2MB
MD5

728c0520e9525879c09caabd0dbe0c00
SHA1

279903e6718f3659adac1f103028f615e2575e21
SHA256

81e1fc3019e7d37096977ea66e03dd675132b66c48c740294af3d6bba278d61b
SHA512

88f3ef7975eac94867486fc609890e8bd7c37939e331163f2b6c90cd78f0890bae44a7463ab2604613fd45947bd56ff1b2aa7649036a1cd4bbfb582237901fbc
SSDEEP

49152:Wb3+2CbRquA/m2yL5zbfFiV+XenmE3/z7:Wb3+7oq2Vjnm8

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXEMSWDM.EXE

pid process

2284 MSWDM.EXE
1612 MSWDM.EXE
2672 728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
2688 MSWDM.EXE
Loads dropped DLL 2 IoCs

Processes:

MSWDM.EXE

pid process

2284 MSWDM.EXE
2668

pid	process
2284	MSWDM.EXE
1612	MSWDM.EXE
2672	728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
2688	MSWDM.EXE

pid	process
2284	MSWDM.EXE
2668

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

Processes:

728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev2424.tmp	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

2284 MSWDM.EXE

pid	process
2284	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exeMSWDM.EXE

description	pid	process	target process
PID 620 wrote to memory of 1612	620	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 620 wrote to memory of 1612	620	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 620 wrote to memory of 1612	620	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 620 wrote to memory of 1612	620	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 620 wrote to memory of 2284	620	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 620 wrote to memory of 2284	620	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 620 wrote to memory of 2284	620	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 620 wrote to memory of 2284	620	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 2284 wrote to memory of 2672	2284	MSWDM.EXE	728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
PID 2284 wrote to memory of 2672	2284	MSWDM.EXE	728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
PID 2284 wrote to memory of 2672	2284	MSWDM.EXE	728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
PID 2284 wrote to memory of 2672	2284	MSWDM.EXE	728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
PID 2284 wrote to memory of 2688	2284	MSWDM.EXE	MSWDM.EXE
PID 2284 wrote to memory of 2688	2284	MSWDM.EXE	MSWDM.EXE
PID 2284 wrote to memory of 2688	2284	MSWDM.EXE	MSWDM.EXE
PID 2284 wrote to memory of 2688	2284	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:620

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1612

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev2424.tmp!C:\Users\Admin\AppData\Local\Temp\728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
3⤵
- Executes dropped EXE
PID:2672

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev2424.tmp!C:\Users\Admin\AppData\Local\Temp\728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE!
3⤵
- Executes dropped EXE
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
b6ed302a7f427fcdaf187c6c3e94c910

SHA1
274b1bf1a66d5ce2f0dda87e112760537f91765e

SHA256
6620c0d624e5d6c08f754d597f69d69b743e618806054170f0df725f5be169ba

SHA512
482b94f41c5c1a2a18cfbfb3053cc2b36b7364086178d5f12bfb5c3c27957021ae016ca699ec0ab3003ce2d5365d26ba9e2244001cfbf716f6590a402b7d77b7

Download Submit
\Users\Admin\AppData\Local\Temp\728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe

Filesize
2.1MB

MD5
b8d69fa2755c3ab1f12f8866a8e2a4f7

SHA1
8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d

SHA256
7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd

SHA512
5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

Download Submit
memory/620-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/620-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1612-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1612-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2284-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2284-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2688-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads