81e1fc3019e7d37096977ea66e03dd675132b66c48c740294af3d6bba278d61b

General

Target

728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe
Size

2.2MB
MD5

728c0520e9525879c09caabd0dbe0c00
SHA1

279903e6718f3659adac1f103028f615e2575e21
SHA256

81e1fc3019e7d37096977ea66e03dd675132b66c48c740294af3d6bba278d61b
SHA512

88f3ef7975eac94867486fc609890e8bd7c37939e331163f2b6c90cd78f0890bae44a7463ab2604613fd45947bd56ff1b2aa7649036a1cd4bbfb582237901fbc
SSDEEP

49152:Wb3+2CbRquA/m2yL5zbfFiV+XenmE3/z7:Wb3+7oq2Vjnm8

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXEMSWDM.EXE

pid process

2924 MSWDM.EXE
3912 MSWDM.EXE
752 728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
3804 MSWDM.EXE

pid	process
2924	MSWDM.EXE
3912	MSWDM.EXE
752	728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
3804	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSWDM.EXE728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev40C2.tmp	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev40C2.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

3912 MSWDM.EXE
3912 MSWDM.EXE

pid	process
3912	MSWDM.EXE
3912	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exeMSWDM.EXE

description	pid	process	target process
PID 3572 wrote to memory of 2924	3572	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 3572 wrote to memory of 2924	3572	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 3572 wrote to memory of 2924	3572	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 3572 wrote to memory of 3912	3572	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 3572 wrote to memory of 3912	3572	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 3572 wrote to memory of 3912	3572	728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe	MSWDM.EXE
PID 3912 wrote to memory of 752	3912	MSWDM.EXE	728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
PID 3912 wrote to memory of 752	3912	MSWDM.EXE	728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
PID 3912 wrote to memory of 3804	3912	MSWDM.EXE	MSWDM.EXE
PID 3912 wrote to memory of 3804	3912	MSWDM.EXE	MSWDM.EXE
PID 3912 wrote to memory of 3804	3912	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3572

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2924

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev40C2.tmp!C:\Users\Admin\AppData\Local\Temp\728c0520e9525879c09caabd0dbe0c00_NeikiAnalytics.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\Temp\728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE
3⤵
- Executes dropped EXE
PID:752

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev40C2.tmp!C:\Users\Admin\AppData\Local\Temp\728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\728C0520E9525879C09CAABD0DBE0C00_NEIKIANALYTICS.EXE

Filesize
2.2MB

MD5
6c20c07b48011b0e775e84052fa61d85

SHA1
ac01bb7b1b574df5b698cfcf42d497f77717b398

SHA256
efabab26bcaaac7e3f460338802b8f7b6739cb8880827e570522767f883bf6cc

SHA512
decde33f23ab2c7c79cb5b8382edd20eb6d1cbdac16a7ad307c4d16be45529900addeb58853257f69efe62cd9791e77d5c5c346868e8ac2bb20a910388aaf820

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
b6ed302a7f427fcdaf187c6c3e94c910

SHA1
274b1bf1a66d5ce2f0dda87e112760537f91765e

SHA256
6620c0d624e5d6c08f754d597f69d69b743e618806054170f0df725f5be169ba

SHA512
482b94f41c5c1a2a18cfbfb3053cc2b36b7364086178d5f12bfb5c3c27957021ae016ca699ec0ab3003ce2d5365d26ba9e2244001cfbf716f6590a402b7d77b7

Download Submit
C:\Windows\dev40C2.tmp

Filesize
2.1MB

MD5
b8d69fa2755c3ab1f12f8866a8e2a4f7

SHA1
8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d

SHA256
7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd

SHA512
5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

Download Submit
memory/2924-25-0x0000000000840000-0x0000000000846000-memory.dmp

Filesize
24KB

Download
memory/2924-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3572-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3572-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3804-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3912-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3912-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads