6f337d41313544c5dc0262947527f08f002d7976ec260fc3890adacebd481521

General

Target

a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe
Size

81KB
MD5

a8cd05b77ba2c53a3ce15fd745fb3440
SHA1

6d3082b60fd19c03d8873cbf8db6b3b7f4178930
SHA256

6f337d41313544c5dc0262947527f08f002d7976ec260fc3890adacebd481521
SHA512

3284bbb4655fd1ce6ea40d83a8c215f8280ec0fcf6df3ab0fe7962133dbebd0afbac5de1d5ad693aa08cff3a0a3df77314e93e5499f8e667af8306cf8a59d277
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FMG+seOBJlZsuHc+fBEo:HQC/yj5JO3MnMG+HOBDau8+fBB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3504	MSWDM.EXE
4068	MSWDM.EXE
2460	A8CD05B77BA2C53A3CE15FD745FB3440_NEIKIANALYTICS.EXE
1444	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe
File opened for modification	C:\Windows\devEA60.tmp	a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe
File opened for modification	C:\Windows\devEA60.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4068	MSWDM.EXE
4068	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 3504	3420	a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe	92
PID 3420 wrote to memory of 3504	3420	a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe	92
PID 3420 wrote to memory of 3504	3420	a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe	92
PID 3420 wrote to memory of 4068	3420	a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe	93
PID 3420 wrote to memory of 4068	3420	a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe	93
PID 3420 wrote to memory of 4068	3420	a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe	93
PID 4068 wrote to memory of 2460	4068	MSWDM.EXE	94
PID 4068 wrote to memory of 2460	4068	MSWDM.EXE	94
PID 4068 wrote to memory of 2460	4068	MSWDM.EXE	94
PID 4068 wrote to memory of 1444	4068	MSWDM.EXE	96
PID 4068 wrote to memory of 1444	4068	MSWDM.EXE	96
PID 4068 wrote to memory of 1444	4068	MSWDM.EXE	96

C:\Users\Admin\AppData\Local\Temp\a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3420
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3504
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devEA60.tmp!C:\Users\Admin\AppData\Local\Temp\a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\A8CD05B77BA2C53A3CE15FD745FB3440_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2460
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devEA60.tmp!C:\Users\Admin\AppData\Local\Temp\A8CD05B77BA2C53A3CE15FD745FB3440_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3668,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a8cd05b77ba2c53a3ce15fd745fb3440_NeikiAnalytics.exe

Filesize
81KB

MD5
492f13d30bfbca09b39aed30dc7fc195

SHA1
f8e3ea9fafc9fe2b249dc38a9a1698d5af8046f4

SHA256
09ac36935e593285ec40faa9a9d425c9ca3fa9fcd0f4346884b6b7e5a349314e

SHA512
9a785d6f3854ab3cf003f17797d80dc9ff99869cd945316d4681fa8ca5326549010c172f825689db49a910747ba6edf4a97a5a0b4b495da98b32f9de34d6cf43

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
5f8d409983914065297cec4d27496caa

SHA1
8cf39ec61445061b7642d36613de97c12850d821

SHA256
685ff783e760bf7ecffd7f2cf55e6f30d979703b7fa5e1138642c85d9741ed46

SHA512
b83a4763d6dfd579cac7960d623d7a94e0b4b9c5b12a58ba0f2422d71fdee2d97d8a7f163b12f2441273471d26389e885ff944ab3f27b78e8af36e6f8beb853c

Download Submit
C:\Windows\devEA60.tmp

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
memory/1444-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1444-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3420-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3420-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3504-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3504-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4068-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4068-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads