9e105f3ee01edcfd5c174761879f2ddc5fc5430a8fcedc65123b1a30cbe5438f

General

Target

410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
Size

538KB
MD5

410c78fc99472f90cfc29bcc59523410
SHA1

e77ef297adc80c66fb22e81aa07efb2e3800fd4f
SHA256

9e105f3ee01edcfd5c174761879f2ddc5fc5430a8fcedc65123b1a30cbe5438f
SHA512

9ed3668ea47dd8b4b09711726fa15f503883e9aa81efec21f83048129bee725010668188d7c508dc6b04eb139cf71976930bd6370d00aae216f754182b26014a
SSDEEP

12288:wlbk+h1gL5pRTcAkS/3hzN8qE43fm78VF:Wbk+w5jcAkSYqyEF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3056	MSWDM.EXE
1924	MSWDM.EXE
3000	410C78FC99472F90CFC29BCC59523410_NEIKIANALYTICS.EXE
1200	Process not Found
2528	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
3056	MSWDM.EXE
3020	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1FD0.tmp	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3056	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 1924	2956	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 1924	2956	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 1924	2956	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 1924	2956	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 3056	2956	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	29
PID 2956 wrote to memory of 3056	2956	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	29
PID 2956 wrote to memory of 3056	2956	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	29
PID 2956 wrote to memory of 3056	2956	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	29
PID 3056 wrote to memory of 3000	3056	MSWDM.EXE	30
PID 3056 wrote to memory of 3000	3056	MSWDM.EXE	30
PID 3056 wrote to memory of 3000	3056	MSWDM.EXE	30
PID 3056 wrote to memory of 3000	3056	MSWDM.EXE	30
PID 3056 wrote to memory of 2528	3056	MSWDM.EXE	32
PID 3056 wrote to memory of 2528	3056	MSWDM.EXE	32
PID 3056 wrote to memory of 2528	3056	MSWDM.EXE	32
PID 3056 wrote to memory of 2528	3056	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2956
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1924
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1FD0.tmp!C:\Users\Admin\AppData\Local\Temp\410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\410C78FC99472F90CFC29BCC59523410_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:3000
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1FD0.tmp!C:\Users\Admin\AppData\Local\Temp\410C78FC99472F90CFC29BCC59523410_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
dfebdec58d9656407cf2802dc1090113

SHA1
002a06590638c2be096e62a638b6747deecc55fe

SHA256
e311929da12614a80576548e58a25156d4064c815cde5dab5be1d0cd8b74e5f0

SHA512
069e725ed9fa3a2a918dd440fa84ced1c96859e3afba12684c2c35fc517cfb95ea5a075328a0f1e9b08f77deedf7217007ac4760a8d492c0c5194a70013ddc1c

Download Submit
C:\Windows\dev1FD0.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1924-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1924-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2528-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-13-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2956-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2956-33-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/3056-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads