9e105f3ee01edcfd5c174761879f2ddc5fc5430a8fcedc65123b1a30cbe5438f

General

Target

410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
Size

538KB
MD5

410c78fc99472f90cfc29bcc59523410
SHA1

e77ef297adc80c66fb22e81aa07efb2e3800fd4f
SHA256

9e105f3ee01edcfd5c174761879f2ddc5fc5430a8fcedc65123b1a30cbe5438f
SHA512

9ed3668ea47dd8b4b09711726fa15f503883e9aa81efec21f83048129bee725010668188d7c508dc6b04eb139cf71976930bd6370d00aae216f754182b26014a
SSDEEP

12288:wlbk+h1gL5pRTcAkS/3hzN8qE43fm78VF:Wbk+w5jcAkSYqyEF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3560	MSWDM.EXE
2124	MSWDM.EXE
1404	410C78FC99472F90CFC29BCC59523410_NEIKIANALYTICS.EXE
4500	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev4A38.tmp	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev4A38.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2124	MSWDM.EXE
2124	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 3560	3268	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	85
PID 3268 wrote to memory of 3560	3268	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	85
PID 3268 wrote to memory of 3560	3268	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	85
PID 3268 wrote to memory of 2124	3268	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	86
PID 3268 wrote to memory of 2124	3268	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	86
PID 3268 wrote to memory of 2124	3268	410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe	86
PID 2124 wrote to memory of 1404	2124	MSWDM.EXE	87
PID 2124 wrote to memory of 1404	2124	MSWDM.EXE	87
PID 2124 wrote to memory of 4500	2124	MSWDM.EXE	89
PID 2124 wrote to memory of 4500	2124	MSWDM.EXE	89
PID 2124 wrote to memory of 4500	2124	MSWDM.EXE	89

C:\Users\Admin\AppData\Local\Temp\410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3268
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3560
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev4A38.tmp!C:\Users\Admin\AppData\Local\Temp\410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\410C78FC99472F90CFC29BCC59523410_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:1404
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev4A38.tmp!C:\Users\Admin\AppData\Local\Temp\410C78FC99472F90CFC29BCC59523410_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\410c78fc99472f90cfc29bcc59523410_NeikiAnalytics.exe

Filesize
538KB

MD5
82593f9fda2222fd516cbc59a2ed54f3

SHA1
b4d4d7f537b4d1e4b37c641701dec1fa6933406a

SHA256
eb74492891a203354838c3ae0440687d488e86d8a6e270c77160b9142735e4ac

SHA512
4a01ca5feca4ddebc73cdac2a448b8655d0a22e650b6c00a7e31dfcd6451b53e1f6ea8842f4916d546ed13391aed17efeb315bca2222b3c9ca975cd417e42e49

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
dfebdec58d9656407cf2802dc1090113

SHA1
002a06590638c2be096e62a638b6747deecc55fe

SHA256
e311929da12614a80576548e58a25156d4064c815cde5dab5be1d0cd8b74e5f0

SHA512
069e725ed9fa3a2a918dd440fa84ced1c96859e3afba12684c2c35fc517cfb95ea5a075328a0f1e9b08f77deedf7217007ac4760a8d492c0c5194a70013ddc1c

Download Submit
C:\Windows\dev4A38.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2124-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2124-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3268-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3268-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3560-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4500-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads