600b6df1fa279556cb7bfcbba34a3fc80c04e85f0b1923de0318b06b5f1ca955

General

Target

080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe
Size

25KB
MD5

080d6cb9a1b7d17f5047d64a739a4670
SHA1

ec817d6a722ed59c550b16b7099f46174352982f
SHA256

600b6df1fa279556cb7bfcbba34a3fc80c04e85f0b1923de0318b06b5f1ca955
SHA512

614bedc411f76d5c6f472f9627c5dd525a144235949488214ba37975f8aa4f8c06814bc4684bd4d726834d26eabf2fabada12b1c110f2b1faac3c14b6cbf5121
SSDEEP

768:UBFE+nTSdCrp9GcTkGggzc+CMw1MJt/D:A7nTSQwcTAgQrMw1MHD

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2572 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

wuaucldt.exewuaucldt.exe

pid process

2992 wuaucldt.exe
3000 wuaucldt.exe

pid	process
2572	cmd.exe

pid	process
2992	wuaucldt.exe
3000	wuaucldt.exe

Loads dropped DLL 4 IoCs

Processes:

080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exewuaucldt.exe

pid	process
2928	080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe
2928	080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe
2992	wuaucldt.exe
2992	wuaucldt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wuaucldt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe"	wuaucldt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe"	wuaucldt.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exewuaucldt.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\wuaucldt.exe	080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe
File created	\??\c:\windows\SysWOW64\wuaucldt.exe	wuaucldt.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wuaucldt.exe

description pid process target process

PID 3000 set thread context of 1916 3000 wuaucldt.exe svchost.exe

description	pid	process	target process
PID 3000 set thread context of 1916	3000	wuaucldt.exe	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exewuaucldt.exewuaucldt.exe

description	pid	process	target process
PID 2928 wrote to memory of 2992	2928	080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe	wuaucldt.exe
PID 2928 wrote to memory of 2992	2928	080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe	wuaucldt.exe
PID 2928 wrote to memory of 2992	2928	080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe	wuaucldt.exe
PID 2928 wrote to memory of 2992	2928	080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe	wuaucldt.exe
PID 2992 wrote to memory of 3000	2992	wuaucldt.exe	wuaucldt.exe
PID 2992 wrote to memory of 3000	2992	wuaucldt.exe	wuaucldt.exe
PID 2992 wrote to memory of 3000	2992	wuaucldt.exe	wuaucldt.exe
PID 2992 wrote to memory of 3000	2992	wuaucldt.exe	wuaucldt.exe
PID 3000 wrote to memory of 1916	3000	wuaucldt.exe	svchost.exe
PID 3000 wrote to memory of 1916	3000	wuaucldt.exe	svchost.exe
PID 3000 wrote to memory of 1916	3000	wuaucldt.exe	svchost.exe
PID 3000 wrote to memory of 1916	3000	wuaucldt.exe	svchost.exe
PID 3000 wrote to memory of 1916	3000	wuaucldt.exe	svchost.exe
PID 3000 wrote to memory of 1916	3000	wuaucldt.exe	svchost.exe
PID 2928 wrote to memory of 2572	2928	080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe	cmd.exe
PID 2928 wrote to memory of 2572	2928	080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe	cmd.exe
PID 2928 wrote to memory of 2572	2928	080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe	cmd.exe
PID 2928 wrote to memory of 2572	2928	080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe	cmd.exe
PID 2992 wrote to memory of 2688	2992	wuaucldt.exe	cmd.exe
PID 2992 wrote to memory of 2688	2992	wuaucldt.exe	cmd.exe
PID 2992 wrote to memory of 2688	2992	wuaucldt.exe	cmd.exe
PID 2992 wrote to memory of 2688	2992	wuaucldt.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2928

\??\c:\windows\SysWOW64\wuaucldt.exe
c:\windows\system32\wuaucldt.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2992

\??\c:\users\admin\wuaucldt.exe
c:\users\admin\wuaucldt.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Writes to the Master Boot Record (MBR)
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del c:\windows\syswow64\wuaucldt.exe
3⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del c:\users\admin\appdata\local\temp\080D6C~1.EXE
2⤵
- Deletes itself
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\wuaucldt.exe

Filesize
25KB

MD5
080d6cb9a1b7d17f5047d64a739a4670

SHA1
ec817d6a722ed59c550b16b7099f46174352982f

SHA256
600b6df1fa279556cb7bfcbba34a3fc80c04e85f0b1923de0318b06b5f1ca955

SHA512
614bedc411f76d5c6f472f9627c5dd525a144235949488214ba37975f8aa4f8c06814bc4684bd4d726834d26eabf2fabada12b1c110f2b1faac3c14b6cbf5121

Download Submit
memory/1916-22-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1916-25-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1916-31-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1916-30-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1916-27-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1916-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1916-32-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2928-0-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download
memory/3000-20-0x0000000070000000-0x000000007000B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads