3c041a86155c05c13d7e9a0f1e0323480353261bd18465e485511fb1de5f5b73

General

Target

2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe
Size

505KB
MD5

2312bf216cc4033599a3d7098f9289a0
SHA1

fd0c74506ec6510fbdecafc84480648512bc251b
SHA256

3c041a86155c05c13d7e9a0f1e0323480353261bd18465e485511fb1de5f5b73
SHA512

2b542efe9aad2689776056753a33df5f0f2463e174a958b8e93ff6f9dfd7f5de42141d4a3404d4a924d568b33ddb45d4c36da6208f2e73b902db0475e27e5c8e
SSDEEP

12288:wlbw+b1gL5pRTcAkS/3hzN8qE43fm78VG:Wbw+G5jcAkSYqyEG

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
448	MSWDM.EXE
1224	MSWDM.EXE
3452	2312BF216CC4033599A3D7098F9289A0_NEIKIANALYTICS.EXE
2524	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev46CD.tmp	2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev46CD.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1224	MSWDM.EXE
1224	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 448	528	2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe	82
PID 528 wrote to memory of 448	528	2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe	82
PID 528 wrote to memory of 448	528	2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe	82
PID 528 wrote to memory of 1224	528	2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe	83
PID 528 wrote to memory of 1224	528	2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe	83
PID 528 wrote to memory of 1224	528	2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe	83
PID 1224 wrote to memory of 3452	1224	MSWDM.EXE	84
PID 1224 wrote to memory of 3452	1224	MSWDM.EXE	84
PID 1224 wrote to memory of 2524	1224	MSWDM.EXE	86
PID 1224 wrote to memory of 2524	1224	MSWDM.EXE	86
PID 1224 wrote to memory of 2524	1224	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:528
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:448
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev46CD.tmp!C:\Users\Admin\AppData\Local\Temp\2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\2312BF216CC4033599A3D7098F9289A0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:3452
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev46CD.tmp!C:\Users\Admin\AppData\Local\Temp\2312BF216CC4033599A3D7098F9289A0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2312bf216cc4033599a3d7098f9289a0_NeikiAnalytics.exe

Filesize
505KB

MD5
2b3b07f7c155cca8fa27fe5180276580

SHA1
d24dc0a5afcc99ea601de7014db5b3f9d2289b28

SHA256
6abe26335eadad0973ab5d27a97993851ef6a06a2432deee60849571fbd03b3d

SHA512
f1239635c86e2476339bb86fafbcd78577c9ed5f7f2319bc9457d673814a23223a4d9afefc2d9692db15d9c771e52163ea524732d5d00413b3d498c85319d26a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
2ad0ffa15d43c4e4eed93fed2a0c7cf6

SHA1
0e133283f17fb450252c8377f88f9e02d765279b

SHA256
9323e5bcad6008100e471a8f2ee36aa0ad44d92a4ccb013b99cb2792eed367af

SHA512
026d9f83368f2d46b10525941ccbee97916ac0f0fe8c8a277d879c7a77756590ef85781b1763ba810e254283a6d7e6bbd8ce1048b8927c06965f0d60a96727bc

Download Submit
C:\Windows\dev46CD.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/448-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/528-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/528-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1224-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads