53db91ad8c88f48646ed23a31d2d9d2a15c28f7dd4985e1fab22524fcecfeca3

General

Target

46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe
Size

82KB
MD5

46aac4ba1410576a3f61dac2b2c1c710
SHA1

44921c323bcdc29f5f78debc225cf36965f27882
SHA256

53db91ad8c88f48646ed23a31d2d9d2a15c28f7dd4985e1fab22524fcecfeca3
SHA512

c4043f335263d575444f2ff160741125fa0a04832d285eca43492ff086c44a0a706a5602e6d7ac97888e262b58802d60aaa3d557938dcf38a07b038c6cafd547
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FBG+ss0Ao/VZl8WCfsEK:HQC/yj5JO3MnBG+joN5CfsL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2420	MSWDM.EXE
1964	MSWDM.EXE
2668	46AAC4BA1410576A3F61DAC2B2C1C710_NEIKIANALYTICS.EXE
2672	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
1964	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1EB7.tmp	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1EB7.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1964	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2420	2436	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe	28
PID 2436 wrote to memory of 2420	2436	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe	28
PID 2436 wrote to memory of 2420	2436	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe	28
PID 2436 wrote to memory of 2420	2436	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe	28
PID 2436 wrote to memory of 1964	2436	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe	29
PID 2436 wrote to memory of 1964	2436	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe	29
PID 2436 wrote to memory of 1964	2436	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe	29
PID 2436 wrote to memory of 1964	2436	46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2668	1964	MSWDM.EXE	30
PID 1964 wrote to memory of 2668	1964	MSWDM.EXE	30
PID 1964 wrote to memory of 2668	1964	MSWDM.EXE	30
PID 1964 wrote to memory of 2668	1964	MSWDM.EXE	30
PID 1964 wrote to memory of 2672	1964	MSWDM.EXE	32
PID 1964 wrote to memory of 2672	1964	MSWDM.EXE	32
PID 1964 wrote to memory of 2672	1964	MSWDM.EXE	32
PID 1964 wrote to memory of 2672	1964	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2436
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2420
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1EB7.tmp!C:\Users\Admin\AppData\Local\Temp\46aac4ba1410576a3f61dac2b2c1c710_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\46AAC4BA1410576A3F61DAC2B2C1C710_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2668
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1EB7.tmp!C:\Users\Admin\AppData\Local\Temp\46AAC4BA1410576A3F61DAC2B2C1C710_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46AAC4BA1410576A3F61DAC2B2C1C710_NEIKIANALYTICS.EXE

Filesize
82KB

MD5
f015d0fdf70b976db84d3a40414d90f6

SHA1
cb2ab446f525118907578205de7b42ffe1c1a524

SHA256
dab4469318d3ee1304802c3815ca95762e2baf6118f43bf32428ce2657215239

SHA512
1d7557fe8f1b9215212758dae93b8c10cdd32f496e67446d0ee3713ea43044f3bb193abd7767687bbc77fd14d6301d0c5ec73ab39adfe1fa078e009069bbbdbc

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
2ad0ffa15d43c4e4eed93fed2a0c7cf6

SHA1
0e133283f17fb450252c8377f88f9e02d765279b

SHA256
9323e5bcad6008100e471a8f2ee36aa0ad44d92a4ccb013b99cb2792eed367af

SHA512
026d9f83368f2d46b10525941ccbee97916ac0f0fe8c8a277d879c7a77756590ef85781b1763ba810e254283a6d7e6bbd8ce1048b8927c06965f0d60a96727bc

Download Submit
C:\Windows\dev1EB7.tmp

Filesize
35KB

MD5
6a7c4dc0fe5a8a33154566b5071b47c4

SHA1
265a1bcc6b6a6be7a7ad35194fb4984d7bb7ef88

SHA256
152944690bb39772fc594430205be704f7068c7a4bbcbe58074ebceab9911cf4

SHA512
8340ed45634757d05c95031541e8f655aabc7c7f4eab2caaf623c8b34bd0b2b08bb2c30f5f34faaee176b18730607308d492b1be10e098837fb6a450f344cf3e

Download Submit
memory/1964-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-24-0x00000000001E0000-0x00000000001FB000-memory.dmp

Filesize
108KB

Download
memory/1964-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2436-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2436-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2672-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads