80fe77e1b3c1f63ea767b6570cd004871fcd65888c9b20ef1cf2bb1dd8b2f962

General

Target

3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe
Size

139KB
MD5

3056a5017b3cd30eea84b9bea96ba560
SHA1

82c62917ef34a867dad11003657eef67e783e5f9
SHA256

80fe77e1b3c1f63ea767b6570cd004871fcd65888c9b20ef1cf2bb1dd8b2f962
SHA512

b3f6b60fb6cf8ad5989c0d0506d371cc23f4dcf6f021fb181aa602bd93e8584ce9899427c049c1b71d6c80c4b00aac3b6fdbd7b6127bfb1456154517c984e5fc
SSDEEP

3072:HQC/yj5JO3MnyG+Hu54Fx4xE8YLK4ddJMY86ipmns6P:wlj7cMnr+OEXjKCJMYN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1704	MSWDM.EXE
3020	MSWDM.EXE
3064	3056A5017B3CD30EEA84B9BEA96BA560_NEIKIANALYTICS.EXE
2720	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
3020	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev167D.tmp	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev167D.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3020	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1704	2848	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe	28
PID 2848 wrote to memory of 1704	2848	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe	28
PID 2848 wrote to memory of 1704	2848	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe	28
PID 2848 wrote to memory of 1704	2848	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe	28
PID 2848 wrote to memory of 3020	2848	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe	29
PID 2848 wrote to memory of 3020	2848	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe	29
PID 2848 wrote to memory of 3020	2848	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe	29
PID 2848 wrote to memory of 3020	2848	3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe	29
PID 3020 wrote to memory of 3064	3020	MSWDM.EXE	30
PID 3020 wrote to memory of 3064	3020	MSWDM.EXE	30
PID 3020 wrote to memory of 3064	3020	MSWDM.EXE	30
PID 3020 wrote to memory of 3064	3020	MSWDM.EXE	30
PID 3020 wrote to memory of 2720	3020	MSWDM.EXE	31
PID 3020 wrote to memory of 2720	3020	MSWDM.EXE	31
PID 3020 wrote to memory of 2720	3020	MSWDM.EXE	31
PID 3020 wrote to memory of 2720	3020	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2848
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1704
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev167D.tmp!C:\Users\Admin\AppData\Local\Temp\3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\3056A5017B3CD30EEA84B9BEA96BA560_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:3064
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev167D.tmp!C:\Users\Admin\AppData\Local\Temp\3056A5017B3CD30EEA84B9BEA96BA560_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3056A5017B3CD30EEA84B9BEA96BA560_NEIKIANALYTICS.EXE

Filesize
139KB

MD5
8940cb86cba2cde101ea08565712e464

SHA1
cd439c09fe9694a8770ef17494edad95c49396b6

SHA256
14d8038371f3a6d0c6b27c8089f17a63dbf9eda495fc3c67c4726461f523154b

SHA512
9d98c4a282357ddb4a531a6bfdfbcaa822cf5629394f080a0aa3dc40b16c624a0cf0f7eb0d83baeb8fe179f577d91f819a941e72ad32bdbbc58cb9e6a3e6ced5

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
50ac91f3b660f098e3e74d8a4adc17bf

SHA1
ea3351008ef646fe6ad107aad472e325aa42681e

SHA256
d2eae58d3a1896f4e65fcb8a45137a22230d871038c3eb6aefaa852ea251cd41

SHA512
75822af757a1970d378a791428fec306130efb96a6750967ee2ea0f89e2dc484315264c11c988827906cea2bfbb78df1e201b40b19ec90e87d7a55579127003a

Download Submit
\Users\Admin\AppData\Local\Temp\3056a5017b3cd30eea84b9bea96ba560_NeikiAnalytics.exe

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
memory/1704-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1704-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2720-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3020-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3020-22-0x00000000002D0000-0x00000000002EB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads