a805584cc4ccbe7773daa6f46306e0fca96289799c5ad519889627482292b16e

General

Target

319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe
Size

72KB
MD5

319bf63a01e8ed25bfde23433818b8a0
SHA1

cc08047619e76da8685e85bee239eb9bb0f7ebd0
SHA256

a805584cc4ccbe7773daa6f46306e0fca96289799c5ad519889627482292b16e
SHA512

b5cd1d4e3b1974d0bfbe9b4fb1fea1d139159619d79ff212312270fc338928393f590d49cc015583567fe894bdf15ab64912d4e92ec242809261bd4a3d61d68d
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4F2G+sxSd/PwKAE9:HQC/yj5JO3Mn2G+nPwKAE9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1880	MSWDM.EXE
2960	MSWDM.EXE
2568	319BF63A01E8ED25BFDE23433818B8A0_NEIKIANALYTICS.EXE
2544	MSWDM.EXE

Loads dropped DLL 3 IoCs

pid	Process
1880	MSWDM.EXE
1880	MSWDM.EXE
2572	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev8B8.tmp	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev8B8.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1880	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2960	2004	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	28
PID 2004 wrote to memory of 2960	2004	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	28
PID 2004 wrote to memory of 2960	2004	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	28
PID 2004 wrote to memory of 2960	2004	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	28
PID 2004 wrote to memory of 1880	2004	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	29
PID 2004 wrote to memory of 1880	2004	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	29
PID 2004 wrote to memory of 1880	2004	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	29
PID 2004 wrote to memory of 1880	2004	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	29
PID 1880 wrote to memory of 2568	1880	MSWDM.EXE	30
PID 1880 wrote to memory of 2568	1880	MSWDM.EXE	30
PID 1880 wrote to memory of 2568	1880	MSWDM.EXE	30
PID 1880 wrote to memory of 2568	1880	MSWDM.EXE	30
PID 1880 wrote to memory of 2544	1880	MSWDM.EXE	32
PID 1880 wrote to memory of 2544	1880	MSWDM.EXE	32
PID 1880 wrote to memory of 2544	1880	MSWDM.EXE	32
PID 1880 wrote to memory of 2544	1880	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2004
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2960
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev8B8.tmp!C:\Users\Admin\AppData\Local\Temp\319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\319BF63A01E8ED25BFDE23433818B8A0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2568
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev8B8.tmp!C:\Users\Admin\AppData\Local\Temp\319BF63A01E8ED25BFDE23433818B8A0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\319BF63A01E8ED25BFDE23433818B8A0_NEIKIANALYTICS.EXE

Filesize
72KB

MD5
925f25d6090e70c5d3fc909a66e0851f

SHA1
fa3cbde123775dada566209c68d68db35dfa4842

SHA256
b2cacf5bf59665910f97a0c3873361f67cb264784d90ec8eb3986aa1e4c03d54

SHA512
c8a6a2e75491b0aa198cb5ea7ba6046de19a9d64b5bf14c4b76624c1860c6bf8192ef0e56ef416c258abc3e245164c10c803f1a4418c08118a52232ecc09984e

Download Submit
C:\Users\Admin\AppData\Local\Temp\319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe

Filesize
25KB

MD5
abbd49c180a2f8703f6306d6fa731fdc

SHA1
d63f4bfe7f74936b2fbace803e3da6103fbf6586

SHA256
5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1

SHA512
290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
336ffd74e5eb29bc13e4e0f5de0cb57a

SHA1
fb3bab77482267f8880cd329d926a41d397d072d

SHA256
688c0c407e9651d4fb63017475f3ca304c7ff8c0185592c3a1d7d3b660098c79

SHA512
e8e70882eebbb5a602ac68a4a51a15c7d32d083b5c5717981a9b33d358e17411a0fee1294b631f29f0f5cf06e0ad86109198de6114ba364fdaac1e866a049d76

Download Submit
memory/1880-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1880-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2004-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2004-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2544-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-27-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2960-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2960-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads