a805584cc4ccbe7773daa6f46306e0fca96289799c5ad519889627482292b16e

General

Target

319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe
Size

72KB
MD5

319bf63a01e8ed25bfde23433818b8a0
SHA1

cc08047619e76da8685e85bee239eb9bb0f7ebd0
SHA256

a805584cc4ccbe7773daa6f46306e0fca96289799c5ad519889627482292b16e
SHA512

b5cd1d4e3b1974d0bfbe9b4fb1fea1d139159619d79ff212312270fc338928393f590d49cc015583567fe894bdf15ab64912d4e92ec242809261bd4a3d61d68d
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4F2G+sxSd/PwKAE9:HQC/yj5JO3Mn2G+nPwKAE9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4988	MSWDM.EXE
4604	MSWDM.EXE
3560	319BF63A01E8ED25BFDE23433818B8A0_NEIKIANALYTICS.EXE
2944	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev594B.tmp	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev594B.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4604	MSWDM.EXE
4604	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4988	216	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	83
PID 216 wrote to memory of 4988	216	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	83
PID 216 wrote to memory of 4988	216	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	83
PID 216 wrote to memory of 4604	216	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	84
PID 216 wrote to memory of 4604	216	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	84
PID 216 wrote to memory of 4604	216	319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe	84
PID 4604 wrote to memory of 3560	4604	MSWDM.EXE	85
PID 4604 wrote to memory of 3560	4604	MSWDM.EXE	85
PID 4604 wrote to memory of 2944	4604	MSWDM.EXE	87
PID 4604 wrote to memory of 2944	4604	MSWDM.EXE	87
PID 4604 wrote to memory of 2944	4604	MSWDM.EXE	87

C:\Users\Admin\AppData\Local\Temp\319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:216
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4988
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev594B.tmp!C:\Users\Admin\AppData\Local\Temp\319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\319BF63A01E8ED25BFDE23433818B8A0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:3560
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev594B.tmp!C:\Users\Admin\AppData\Local\Temp\319BF63A01E8ED25BFDE23433818B8A0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\319BF63A01E8ED25BFDE23433818B8A0_NEIKIANALYTICS.EXE

Filesize
72KB

MD5
4888a10b9cdd289c6cdd4218588aba12

SHA1
e2ce9530c1df87f58f1ddae69bdd308ed6caa92d

SHA256
34b2d5a20185e5ab23bd79afe9663510e1369cf71fe2b752d0c9e643b515af61

SHA512
2763a3993e625acb2e680f9d1e5a887965aa7dc762c53d903ecb638d9c437954122214e2fa59abebe1d26d567540781d212b9c82732f2c0bd2a41c83b70788b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\319bf63a01e8ed25bfde23433818b8a0_NeikiAnalytics.exe

Filesize
25KB

MD5
abbd49c180a2f8703f6306d6fa731fdc

SHA1
d63f4bfe7f74936b2fbace803e3da6103fbf6586

SHA256
5f411c0bd9ed9a42b0f07ed568c7d0cf358a83063b225a1f8f7da3296dde90f1

SHA512
290dd984acc451b778f3db8c510bae7aec1d9547c3ad0a1829df731c136e4ecc9a37dc6a786cf8f1ecc4d14339aed1288af25055f450f6f953138c8d4d5c36e9

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
47KB

MD5
336ffd74e5eb29bc13e4e0f5de0cb57a

SHA1
fb3bab77482267f8880cd329d926a41d397d072d

SHA256
688c0c407e9651d4fb63017475f3ca304c7ff8c0185592c3a1d7d3b660098c79

SHA512
e8e70882eebbb5a602ac68a4a51a15c7d32d083b5c5717981a9b33d358e17411a0fee1294b631f29f0f5cf06e0ad86109198de6114ba364fdaac1e866a049d76

Download Submit
memory/216-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/216-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2944-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3560-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4604-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4604-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4988-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4988-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads