8958cfdc3a18228e5a401dcf539796cec2c3bad1569b79f11f98abe5a69e85a2

General

Target

3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe
Size

84KB
MD5

3c88b0a21133f8ce6b720f614df73a10
SHA1

14bcf5dc620b9f5e363453b20a7cc264055c6239
SHA256

8958cfdc3a18228e5a401dcf539796cec2c3bad1569b79f11f98abe5a69e85a2
SHA512

7b11533b0a0167de72359a9f7bb5cea780c5e805e174e8374c999b781325a05953b24017d11ae129253a39d4573374af817974ee68c01bbd9c020b1bdf471c8b
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FEgG+sxriw+d9bHrkT5gUHz7FxtM:HQC/yj5JO3MnEgG+2rBkfkT5xHz2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2164	MSWDM.EXE
1968	MSWDM.EXE
2588	3C88B0A21133F8CE6B720F614DF73A10_NEIKIANALYTICS.EXE
2636	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2164	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1A25.tmp	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev1A25.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2164	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1968	2320	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 1968	2320	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 1968	2320	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 1968	2320	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 2164	2320	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe	29
PID 2320 wrote to memory of 2164	2320	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe	29
PID 2320 wrote to memory of 2164	2320	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe	29
PID 2320 wrote to memory of 2164	2320	3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe	29
PID 2164 wrote to memory of 2588	2164	MSWDM.EXE	30
PID 2164 wrote to memory of 2588	2164	MSWDM.EXE	30
PID 2164 wrote to memory of 2588	2164	MSWDM.EXE	30
PID 2164 wrote to memory of 2588	2164	MSWDM.EXE	30
PID 2164 wrote to memory of 2636	2164	MSWDM.EXE	31
PID 2164 wrote to memory of 2636	2164	MSWDM.EXE	31
PID 2164 wrote to memory of 2636	2164	MSWDM.EXE	31
PID 2164 wrote to memory of 2636	2164	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2320
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1968
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1A25.tmp!C:\Users\Admin\AppData\Local\Temp\3c88b0a21133f8ce6b720f614df73a10_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\3C88B0A21133F8CE6B720F614DF73A10_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1A25.tmp!C:\Users\Admin\AppData\Local\Temp\3C88B0A21133F8CE6B720F614DF73A10_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3C88B0A21133F8CE6B720F614DF73A10_NEIKIANALYTICS.EXE

Filesize
84KB

MD5
c1220bb10f7f85c9c5dbfcfe90cfc39c

SHA1
b52836f7aad3a8be8aa5eb9040b15d1a26e0f784

SHA256
7a77339eebcc66a964dcc1d401364f9c9476cf01395d4f0f316147d57dff612f

SHA512
681319657f7abfc0fa31cef8fe738c3b440def606e64fc0131554f6df221d5f76731f896e4de897eb24cfa3a0c08284692ddefd9f3b53a43478acbbc640e5e68

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
f4871db701f2f349a7f36900e00b121b

SHA1
082a2eb8046374e7b2640476dbf06d930d6fa7a6

SHA256
637b124aaf67bdbc8af370c7c157ea6cb2b4aabb62305c266287ca775561ed5c

SHA512
c9b437f1136036a430fca4de57f0f74244e299c118759a502e0df1be25de02a5cdad897a7d3181cb940f65b157f526935ed13cc1305dc24759fe57b9e58df40b

Download Submit
C:\Windows\dev1A25.tmp

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
memory/1968-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2164-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2164-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-8-0x00000000002D0000-0x00000000002EB000-memory.dmp

Filesize
108KB

Download
memory/2320-13-0x00000000002D0000-0x00000000002EB000-memory.dmp

Filesize
108KB

Download
memory/2320-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-34-0x00000000002D0000-0x00000000002EB000-memory.dmp

Filesize
108KB

Download
memory/2636-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads