6d8ca89c4aba982f2cfe02216a11697446eeaad5e5a6fabe10648f73b16b8ce2

General

Target

4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
Size

107KB
MD5

4001d60beeb865ab828fc65fd7ca9000
SHA1

91e4543d9ecda45883766283308efb6d7247fa5a
SHA256

6d8ca89c4aba982f2cfe02216a11697446eeaad5e5a6fabe10648f73b16b8ce2
SHA512

54575d192ca10bce1e53e7e46e923a93702e3e4ccf8072bd182809f681efd7ba5d68e192dd3a865d8f3f9f47acf054aa4ad0187cc6fcd457334c40e54a69ae9a
SSDEEP

3072:HQC/yj5JO3MnBG+pLK4ddJMY86ipmns6W:wlj7cMnw+NKCJMYE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2980	MSWDM.EXE
2668	MSWDM.EXE
2648	4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE
2528	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2980	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev8D51.tmp	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev8D51.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2980	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2668	1284	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	28
PID 1284 wrote to memory of 2668	1284	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	28
PID 1284 wrote to memory of 2668	1284	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	28
PID 1284 wrote to memory of 2668	1284	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	28
PID 1284 wrote to memory of 2980	1284	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	29
PID 1284 wrote to memory of 2980	1284	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	29
PID 1284 wrote to memory of 2980	1284	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	29
PID 1284 wrote to memory of 2980	1284	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	29
PID 2980 wrote to memory of 2648	2980	MSWDM.EXE	30
PID 2980 wrote to memory of 2648	2980	MSWDM.EXE	30
PID 2980 wrote to memory of 2648	2980	MSWDM.EXE	30
PID 2980 wrote to memory of 2648	2980	MSWDM.EXE	30
PID 2980 wrote to memory of 2528	2980	MSWDM.EXE	31
PID 2980 wrote to memory of 2528	2980	MSWDM.EXE	31
PID 2980 wrote to memory of 2528	2980	MSWDM.EXE	31
PID 2980 wrote to memory of 2528	2980	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1284
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2668
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev8D51.tmp!C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2648
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev8D51.tmp!C:\Users\Admin\AppData\Local\Temp\4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE

Filesize
107KB

MD5
69b58884d5d412c305cd24e22b7c7c18

SHA1
31731887f2b8c64ca2bd06194cf65429697ad1ae

SHA256
ae68678de3738d0c1380c03270f66acdd24f2b7a410a3dfddb9c1d38d13012ea

SHA512
c5f3cf9763f538166ccbd72320aecc2f3226c4dc7d446c44d1e48612dfbc177eaa4ff96cbd09866673cbbab78adc9cebccbfa24adbe519b0e3fc33427f0149eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
2ad0ffa15d43c4e4eed93fed2a0c7cf6

SHA1
0e133283f17fb450252c8377f88f9e02d765279b

SHA256
9323e5bcad6008100e471a8f2ee36aa0ad44d92a4ccb013b99cb2792eed367af

SHA512
026d9f83368f2d46b10525941ccbee97916ac0f0fe8c8a277d879c7a77756590ef85781b1763ba810e254283a6d7e6bbd8ce1048b8927c06965f0d60a96727bc

Download Submit
memory/1284-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1284-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2528-28-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2528-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-22-0x00000000003C0000-0x00000000003DB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads