6d8ca89c4aba982f2cfe02216a11697446eeaad5e5a6fabe10648f73b16b8ce2

General

Target

4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
Size

107KB
MD5

4001d60beeb865ab828fc65fd7ca9000
SHA1

91e4543d9ecda45883766283308efb6d7247fa5a
SHA256

6d8ca89c4aba982f2cfe02216a11697446eeaad5e5a6fabe10648f73b16b8ce2
SHA512

54575d192ca10bce1e53e7e46e923a93702e3e4ccf8072bd182809f681efd7ba5d68e192dd3a865d8f3f9f47acf054aa4ad0187cc6fcd457334c40e54a69ae9a
SSDEEP

3072:HQC/yj5JO3MnBG+pLK4ddJMY86ipmns6W:wlj7cMnw+NKCJMYE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4292	MSWDM.EXE
772	MSWDM.EXE
2952	4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE
4500	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev348D.tmp	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev348D.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
772	MSWDM.EXE
772	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 4292	4624	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	81
PID 4624 wrote to memory of 4292	4624	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	81
PID 4624 wrote to memory of 4292	4624	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	81
PID 4624 wrote to memory of 772	4624	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	82
PID 4624 wrote to memory of 772	4624	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	82
PID 4624 wrote to memory of 772	4624	4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe	82
PID 772 wrote to memory of 2952	772	MSWDM.EXE	83
PID 772 wrote to memory of 2952	772	MSWDM.EXE	83
PID 772 wrote to memory of 4500	772	MSWDM.EXE	84
PID 772 wrote to memory of 4500	772	MSWDM.EXE	84
PID 772 wrote to memory of 4500	772	MSWDM.EXE	84

C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4624
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4292
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev348D.tmp!C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev348D.tmp!C:\Users\Admin\AppData\Local\Temp\4001D60BEEB865AB828FC65FD7CA9000_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4001d60beeb865ab828fc65fd7ca9000_NeikiAnalytics.exe

Filesize
107KB

MD5
b4efe40b13cebdc31dc204f3b90ffbb3

SHA1
a2c5359df7390891061592e3a92f91a1c8101aad

SHA256
e98db6c2e1564227e5f6622aa9313c155d35bca8f95d80adeb6c68e0f53b01e0

SHA512
b924625935e47f902ce079c70418f09e6f4e89dd34ad79d70fab14dbe5686e4d58ebc8f002d47c932dbee82058b88b547513f9283c6039cf46472b71c408c7b2

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
2ad0ffa15d43c4e4eed93fed2a0c7cf6

SHA1
0e133283f17fb450252c8377f88f9e02d765279b

SHA256
9323e5bcad6008100e471a8f2ee36aa0ad44d92a4ccb013b99cb2792eed367af

SHA512
026d9f83368f2d46b10525941ccbee97916ac0f0fe8c8a277d879c7a77756590ef85781b1763ba810e254283a6d7e6bbd8ce1048b8927c06965f0d60a96727bc

Download Submit
C:\Windows\dev348D.tmp

Filesize
59KB

MD5
dfc18f7068913dde25742b856788d7ca

SHA1
cbaa23f782c2ddcd7c9ff024fd0b096952a2b387

SHA256
ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf

SHA512
d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Download Submit
memory/772-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/772-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4292-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4292-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4500-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4624-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4624-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads