62d660c53b5a1cbcd0f26522a72560b636e72504be70be1807e0f7bf851a5e6a

General

Target

085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
Size

497KB
MD5

085308cca9a84765b02ec5b603f015f0
SHA1

d6c7a285898e0127f065cbf23dffefa55d013cb2
SHA256

62d660c53b5a1cbcd0f26522a72560b636e72504be70be1807e0f7bf851a5e6a
SHA512

c1c820d791e26ba4d331da3d4db392c46b1dff3599d0aedabca91b0205d4257c3e05d98c507b4b502bcf3eec6added48e041dc45af49c390d224003bd4a85967
SSDEEP

6144:J89MAfjz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1faym:+D1gL5pRTcAkS/3hzN8qE43fm78Va

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1796	MSWDM.EXE
2184	MSWDM.EXE
1980	085308CCA9A84765B02EC5B603F015F0_NEIKIANALYTICS.EXE
2644	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2184	MSWDM.EXE
2528	Process not Found

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3000-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000c000000012671-5.dat	upx
behavioral1/memory/1796-15-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2184-16-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/3000-12-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2644-29-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000d000000015659-25.dat	upx
behavioral1/memory/2184-32-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1796-33-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev2185.tmp	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev2185.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2184	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1796	3000	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1796	3000	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1796	3000	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1796	3000	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 2184	3000	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	29
PID 3000 wrote to memory of 2184	3000	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	29
PID 3000 wrote to memory of 2184	3000	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	29
PID 3000 wrote to memory of 2184	3000	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	29
PID 2184 wrote to memory of 1980	2184	MSWDM.EXE	30
PID 2184 wrote to memory of 1980	2184	MSWDM.EXE	30
PID 2184 wrote to memory of 1980	2184	MSWDM.EXE	30
PID 2184 wrote to memory of 1980	2184	MSWDM.EXE	30
PID 2184 wrote to memory of 2644	2184	MSWDM.EXE	32
PID 2184 wrote to memory of 2644	2184	MSWDM.EXE	32
PID 2184 wrote to memory of 2644	2184	MSWDM.EXE	32
PID 2184 wrote to memory of 2644	2184	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3000
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1796
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev2185.tmp!C:\Users\Admin\AppData\Local\Temp\085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\085308CCA9A84765B02EC5B603F015F0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:1980
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev2185.tmp!C:\Users\Admin\AppData\Local\Temp\085308CCA9A84765B02EC5B603F015F0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\085308CCA9A84765B02EC5B603F015F0_NEIKIANALYTICS.EXE

Filesize
497KB

MD5
cc0fe853423550c4ce6ab946d5c260e1

SHA1
8f5712f3bbc6f6b6e84291b9cf96b9292bfa4e63

SHA256
b9c84621b1df2ef03a956189d8cd1dc9c61748256101ce6e3c9544bb41dab09a

SHA512
f0f4c6483a7bdaa8c42372aa9c1485dd871777663eab9587d9ccd7042cb2145c03ed1edd1c17bec65b7a5a9fc8ca489515b46832b5446f9c3cc9a05ed3b98d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
66d80d8f33e48c894755326fa6ba21dd

SHA1
2eba9f7bdbaa30817fa02b3644cb3c9a22ad5fdd

SHA256
10920efe3452a64993af20cb3d814c6b1d315c10d253d667da2e4354f5ec3a86

SHA512
88dcf79f6291febb93976d06a8c60a431f3bc8df03e74cb6e38d09cca0b71531827d40296eef823d95c001d2017bddcf740463492edbcb82e55edbd2ea22c86a

Download Submit
memory/1796-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1796-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2184-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2184-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2644-29-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3000-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3000-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads