62d660c53b5a1cbcd0f26522a72560b636e72504be70be1807e0f7bf851a5e6a

General

Target

085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
Size

497KB
MD5

085308cca9a84765b02ec5b603f015f0
SHA1

d6c7a285898e0127f065cbf23dffefa55d013cb2
SHA256

62d660c53b5a1cbcd0f26522a72560b636e72504be70be1807e0f7bf851a5e6a
SHA512

c1c820d791e26ba4d331da3d4db392c46b1dff3599d0aedabca91b0205d4257c3e05d98c507b4b502bcf3eec6added48e041dc45af49c390d224003bd4a85967
SSDEEP

6144:J89MAfjz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1faym:+D1gL5pRTcAkS/3hzN8qE43fm78Va

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4908	MSWDM.EXE
232	MSWDM.EXE
3452	085308CCA9A84765B02EC5B603F015F0_NEIKIANALYTICS.EXE
696	MSWDM.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4976-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x0008000000023286-3.dat	upx
behavioral2/memory/4976-10-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/232-12-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4908-11-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/696-17-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x000700000002341e-20.dat	upx
behavioral2/memory/232-25-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/696-22-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4908-26-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev470B.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev470B.tmp	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
232	MSWDM.EXE
232	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4908	4976	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	82
PID 4976 wrote to memory of 4908	4976	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	82
PID 4976 wrote to memory of 4908	4976	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	82
PID 4976 wrote to memory of 232	4976	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	83
PID 4976 wrote to memory of 232	4976	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	83
PID 4976 wrote to memory of 232	4976	085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe	83
PID 232 wrote to memory of 3452	232	MSWDM.EXE	84
PID 232 wrote to memory of 3452	232	MSWDM.EXE	84
PID 232 wrote to memory of 696	232	MSWDM.EXE	86
PID 232 wrote to memory of 696	232	MSWDM.EXE	86
PID 232 wrote to memory of 696	232	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4976
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4908
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev470B.tmp!C:\Users\Admin\AppData\Local\Temp\085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\085308CCA9A84765B02EC5B603F015F0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:3452
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev470B.tmp!C:\Users\Admin\AppData\Local\Temp\085308CCA9A84765B02EC5B603F015F0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\085308cca9a84765b02ec5b603f015f0_NeikiAnalytics.exe

Filesize
497KB

MD5
c43249cad8c5e7fae5604cbbc7778e88

SHA1
e3db7416aab7340c3a7f6a10cb0315c5e696b70c

SHA256
a0abffe9eb33d6cf51700799cbfb0741947400acb33da5d0221f392b6127f370

SHA512
04b2c17d415ae168e1e61546e7e08d79faa1c38df5e6232c33f11710a787d2674150ad6727d20d0288a3c758b2539ea107ea7467c1b43070258442c71d36b599

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
66d80d8f33e48c894755326fa6ba21dd

SHA1
2eba9f7bdbaa30817fa02b3644cb3c9a22ad5fdd

SHA256
10920efe3452a64993af20cb3d814c6b1d315c10d253d667da2e4354f5ec3a86

SHA512
88dcf79f6291febb93976d06a8c60a431f3bc8df03e74cb6e38d09cca0b71531827d40296eef823d95c001d2017bddcf740463492edbcb82e55edbd2ea22c86a

Download Submit
C:\Windows\dev470B.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/232-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/232-25-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/696-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/696-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4908-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4908-26-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4976-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4976-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads