f2378ad4df77b051e2dea280e2de55688211e9d0735c3da698ae72375c18f7fd

General

Target

58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe
Size

89KB
MD5

58ed275b95e05d5f71c21b293a65cd30
SHA1

2c55c6f3380ee81052ee9e5eada9496ff42fd66b
SHA256

f2378ad4df77b051e2dea280e2de55688211e9d0735c3da698ae72375c18f7fd
SHA512

3893d3fe78ec36bf093f0f9564d87c466d429368b804e8ff95879586d37eb8e722679b6d7fabd4645465968b28e769b7991531635bea6fd72c52b8cf60bfd191
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FygG+s6EToa9D4ZQKbgZi1dst7x9PxO:HQC/yj5JO3MnygG+plZQKbgZi1St7xO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4752	MSWDM.EXE
3432	MSWDM.EXE
4420	58ED275B95E05D5F71C21B293A65CD30_NEIKIANALYTICS.EXE
2796	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev47A8.tmp	58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev47A8.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3432	MSWDM.EXE
3432	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 4752	3028	58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe	83
PID 3028 wrote to memory of 4752	3028	58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe	83
PID 3028 wrote to memory of 4752	3028	58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe	83
PID 3028 wrote to memory of 3432	3028	58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe	84
PID 3028 wrote to memory of 3432	3028	58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe	84
PID 3028 wrote to memory of 3432	3028	58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe	84
PID 3432 wrote to memory of 4420	3432	MSWDM.EXE	85
PID 3432 wrote to memory of 4420	3432	MSWDM.EXE	85
PID 3432 wrote to memory of 2796	3432	MSWDM.EXE	86
PID 3432 wrote to memory of 2796	3432	MSWDM.EXE	86
PID 3432 wrote to memory of 2796	3432	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3028
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4752
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev47A8.tmp!C:\Users\Admin\AppData\Local\Temp\58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Users\Admin\AppData\Local\Temp\58ED275B95E05D5F71C21B293A65CD30_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:4420
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev47A8.tmp!C:\Users\Admin\AppData\Local\Temp\58ED275B95E05D5F71C21B293A65CD30_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58ed275b95e05d5f71c21b293a65cd30_NeikiAnalytics.exe

Filesize
89KB

MD5
bdf3cdd9f9818aac1a6d07ae7de92daf

SHA1
2acbf1c7344a7369ae112f243065c719670aa2f8

SHA256
2d4b7b1953e24e8a2ae1b24c94ff957cd755ffb56a9cfc6f2272d9038c6118f8

SHA512
84f8923e964ba224d38b4f6731e07152c313fa813b82901ea6537c21baa2eb674988bde6cd1e77f6f455d26a18326d25918a2dd43055ea80a2a20a28d2d34c97

Download Submit
C:\Windows\MSWDM.EXE

Filesize
48KB

MD5
4aba1a7e415274e5ff9b6f2b0c2680be

SHA1
3048647e9fbe2095a286cba3f9819467fdcb977d

SHA256
bf1f8a20bf03c76ef650e1f92ffc413d73635963a1af34f60bfed662e3108955

SHA512
3d3726e752b73ad368698a467a99333322826f41dbdd382dfc5028c6aaacebe1f1fbf7b736fb00267d86d46ff7f0fd42f556bb0ade3c77dc1a9681c226ce9ca1

Download Submit
C:\Windows\dev47A8.tmp

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
memory/2796-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2796-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3028-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3028-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3432-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4752-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads