Analysis
max time kernel: 17s
max time network: 123s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 29/05/2024, 07:45
Behavioral task: behavioral1
Sample: 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
Size: 738KB
MD5: 4b4d9f23293f2a5a0be3a3e680977ac0
SHA1: beb42405eab03b2ee529c3ebf51d81f2718da40e
SHA256: c72f3f17d1d8dcd619bfdd3b67e834c91ba8a4d1cda1a4ef1cbda0763d153166
SHA512: b913970926b33201e911544393cbda4fdf0cf22119c128787f94f8d83d9d9ce5baeac8bd9d34754a58204ae697d8c1174c9cf834b15470b5a4dcabd57992d87b
SSDEEP: 12288:q51xNSiZbbSoCU5qJSr1eWPUntBB0sP0MugCAjHUzTsh2:q51xNSi1SoCU5qJSr1eWPSCsP0MugC6E
Signatures

Executes dropped EXE (5 IoCs)
pid | Process
3056 | MSWDM.EXE
1144 | MSWDM.EXE
2664 | 4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE
1196 | Process not Found
2504 | MSWDM.EXE
Loads dropped DLL (2 IoCs)
pid | Process
3056 | MSWDM.EXE
3056 | MSWDM.EXE
resource | yara_rule
behavioral1/memory/1968-11-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/files/0x000c0000000122ee-12.dat | upx
behavioral1/memory/3056-22-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1144-23-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1968-0-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/files/0x000a000000016591-31.dat | upx
behavioral1/memory/3056-32-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2504-30-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1144-33-0x0000000000400000-0x0000000000429000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\WINDOWS\MSWDM.EXE | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
File opened for modification | C:\Windows\dev1B9C.tmp | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
File opened for modification | C:\Windows\dev1B9C.tmp | MSWDM.EXE
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
3056 | MSWDM.EXE
Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 1968 wrote to memory of 1144 | 1968 | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | 28
PID 1968 wrote to memory of 1144 | 1968 | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | 28
PID 1968 wrote to memory of 1144 | 1968 | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | 28
PID 1968 wrote to memory of 1144 | 1968 | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | 28
PID 1968 wrote to memory of 3056 | 1968 | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | 29
PID 1968 wrote to memory of 3056 | 1968 | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | 29
PID 1968 wrote to memory of 3056 | 1968 | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | 29
PID 1968 wrote to memory of 3056 | 1968 | 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe | 29
PID 3056 wrote to memory of 2664 | 3056 | MSWDM.EXE | 30
PID 3056 wrote to memory of 2664 | 3056 | MSWDM.EXE | 30
PID 3056 wrote to memory of 2664 | 3056 | MSWDM.EXE | 30
PID 3056 wrote to memory of 2664 | 3056 | MSWDM.EXE | 30
PID 3056 wrote to memory of 2504 | 3056 | MSWDM.EXE | 31
PID 3056 wrote to memory of 2504 | 3056 | MSWDM.EXE | 31
PID 3056 wrote to memory of 2504 | 3056 | MSWDM.EXE | 31
PID 3056 wrote to memory of 2504 | 3056 | MSWDM.EXE | 31
Processes

[1] C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1968

    [2] C:\WINDOWS\MSWDM.EXE
        command line: "C:\WINDOWS\MSWDM.EXE"
        - Executes dropped EXE
        - Adds Run key to start application
        PID: 1144

    [2] C:\WINDOWS\MSWDM.EXE
        command line: -r!C:\Windows\dev1B9C.tmp!C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe! !
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 3056

        [3] C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE
            - Executes dropped EXE
            PID: 2664

        [3] C:\WINDOWS\MSWDM.EXE
            command line: -e!C:\Windows\dev1B9C.tmp!C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE!
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 2504
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 574KB
MD5: 6503efe0a01c2d50c97be27f3cb10a43
SHA1: a0cb3708603a18f02352d01ec672020e5bad5073
SHA256: 0cf9864ae3a8679ed503f954a453452c93fa44f99ca6f39bbc5860abde7fd35e
SHA512: ebdbc553ba4348676fd3f2ca12e48af53a229b449a36e653dbfca90efb34d21033e41d1157dcca28c2b1e5f91368c0839298992247cf7d2e8feca5feab8ecea4

Filesize: 738KB
MD5: 7773466d12176502f9cb8f5c0fc446db
SHA1: 1294700f0cbf4e4e0e542aaa37bec665edf64a57
SHA256: aa0d09a1b1d0dca61ff07b37dbe49198e72c0aa168e46c61b542af33398b23a8
SHA512: e07628145ca10964983d8e3d99cf9533fa3ca4afb63c9cea05b23ac1998626fbf20114b12fe17d9c8a39fa526706d01e1ca3c005baa26fc7e5c4a3de8239e5c6

Filesize: 164KB
MD5: c63b4134b74602a3c45a65664b08d981
SHA1: 395e802be36cc24865439eac672ddf85733aafaf
SHA256: 2495dffa440d3090c798cb22a73a8beacb063221b2a894f7fbc62a4b6d5b4a58
SHA512: 82894f5428ae58cfdbcf2c3ef9d08dfe533d91c67b290f875337196f731137c38ca855293caa6c9568ed510564a5fc71372f38d3edeae0a7036dd57265d122dd