Analysis
max time kernel: 21s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/05/2024, 07:45
Behavioral task behavioral1
Sample: 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task behavioral2
Sample: 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
The signatures, memory dumps and process tree on this page all carry the behavioral2 prefix, i.e. they come from the Windows 10 2004 x64 run; the behavioral1 (Windows 7) results are not reproduced here.
General
Target: 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
Size: 738KB
MD5: 4b4d9f23293f2a5a0be3a3e680977ac0
SHA1: beb42405eab03b2ee529c3ebf51d81f2718da40e
SHA256: c72f3f17d1d8dcd619bfdd3b67e834c91ba8a4d1cda1a4ef1cbda0763d153166
SHA512: b913970926b33201e911544393cbda4fdf0cf22119c128787f94f8d83d9d9ce5baeac8bd9d34754a58204ae697d8c1174c9cf834b15470b5a4dcabd57992d87b
SSDEEP: 12288:q51xNSiZbbSoCU5qJSr1eWPUntBB0sP0MugCAjHUzTsh2:q51xNSi1SoCU5qJSr1eWPSCsP0MugC6E
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  PID 2372  MSWDM.EXE
  PID 3904  MSWDM.EXE
  PID 3952  4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE
  PID 2212  MSWDM.EXE

YARA rule match: upx (8 IoCs)
  behavioral2/memory/4204-0-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral2/files/0x00060000000232a4-7.dat
  behavioral2/memory/4204-9-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral2/memory/3904-10-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral2/files/0x0007000000023404-17.dat
  behavioral2/memory/2212-18-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral2/memory/3904-20-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral2/memory/2372-21-0x0000000000400000-0x0000000000429000-memory.dmp
  The rule fires on the submitted sample's own mapped image (PID 4204), on every MSWDM.EXE instance (2372, 3904, 2212) and on two dropped files. Every memory match covers the same 0x400000-0x429000 range, so the packed module is the same size in each process.

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          by 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  by 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          by MSWDM.EXE
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  by MSWDM.EXE
  Notes: the value data is a bare file name with no directory, so what runs at logon is whatever "MSWDM.EXE" resolves to through the CreateProcess search order, and that order includes the Windows directory where the file is dropped. The writes land in the WOW6432Node view because the writing processes are 32-bit and the registry redirector puts them there; Run values in that view are processed at logon just like the native ones. RunServices is a Windows 9x-era key that NT-based Windows does not read, so on this platform the Run value is the effective persistence; the RunServices write is still a usable fingerprint. The two TTPs are not itemised on this page; Run-key persistence is ATT&CK T1547.001.

Drops file in Windows directory (3 IoCs)
  File created                  C:\WINDOWS\MSWDM.EXE    by 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
  File opened for modification  C:\Windows\dev4CF7.tmp  by 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe
  File opened for modification  C:\Windows\dev4CF7.tmp  by MSWDM.EXE
  Note: writing directly into %SystemRoot% needs an administrative token (the sandbox runs the sample as the Admin user); under a standard user account these writes are denied.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3904  MSWDM.EXE  (2 events)

Suspicious use of WriteProcessMemory (11 IoCs)
  writer PID 4204 (4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe) -> target PID 2372, procid_target 83  (3 events)
  writer PID 4204 (4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe) -> target PID 3904, procid_target 84  (3 events)
  writer PID 3904 (MSWDM.EXE) -> target PID 3952, procid_target 85  (2 events)
  writer PID 3904 (MSWDM.EXE) -> target PID 2212, procid_target 86  (3 events)
  Note: every writer/target pair is a parent/child pair in the process tree, so these events are consistent with process creation as instrumented by the sandbox rather than injection into an unrelated process.
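Detection logic for the two tables above (the autorun writes and the Windows-directory drops), as an added example that is not part of the sandbox report. It assumes a flat event record with type/path/data/process fields, which is this example's own layout and not any sensor's schema; the events are reconstructed from the report's IoC lines, plus one constructed benign Run entry as noise. The rule it demonstrates is the correlation a hunter wants here: an autorun value whose data is a bare file name, backed by a file of that name written into the Windows directory during the same trace.

```python
"""Hunt for the persistence pattern in this report: a Run/RunServices value
whose data is a bare file name, paired with a file of that name dropped into
the Windows directory. Added example; not part of the sandbox report."""
import re
from collections import OrderedDict

# Value writes under any of the classic autorun keys, in either registry view
# (the WOW6432Node level is simply part of the path and needs no special case).
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce)\\([^\\]+)$",
    re.IGNORECASE,
)
# A file directly in <drive>:\Windows, not in a subdirectory.
WINDOWS_ROOT_FILE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe"
DROPPER = r"C:\WINDOWS\MSWDM.EXE"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM"
RUNSVC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM"

# Constructed event list, modelled on the report's "Adds Run key" and "Drops
# file in Windows directory" tables, plus one benign autorun write as noise.
# The field names (type/path/data/process) are an assumption of this example,
# not a real sensor schema.
EVENTS = [
    {"type": "file_create", "path": DROPPER, "process": SAMPLE},
    {"type": "file_modify", "path": r"C:\Windows\dev4CF7.tmp", "process": SAMPLE},
    {"type": "reg_set", "path": RUN_KEY, "data": "MSWDM.EXE", "process": SAMPLE},
    {"type": "reg_set", "path": RUNSVC_KEY, "data": "MSWDM.EXE", "process": SAMPLE},
    {"type": "reg_set", "path": RUN_KEY, "data": "MSWDM.EXE", "process": DROPPER},
    {"type": "reg_set", "path": RUNSVC_KEY, "data": "MSWDM.EXE", "process": DROPPER},
    {"type": "file_modify", "path": r"C:\Windows\dev4CF7.tmp", "process": DROPPER},
    {"type": "reg_set",  # constructed benign entry: full path, nothing dropped
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"%windir%\system32\SecurityHealthSystray.exe",
     "process": r"C:\Windows\System32\msiexec.exe"},
]


def autorun_writes(events):
    """Every value written under an autorun key: (value_name, data, writer)."""
    hits = []
    for ev in events:
        if ev["type"] != "reg_set":
            continue
        m = AUTORUN_KEY_RE.search(ev["path"])
        if m:
            hits.append((m.group(2), ev["data"], ev["process"]))
    return hits


def windows_root_drops(events):
    """Files created or modified directly in the Windows directory: (path, writer)."""
    return [(ev["path"], ev["process"]) for ev in events
            if ev["type"] in ("file_create", "file_modify")
            and WINDOWS_ROOT_FILE_RE.match(ev["path"])]


def bare_name_autoruns_backed_by_drops(events):
    """Autorun values whose data is a bare file name (no directory component)
    that matches a file this trace wrote into the Windows directory.

    A bare name in a Run value is resolved through CreateProcess's search
    order, which includes the Windows directory, so the dropped copy is what
    starts at the next logon. Returns [(value_name, resolved_path, [writers])]."""
    dropped = {path.rsplit("\\", 1)[1].lower(): path
               for path, _ in windows_root_drops(events)}
    findings = OrderedDict()
    for name, data, writer in autorun_writes(events):
        if "\\" in data or "/" in data:
            continue  # an explicit path; not the pattern this rule is after
        resolved = dropped.get(data.strip('"').lower())
        if resolved:
            findings.setdefault((name, resolved), set()).add(writer)
    return [(name, path, sorted(w)) for (name, path), w in findings.items()]


if __name__ == "__main__":
    for name, path, writers in bare_name_autoruns_backed_by_drops(EVENTS):
        print(f"autorun value {name!r} -> {path} (written by {len(writers)} processes)")
```

Run as a script it reports the single WDM finding, resolved to C:\WINDOWS\MSWDM.EXE and written by both the sample and MSWDM.EXE; the benign SecurityHealth entry is counted as an autorun write but never correlated, because its data carries a full path.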
Processes

Nesting follows the report's depth markers (1, 2, 3); each entry gives the image path, the command line as recorded, the PID and the signatures attributed to that process.

1  C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe  (PID 4204)
   command line: "C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2  C:\WINDOWS\MSWDM.EXE  (PID 2372)
      command line: "C:\WINDOWS\MSWDM.EXE"
      - Executes dropped EXE
      - Adds Run key to start application

   2  C:\WINDOWS\MSWDM.EXE  (PID 3904)
      command line: -r!C:\Windows\dev4CF7.tmp!C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe! !
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE  (PID 3952)
         - Executes dropped EXE

      3  C:\WINDOWS\MSWDM.EXE  (PID 2212)
         command line: -e!C:\Windows\dev4CF7.tmp!C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE!
         - Executes dropped EXE
         - Drops file in Windows directory

Reading the chain: the submitted sample (4204) writes C:\WINDOWS\MSWDM.EXE, sets the WDM autorun values, opens C:\Windows\dev4CF7.tmp for modification and then starts MSWDM.EXE twice, once with no arguments (2372, which sets the same autorun values again) and once with -r!<tmp>!<sample path>! ! (3904). That instance enumerates processes, starts a process from the sample's own path spelled in upper case (3952; the report flags it as a dropped executable, so the file at that path was written during the run) and starts a third MSWDM.EXE with -e!<tmp>!<upper-case path>! (2212), which again modifies dev4CF7.tmp. The report does not say what -r and -e do; the observable to pivot on is the same temporary file and the sample's own path being handed to both invocations.
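An added example, not part of the sandbox report, that rebuilds the parent/child chain from the text of the WriteProcessMemory table and decodes the "!"-delimited argument convention MSWDM.EXE is launched with. The WPM lines are quoted from the report; the image/argument split per PID follows the tree above and is this example's own representation. What the -r and -e modes mean is not stated on the page and is not assumed here.

```python
"""Rebuild the process chain from the report's WriteProcessMemory table and
decode the argument convention MSWDM.EXE is launched with. Added example; not
part of the sandbox report."""
import re

WPM_LINE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Quoted from the report's "Suspicious use of WriteProcessMemory" table, one
# event per line. The same writer/target pair repeats because the sandbox
# logs several writes per process creation.
WPM_TEXT = """\
PID 4204 wrote to memory of 2372 4204 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe 83
PID 4204 wrote to memory of 2372 4204 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe 83
PID 4204 wrote to memory of 2372 4204 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe 83
PID 4204 wrote to memory of 3904 4204 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe 84
PID 4204 wrote to memory of 3904 4204 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe 84
PID 4204 wrote to memory of 3904 4204 4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe 84
PID 3904 wrote to memory of 3952 3904 MSWDM.EXE 85
PID 3904 wrote to memory of 3952 3904 MSWDM.EXE 85
PID 3904 wrote to memory of 2212 3904 MSWDM.EXE 86
PID 3904 wrote to memory of 2212 3904 MSWDM.EXE 86
PID 3904 wrote to memory of 2212 3904 MSWDM.EXE 86
"""

SAMPLE_LC = r"C:\Users\Admin\AppData\Local\Temp\4b4d9f23293f2a5a0be3a3e680977ac0_NeikiAnalytics.exe"
SAMPLE_UC = r"C:\Users\Admin\AppData\Local\Temp\4B4D9F23293F2A5A0BE3A3E680977AC0_NEIKIANALYTICS.EXE"

# Image path and argument string per PID, taken from the report's process tree.
# Keeping image and arguments separate is this example's choice; it avoids
# guessing where a command line splits when paths contain spaces.
PROCS = {
    4204: (SAMPLE_LC, ""),
    2372: (r"C:\WINDOWS\MSWDM.EXE", ""),
    3904: (r"C:\WINDOWS\MSWDM.EXE", "-r!C:\\Windows\\dev4CF7.tmp!" + SAMPLE_LC + "! !"),
    3952: (SAMPLE_UC, ""),
    2212: (r"C:\WINDOWS\MSWDM.EXE", "-e!C:\\Windows\\dev4CF7.tmp!" + SAMPLE_UC + "!"),
}


def parent_map(wpm_text):
    """child PID -> writer PID, with the repeated events collapsed."""
    parents = {}
    for m in WPM_LINE_RE.finditer(wpm_text):
        writer, target = int(m.group(1)), int(m.group(2))
        parents.setdefault(target, writer)
    return parents


def ancestry(pid, parents):
    """PIDs from the root of the chain down to `pid`."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def parse_mswdm_args(args):
    """Decode '-<mode>!<tmp>!<target>!...' as seen in the tree, or None.

    Fields are '!'-separated; the -r form in the report carries a fourth,
    whitespace-only field, kept verbatim under 'extra'. What the modes mean
    is not stated by the report and is not guessed here."""
    if len(args) < 2 or args[0] != "-" or "!" not in args:
        return None
    fields = args.split("!")
    if len(fields[0]) != 2 or len(fields) < 4:
        return None
    return {"mode": fields[0][1], "tmp": fields[1], "target": fields[2], "extra": fields[3:]}


def mswdm_invocations(procs):
    """(pid, decoded_args) for each MSWDM.EXE launched with the '!' convention."""
    out = []
    for pid, (image, args) in procs.items():
        if image.rsplit("\\", 1)[-1].upper() == "MSWDM.EXE":
            decoded = parse_mswdm_args(args)
            if decoded:
                out.append((pid, decoded))
    return out


if __name__ == "__main__":
    parents = parent_map(WPM_TEXT)
    for pid, decoded in mswdm_invocations(PROCS):
        chain = " -> ".join(str(p) for p in ancestry(pid, parents))
        print(f"{chain}: mode={decoded['mode']} tmp={decoded['tmp']} target={decoded['target']}")
```

The eleven WPM events collapse to four edges, which is exactly the tree drawn above; the two decoded invocations show the same temporary file handed to -r and -e, with the target path differing only in case.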
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1
Filesize: 738KB
MD5: 9a76c8036cb6587af961e847403610a8
SHA1: cbd99501ab11df43371f75b6406f637d04c2b869
SHA256: 83f22a876f1736a2a51f236e9d7e948477f0ab8bfe18ac305c55a1a452476fd7
SHA512: ea7c7bff73177f1248af5d9f1c97f61231221741c483a2c7900b918a1c0e4abdf6f73ce4b5f2448812bf11dea263e3e963002783cafd7d45089ada2658b9baa0

Dropped file 2
Filesize: 164KB
MD5: c63b4134b74602a3c45a65664b08d981
SHA1: 395e802be36cc24865439eac672ddf85733aafaf
SHA256: 2495dffa440d3090c798cb22a73a8beacb063221b2a894f7fbc62a4b6d5b4a58
SHA512: 82894f5428ae58cfdbcf2c3ef9d08dfe533d91c67b290f875337196f731137c38ca855293caa6c9568ed510564a5fc71372f38d3edeae0a7036dd57265d122dd

Dropped file 3
Filesize: 574KB
MD5: 6503efe0a01c2d50c97be27f3cb10a43
SHA1: a0cb3708603a18f02352d01ec672020e5bad5073
SHA256: 0cf9864ae3a8679ed503f954a453452c93fa44f99ca6f39bbc5860abde7fd35e
SHA512: ebdbc553ba4348676fd3f2ca12e48af53a229b449a36e653dbfca90efb34d21033e41d1157dcca28c2b1e5f91368c0839298992247cf7d2e8feca5feab8ecea4

The page does not map these hashes to paths, so two arithmetic observations are all that can be stated: 164KB + 574KB = 738KB, the size of the submitted sample, and the 738KB dropped file has a different MD5/SHA1/SHA256 from the submitted sample despite the identical size. The 0x400000-0x429000 span of every upx memory match is 0x29000 = 167936 bytes, exactly 164KB, which is consistent with (but not proof of) the 164KB file being MSWDM.EXE.