Analysis
max time kernel: 20s
max time network: 123s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 31/05/2024, 22:25
Static task: static1
Behavioral task: behavioral1
  Sample: 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe
Size: 548KB
MD5: 823315a7ec0c3ce4f9ebf6b173685e60
SHA1: 3081c762ee6afa7486ebc67d21172f666804f7e3
SHA256: 3dd195376379b17b924ac8393072772a017c0c16521717e9057aeaf1dc55ca14
SHA512: 2d72ab8a0b4b572cb01dacb3df477507bc7bc948e88472efb8dfa6b9e54a897a8a84d38c21af920faea92e30b2365cfa54b1c889d2f62a85d41fd6603c336cc9
SSDEEP: 12288:wlbd+01gL5pRTcAkS/3hzN8qE43fm78Vy:Wbd+R5jcAkSYqyEy
Malware Config
Signatures

Executes dropped EXE (5 IoCs)
  pid   Process
  1900  MSWDM.EXE
  2720  MSWDM.EXE
  2608  823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE
  1116  Process not Found
  2732  MSWDM.EXE

Loads dropped DLL (3 IoCs)
  pid   Process
  1900  MSWDM.EXE
  2528  Process not Found
  1116  Process not Found

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\MSWDM.EXE | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe
  File opened for modification | C:\Windows\devB37.tmp | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1900  MSWDM.EXE

Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2228 wrote to memory of 2720 | 2228 | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | 28
  PID 2228 wrote to memory of 2720 | 2228 | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | 28
  PID 2228 wrote to memory of 2720 | 2228 | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | 28
  PID 2228 wrote to memory of 2720 | 2228 | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | 28
  PID 2228 wrote to memory of 1900 | 2228 | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | 29
  PID 2228 wrote to memory of 1900 | 2228 | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | 29
  PID 2228 wrote to memory of 1900 | 2228 | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | 29
  PID 2228 wrote to memory of 1900 | 2228 | 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | 29
  PID 1900 wrote to memory of 2608 | 1900 | MSWDM.EXE | 30
  PID 1900 wrote to memory of 2608 | 1900 | MSWDM.EXE | 30
  PID 1900 wrote to memory of 2608 | 1900 | MSWDM.EXE | 30
  PID 1900 wrote to memory of 2608 | 1900 | MSWDM.EXE | 30
  PID 1900 wrote to memory of 2732 | 1900 | MSWDM.EXE | 32
  PID 1900 wrote to memory of 2732 | 1900 | MSWDM.EXE | 32
  PID 1900 wrote to memory of 2732 | 1900 | MSWDM.EXE | 32
  PID 1900 wrote to memory of 2732 | 1900 | MSWDM.EXE | 32
Processes

1. C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   PID: 2228

   2. C:\WINDOWS\MSWDM.EXE
      Command line: "C:\WINDOWS\MSWDM.EXE"
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 2720

   2. C:\WINDOWS\MSWDM.EXE
      Command line: -r!C:\Windows\devB37.tmp!C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe! !
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1900

      3. C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE
         - Executes dropped EXE
         PID: 2608

      3. C:\WINDOWS\MSWDM.EXE
         Command line: -e!C:\Windows\devB37.tmp!C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE!
         - Executes dropped EXE
         PID: 2732
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 90KB
MD5: 8f2d28e86da4e46fc37522f9015ebdbc
SHA1: 8523897a7511249a248565fdbee289196f7b2866
SHA256: b9bcc3b92f2d29bdf6bbd7a1caf5ef4b1ad668f264f6d5019f9f05fad25ae240
SHA512: bb04eb0e480fbe02fde3cf17defb774c9d9b5bcaf23bed81fcdb1ddfe4f9bcce7d77093965fe1752e696632a2c0fde8fb7d9ad0e63271ee1e7beb1cf4ff510a8

Filesize: 458KB
MD5: 619f7135621b50fd1900ff24aade1524
SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628