Analysis Overview
SHA256
3dd195376379b17b924ac8393072772a017c0c16521717e9057aeaf1dc55ca14
Threat Level: Shows suspicious behavior
The file 823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-31 22:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 22:25
Reported
2024-05-31 22:27
Platform
win7-20240215-en
Max time kernel
20s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\devB37.tmp | C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe"
C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\devB37.tmp!C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe! !
C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE
C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\devB37.tmp!C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE!
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:78 | | udp |
| N/A | 10.255.255.255:78 | | udp |
| N/A | 10.127.0.255:78 | | udp |
Files
memory/2228-0-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\MSWDM.EXE
| MD5 | 8f2d28e86da4e46fc37522f9015ebdbc |
| SHA1 | 8523897a7511249a248565fdbee289196f7b2866 |
| SHA256 | b9bcc3b92f2d29bdf6bbd7a1caf5ef4b1ad668f264f6d5019f9f05fad25ae240 |
| SHA512 | bb04eb0e480fbe02fde3cf17defb774c9d9b5bcaf23bed81fcdb1ddfe4f9bcce7d77093965fe1752e696632a2c0fde8fb7d9ad0e63271ee1e7beb1cf4ff510a8 |
memory/2228-12-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\devB37.tmp
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
memory/1900-15-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2732-27-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1900-30-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2720-31-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 22:25
Reported
2024-05-31 22:27
Platform
win10v2004-20240508-en
Max time kernel
22s
Max time network
145s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\dev4611.tmp | C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\dev4611.tmp | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe"
C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev4611.tmp!C:\Users\Admin\AppData\Local\Temp\823315a7ec0c3ce4f9ebf6b173685e60_NeikiAnalytics.exe! !
C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE
C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev4611.tmp!C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE!
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:78 | | udp |
| N/A | 10.255.255.255:78 | | udp |
| N/A | 10.127.0.255:78 | | udp |
| US | 8.8.8.8:53 | 255.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.255.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/4116-0-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\MSWDM.EXE
| MD5 | 8f2d28e86da4e46fc37522f9015ebdbc |
| SHA1 | 8523897a7511249a248565fdbee289196f7b2866 |
| SHA256 | b9bcc3b92f2d29bdf6bbd7a1caf5ef4b1ad668f264f6d5019f9f05fad25ae240 |
| SHA512 | bb04eb0e480fbe02fde3cf17defb774c9d9b5bcaf23bed81fcdb1ddfe4f9bcce7d77093965fe1752e696632a2c0fde8fb7d9ad0e63271ee1e7beb1cf4ff510a8 |
C:\Windows\dev4611.tmp
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
memory/1656-10-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4116-9-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\823315A7EC0C3CE4F9EBF6B173685E60_NEIKIANALYTICS.EXE
| MD5 | 150632f6084943205bd9f1e3edb2bf4d |
| SHA1 | 2531999c6b5e0f86492df09d1ac9deae2adcabfc |
| SHA256 | ce266578e530304e3379580bcfb790cf39bc6ac6ef634986a335b9deb250da17 |
| SHA512 | 59109755577d830253aee19cd74f93d386a1ae22e5ee8de21844f3eb31d3cd3f3672adcfb88cacee574ac798733908504c62f0b8341350281afae80a07d2d55c |
memory/2208-20-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3480-23-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1656-24-0x0000000000400000-0x000000000041B000-memory.dmp