Analysis
max time kernel: 47s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 01:36
Static task: static1
Behavioral task: behavioral1
  Sample: 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe
Size: 505KB
MD5: 1d7111ab5f67a519b7e271d4bcda9340
SHA1: 489f63443ae8c79b9db2bbca9eb6b3ca42567b4d
SHA256: 12f61e065a1c1f70c4255d68451fc5a54f02d336ca241f9513427f668ee38c57
SHA512: 305140a2c981e8d4808837a731d4eb07f9508ed3e4f5b100ef912a252d4c63869c4b99b4968e55c3f65f2b56959a1a50705adb409f23e02c07b6cdb7f8bdf5b4
SSDEEP: 12288:wlbG+b1gL5pRTcAkS/3hzN8qE43fm78V5:WbG+G5jcAkSYqyE5
Malware Config
Signatures
-
Executes dropped EXE (4 IoCs)
  pid | Process
  2180 | MSWDM.EXE
  2400 | MSWDM.EXE
  4764 | 1D7111AB5F67A519B7E271D4BCDA9340_NEIKIANALYTICS.EXE
  2240 | MSWDM.EXE
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\devF8B.tmp | MSWDM.EXE
  File created | C:\WINDOWS\MSWDM.EXE | 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe
  File opened for modification | C:\Windows\devF8B.tmp | 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2400 | MSWDM.EXE
  2400 | MSWDM.EXE
Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 3176 wrote to memory of 2180 | 3176 | 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe | 92
  PID 3176 wrote to memory of 2180 | 3176 | 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe | 92
  PID 3176 wrote to memory of 2180 | 3176 | 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe | 92
  PID 3176 wrote to memory of 2400 | 3176 | 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe | 93
  PID 3176 wrote to memory of 2400 | 3176 | 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe | 93
  PID 3176 wrote to memory of 2400 | 3176 | 1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe | 93
  PID 2400 wrote to memory of 4764 | 2400 | MSWDM.EXE | 94
  PID 2400 wrote to memory of 4764 | 2400 | MSWDM.EXE | 94
  PID 2400 wrote to memory of 2240 | 2400 | MSWDM.EXE | 96
  PID 2400 wrote to memory of 2240 | 2400 | MSWDM.EXE | 96
  PID 2400 wrote to memory of 2240 | 2400 | MSWDM.EXE | 96
Processes
C:\Users\Admin\AppData\Local\Temp\1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe"
  PID: 3176
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\WINDOWS\MSWDM.EXE
      command line: "C:\WINDOWS\MSWDM.EXE"
      PID: 2180
      - Executes dropped EXE
      - Adds Run key to start application

    C:\WINDOWS\MSWDM.EXE
      command line: -r!C:\Windows\devF8B.tmp!C:\Users\Admin\AppData\Local\Temp\1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe! !
      PID: 2400
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\1D7111AB5F67A519B7E271D4BCDA9340_NEIKIANALYTICS.EXE
          PID: 4764
          - Executes dropped EXE

        C:\WINDOWS\MSWDM.EXE
          command line: -e!C:\Windows\devF8B.tmp!C:\Users\Admin\AppData\Local\Temp\1D7111AB5F67A519B7E271D4BCDA9340_NEIKIANALYTICS.EXE!
          PID: 2240
          - Executes dropped EXE
          - Drops file in Windows directory

Separate root process (depth 1, not spawned by the sample):
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
  PID: 1616
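The Signatures and Processes sections above describe the run in terms of three Triage rules (autorun key written, file dropped into the Windows directory, dropped EXE executed) and an unusual "!"-delimited command-line layout on the two MSWDM.EXE children. The Python below is an added example, not part of the Triage report or its rule set: it re-implements those three rules as detection logic over event tuples constructed from the report's own IoC rows, and parses the -r!...!...! ! and -e!...!...! arguments. Assumptions, all labelled in the code: the event ordering (t) is constructed to be consistent with the process tree, since the report gives no timestamps; the file-create event for the uppercase-named copy is inferred from the report's "Executes dropped EXE" tag on PID 4764 and is not in its file table; the explorer.exe and svchost.exe rows are constructed benign controls; and the meaning of the -r and -e flags is not established by the report, so only their positional layout is parsed.

```python
"""Added example (not part of the Triage report): the report's behavioural signatures
re-implemented as rules over constructed events, plus a parser for the '!'-delimited
arguments MSWDM.EXE was launched with. Event ordering (t) is constructed to match the
process tree; the row marked INFERRED is not in the report's file table."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe"
SAMPLE_UPPER = r"C:\Users\Admin\AppData\Local\Temp\1D7111AB5F67A519B7E271D4BCDA9340_NEIKIANALYTICS.EXE"
MSWDM = r"C:\WINDOWS\MSWDM.EXE"
TMP = r"C:\Windows\devF8B.tmp"
CV = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion"

# (process, key, data): the four "Adds Run key" rows plus one constructed benign control
REGISTRY_EVENTS = [
    ("1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe", CV + r"\Run\WDM", "MSWDM.EXE"),
    ("1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe", CV + r"\RunServices\WDM", "MSWDM.EXE"),
    ("MSWDM.EXE", CV + r"\Run\WDM", "MSWDM.EXE"),
    ("MSWDM.EXE", CV + r"\RunServices\WDM", "MSWDM.EXE"),
    ("explorer.exe", CV + r"\Explorer\Advanced\Hidden", "1"),  # constructed benign control
]
# (t, process, action, path): the three "Drops file in Windows directory" rows plus two extras
FILE_EVENTS = [
    (1, "1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe", "created", MSWDM),
    (2, "1d7111ab5f67a519b7e271d4bcda9340_NeikiAnalytics.exe", "modified", TMP),
    (5, "MSWDM.EXE", "modified", TMP),
    (6, "MSWDM.EXE", "created", SAMPLE_UPPER),  # INFERRED from the "Executes dropped EXE" tag on PID 4764
    (9, "svchost.exe", "created", r"C:\Windows\System32\LogFiles\x.log"),  # constructed benign control
]
# (t, pid, parent_pid, image, command_line) from the process tree; the parent of 3176 is not recorded
PROCESS_EVENTS = [
    (0, 3176, None, SAMPLE, f'"{SAMPLE}"'),
    (3, 2180, 3176, MSWDM, f'"{MSWDM}"'),
    (4, 2400, 3176, MSWDM, f"-r!{TMP}!{SAMPLE}! !"),
    (7, 4764, 2400, SAMPLE_UPPER, ""),
    (8, 2240, 2400, MSWDM, f"-e!{TMP}!{SAMPLE_UPPER}!"),
]

# Autorun value under ...\CurrentVersion\Run* in either the native or the WOW6432Node view
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\[^\\]+$", re.I)
# A file directly inside the Windows directory (C:\Windows\<name>), not in a subdirectory
WINDOWS_ROOT_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+$", re.I)

def autorun_hits(events=REGISTRY_EVENTS):
    """'Adds Run key to start application': (process, value name, data) per autorun write."""
    return [(proc, key.rsplit("\\", 1)[1], data) for proc, key, data in events if AUTORUN_RE.search(key)]

def windows_dir_drops(events=FILE_EVENTS):
    """'Drops file in Windows directory': creates/modifies of a file directly under the Windows dir."""
    return [(proc, action, path) for _, proc, action, path in events if WINDOWS_ROOT_RE.match(path)]

def dropped_exe_executions(file_events=FILE_EVENTS, proc_events=PROCESS_EVENTS):
    """'Executes dropped EXE': PIDs whose image was created by an earlier file event. Paths compare
    case-insensitively (NTFS), so without the time check PID 3176 would match its own uppercase copy."""
    created = [(t, path.lower()) for t, _, action, path in file_events if action == "created"]
    return [pid for t, pid, _, image, _ in proc_events
            if any(ct < t and cpath == image.lower() for ct, cpath in created)]

def lineage(pid, proc_events=PROCESS_EVENTS):
    """Parent chain back to the root, e.g. lineage(2240) -> [2240, 2400, 3176]."""
    parents = {p: pp for _, p, pp, _, _ in proc_events}
    chain = []
    while pid is not None and pid not in chain:
        chain.append(pid)
        pid = parents.get(pid)
    return chain

def parse_bang_args(cmdline):
    """Parse the '-<flag>!<field>!<field>!...' layout seen on PIDs 2400 and 2240.
    Returns (flag, fields, raw_field_count) with trailing empty/blank fields trimmed, or None."""
    m = re.match(r"^-(\w)!(.*)$", cmdline)
    if not m:
        return None
    flag, rest = m.groups()
    raw = rest.split("!")  # '-r' lines end in '! !' and '-e' lines in '!', so raw has trailing blanks
    fields = list(raw)
    while fields and not fields[-1].strip():
        fields.pop()
    return (flag, fields, len(raw))

def summarize():
    """Rule -> hit count, directly comparable with the IoC counts in the Signatures section."""
    return {
        "Adds Run key to start application": len(autorun_hits()),
        "Drops file in Windows directory": len(windows_dir_drops()),
        "Executes dropped EXE": len(dropped_exe_executions()),
    }

if __name__ == "__main__":
    for rule, n in summarize().items():
        print(f"{n:>2}  {rule}")
    for _, pid, _, _, cmd in PROCESS_EVENTS:
        args = parse_bang_args(cmd)
        if args:
            print(pid, " <- ".join(map(str, lineage(pid))), args[0], args[1])
```

Run with python3 to print the three hit counts (4, 3 and 4, the same IoC counts the report shows) and the parsed fields for PIDs 2400 and 2240. The ordering check in dropped_exe_executions is the part worth keeping: Windows paths compare case-insensitively, so the original sample's path and the uppercase-named copy are the same file name, and a rule that matches image paths against created paths without a time constraint flags PID 3176 as executing its own drop.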
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 505KB
MD5: 2c37c7942900b3e860fbcb562d86e3d4
SHA1: 7959f6903d8aa5304c3ce5e77fdc3dd07a0bcb7c
SHA256: 7146fc28a4cf216475ba56a2f0e4ca2c912926f2a39faa31365976b2dcb9ca7d
SHA512: f968dc6430648d12fc70b6d0221dd791c0b7d0b506b369749b3256e87d927422bddf051dc637e3c9168e43c58eeb8ec50bebe51ec4ff7a258089126e6a0730b1

Filesize: 47KB
MD5: 02252334fa17a25b781e2bfebd1bca3d
SHA1: a72858647bf5774aefcb9e064a5db74728d6a483
SHA256: 3149abb7c1b6e56672f70f483b24222d0a41b948e7b7ec5ad8e66197480173fe
SHA512: 8d3e14398fe9e1cae632762f85a548e5f7c455a2f8481e30017e2caad14412215f88ca217a109cfb87f3cb41603c0560c90de4cc648039f9f62b017427b33413

Filesize: 458KB
MD5: 619f7135621b50fd1900ff24aade1524
SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628