94cba4ae9e7864cc785e801a921086197f71531a5daf91d2d81c2f5c7688bbd9

General

Target

9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe
Size

927KB
MD5

9dcc62f90f83bc0be9dbde16e0d9ef90
SHA1

daab377c064705427e0be237502279c346e5eb6f
SHA256

94cba4ae9e7864cc785e801a921086197f71531a5daf91d2d81c2f5c7688bbd9
SHA512

102c908db195e6b337dedb7c03756f0296f01eb18d737dac34e8f14f64dda44f8c990ba35f88b7c8f81a67a0afee9ea5554a198c564458aca22bae0144a98d95
SSDEEP

24576:Wbo+tZe0p4Ek4niOkl/A04szE87JKTvmC:Wbo+PeW4SkZP4sz9Mbp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2344	MSWDM.EXE
1768	MSWDM.EXE
2264	9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE

Loads dropped DLL 2 IoCs

pid	Process
2344	MSWDM.EXE
2344	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev189F.tmp	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2344	MSWDM.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2264	9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2264	9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE
Token: 35	2264	9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1768	1964	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 1768	1964	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 1768	1964	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 1768	1964	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2344	1964	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2344	1964	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2344	1964	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2344	1964	9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe	29
PID 2344 wrote to memory of 2264	2344	MSWDM.EXE	30
PID 2344 wrote to memory of 2264	2344	MSWDM.EXE	30
PID 2344 wrote to memory of 2264	2344	MSWDM.EXE	30
PID 2344 wrote to memory of 2264	2344	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1964
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1768
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev189F.tmp!C:\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\9DCC62F90F83BC0BE9DBDE16E0D9EF90_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
d4f324176e864a4ba6c86ac00ec33851

SHA1
953a5de37833fae53d66912fa86d8adceb3dd74e

SHA256
3c69a2458dc6d1a1d1022efae1146c5541c661eb7e161124eabea1bf4fc8c43b

SHA512
703eec6157d0750d0684f091d14c229a640adc5266a9499a7e7d16963514198ca6ad495954495eac70b76f130a14461742e8149c4f43e7ddd43c9387b56ab399

Download Submit
\Users\Admin\AppData\Local\Temp\9dcc62f90f83bc0be9dbde16e0d9ef90_NeikiAnalytics.exe

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
memory/1768-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1768-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2344-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2344-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads