72136e8310d637c30846aa80ddf9669fccef08c9ce42cc8015829e65a361da7a

General

Target

25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
Size

1.1MB
MD5

25c4ce2ffaab5c90ab3db93da47824b0
SHA1

37d9b8295a2c01066da046cf0fdf52fff71e77e8
SHA256

72136e8310d637c30846aa80ddf9669fccef08c9ce42cc8015829e65a361da7a
SHA512

7e9437e5ef79ca2a19e6b57a057f45f8d273eaad011a1207d545d2c3c0d2cf009216c5263709831b6a9e7bbfc91877b356a72bef7367c9a3651aaa239466001c
SSDEEP

12288:xGIqOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+K:xPnajQEPnvg6PhWDC750K

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000014b70-13.dat	aspack_v212_v242
behavioral1/files/0x0007000000015616-35.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
2352	MSWDM.EXE
2032	MSWDM.EXE
1228	25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
2548	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2352	MSWDM.EXE
2352	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\devD2A.tmp	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\devD2A.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2352	MSWDM.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1228	25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
1228	25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
1228	25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
1228	25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2032	2196	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2032	2196	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2032	2196	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2032	2196	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2352	2196	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	29
PID 2196 wrote to memory of 2352	2196	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	29
PID 2196 wrote to memory of 2352	2196	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	29
PID 2196 wrote to memory of 2352	2196	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	29
PID 2352 wrote to memory of 1228	2352	MSWDM.EXE	30
PID 2352 wrote to memory of 1228	2352	MSWDM.EXE	30
PID 2352 wrote to memory of 1228	2352	MSWDM.EXE	30
PID 2352 wrote to memory of 1228	2352	MSWDM.EXE	30
PID 2352 wrote to memory of 2548	2352	MSWDM.EXE	31
PID 2352 wrote to memory of 2548	2352	MSWDM.EXE	31
PID 2352 wrote to memory of 2548	2352	MSWDM.EXE	31
PID 2352 wrote to memory of 2548	2352	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2196
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2032
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devD2A.tmp!C:\Users\Admin\AppData\Local\Temp\25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1228
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devD2A.tmp!C:\Users\Admin\AppData\Local\Temp\25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE

Filesize
1.1MB

MD5
b0968b07ddd541745391d5f86d1805ce

SHA1
c8b64c3b63c578e15a0a91a3686486ccddfeee8b

SHA256
6152b0749fe61612cf8c14589357e2669f15d4d8430b4c9ac23f2621ab2e0999

SHA512
b7056503433374b6be41ce2bf959905b14ada28fda8d9193d724208deb481dd1add9418ee7422bd4a12c033267b0f6dc2bd3add9f3d436f0fbebf2dd1c6171d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe

Filesize
1.1MB

MD5
b0375fadbb808beaf33971aa2b1b56e2

SHA1
2b978167e0b264e7dd3484c61df8b31799f6867f

SHA256
92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

SHA512
8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
54f0aee171995aebdb1eb063789085c5

SHA1
a1cf32099b88b75a8b08e7667909478194be84cc

SHA256
976ee774d60fb66dfb9e38140a8933747a9a583f59ad58e02eb280c5f47efef9

SHA512
405b6978cfee79bbdec3b2b6ae9ae98c985c42330963677edaf106f34cbab126bcab845252ee7f08b8e8ef4269f1a900c45f6ba8ef1c7bec050e657b0551d594

Download Submit
memory/2032-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2032-38-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2196-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2196-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2352-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2352-37-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2352-29-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/2548-34-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2548-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads