72136e8310d637c30846aa80ddf9669fccef08c9ce42cc8015829e65a361da7a

General

Target

25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
Size

1.1MB
MD5

25c4ce2ffaab5c90ab3db93da47824b0
SHA1

37d9b8295a2c01066da046cf0fdf52fff71e77e8
SHA256

72136e8310d637c30846aa80ddf9669fccef08c9ce42cc8015829e65a361da7a
SHA512

7e9437e5ef79ca2a19e6b57a057f45f8d273eaad011a1207d545d2c3c0d2cf009216c5263709831b6a9e7bbfc91877b356a72bef7367c9a3651aaa239466001c
SSDEEP

12288:xGIqOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+K:xPnajQEPnvg6PhWDC750K

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000800000002327d-6.dat	aspack_v212_v242
behavioral2/files/0x0007000000023451-23.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
3320	MSWDM.EXE
3348	MSWDM.EXE
4072	25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
1396	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev474A.tmp	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev474A.tmp	MSWDM.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1488	4072	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3348	MSWDM.EXE
3348	MSWDM.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4072	25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
4072	25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
4072	25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
4072	25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3320	1792	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	82
PID 1792 wrote to memory of 3320	1792	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	82
PID 1792 wrote to memory of 3320	1792	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	82
PID 1792 wrote to memory of 3348	1792	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	83
PID 1792 wrote to memory of 3348	1792	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	83
PID 1792 wrote to memory of 3348	1792	25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe	83
PID 3348 wrote to memory of 4072	3348	MSWDM.EXE	84
PID 3348 wrote to memory of 4072	3348	MSWDM.EXE	84
PID 3348 wrote to memory of 4072	3348	MSWDM.EXE	84
PID 3348 wrote to memory of 1396	3348	MSWDM.EXE	88
PID 3348 wrote to memory of 1396	3348	MSWDM.EXE	88
PID 3348 wrote to memory of 1396	3348	MSWDM.EXE	88

C:\Users\Admin\AppData\Local\Temp\25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1792
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3320
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev474A.tmp!C:\Users\Admin\AppData\Local\Temp\25c4ce2ffaab5c90ab3db93da47824b0_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Users\Admin\AppData\Local\Temp\25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1420
      4⤵
      Program crash
      PID:1488
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev474A.tmp!C:\Users\Admin\AppData\Local\Temp\25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4072 -ip 4072
1⤵
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25C4CE2FFAAB5C90AB3DB93DA47824B0_NEIKIANALYTICS.EXE

Filesize
1.1MB

MD5
f70ae5f69c8e4e4eae671067c6e15ca3

SHA1
692e1a6ef388506108570ef1715e6217b90b806c

SHA256
af95a8605a0b147f4b40881a13b61fa5f7d45df9685bba7f24277f23832db82e

SHA512
12b40bfb30c408f07b5ac1ffbbaffe58343c397b19de8899917de94480254b3005ea7f7d83932f7fc0d557158a86a639c2d9f024a05b7a6ab52432e92507f4c9

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
54f0aee171995aebdb1eb063789085c5

SHA1
a1cf32099b88b75a8b08e7667909478194be84cc

SHA256
976ee774d60fb66dfb9e38140a8933747a9a583f59ad58e02eb280c5f47efef9

SHA512
405b6978cfee79bbdec3b2b6ae9ae98c985c42330963677edaf106f34cbab126bcab845252ee7f08b8e8ef4269f1a900c45f6ba8ef1c7bec050e657b0551d594

Download Submit
C:\Windows\dev474A.tmp

Filesize
1.1MB

MD5
b0375fadbb808beaf33971aa2b1b56e2

SHA1
2b978167e0b264e7dd3484c61df8b31799f6867f

SHA256
92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33

SHA512
8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58

Download Submit
memory/1396-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1396-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1792-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1792-10-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3320-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3320-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3348-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3348-25-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads