6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6

General

Target

6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe
Size

92KB
MD5

f575bcee514ebd3479d7a00d12b8c0a0
SHA1

91ac0bad555988100e3df1cf07c28635ce9c4731
SHA256

6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6
SHA512

370fa9fe37055c2e42781563351aba1fb6355b4caac27f3ab0ce88fe22bfef100e2b62c8ab8a217be7b311e1a3734dcf7fbcc6948c8e1478abed398c9e1123f1
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FMG+sdguxnSngBNpT/mzNnxPAxEAz0+/d07QW:HQC/yj5JO3MnMG+Hu54Fx4xE8F07QW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
344	MSWDM.EXE
2672	MSWDM.EXE
2704	6F35DB0A7B3471BF593BF6D80AB968733D29C4AB446E72AAED3FC228395408C6_NEIKIANALYTICS.EXE
2748	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2672	MSWDM.EXE
2672	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev11AD.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe
File opened for modification	C:\Windows\dev11AD.tmp	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2672	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 344	348	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	28
PID 348 wrote to memory of 344	348	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	28
PID 348 wrote to memory of 344	348	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	28
PID 348 wrote to memory of 344	348	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	28
PID 348 wrote to memory of 2672	348	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	29
PID 348 wrote to memory of 2672	348	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	29
PID 348 wrote to memory of 2672	348	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	29
PID 348 wrote to memory of 2672	348	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	29
PID 2672 wrote to memory of 2704	2672	MSWDM.EXE	30
PID 2672 wrote to memory of 2704	2672	MSWDM.EXE	30
PID 2672 wrote to memory of 2704	2672	MSWDM.EXE	30
PID 2672 wrote to memory of 2704	2672	MSWDM.EXE	30
PID 2672 wrote to memory of 2748	2672	MSWDM.EXE	32
PID 2672 wrote to memory of 2748	2672	MSWDM.EXE	32
PID 2672 wrote to memory of 2748	2672	MSWDM.EXE	32
PID 2672 wrote to memory of 2748	2672	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:348
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:344
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev11AD.tmp!C:\Users\Admin\AppData\Local\Temp\6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\6F35DB0A7B3471BF593BF6D80AB968733D29C4AB446E72AAED3FC228395408C6_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:2704
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev11AD.tmp!C:\Users\Admin\AppData\Local\Temp\6F35DB0A7B3471BF593BF6D80AB968733D29C4AB446E72AAED3FC228395408C6_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6F35DB0A7B3471BF593BF6D80AB968733D29C4AB446E72AAED3FC228395408C6_NEIKIANALYTICS.EXE

Filesize
92KB

MD5
e34248488736a8bfa07b83df246961cc

SHA1
f7a490eb95fddb3db2a9232459cb7bd33aa8178b

SHA256
786461821d699d2e40a43c516b476fed31c504c39d7757d8acbfe79b6a8adb77

SHA512
120de8b99b1f8032e41a07f5de60641a3c559cbe44d1e2ff3e4ce15c554f22a3458325e1670744e39cc3a5dae698809a6cf10e8db7d4968566f77b069d22ac2e

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
ca1665aebc386a9e1e00e62a6f24bccd

SHA1
ace8a60b685b6e870d0952fd7de8b1157112db6a

SHA256
9a7574d09ccc52c090ac586db59b15f7295fb15f6c2a1492558cb6d4cfdd5d3d

SHA512
bd227870c2e6b67e11e532e43aecdd0af65745a31cc0beed86032bb00879a3eddeb9ddeae7bcc7089fee758179e2b7b9f567957f7f2fcfc69ed766d5feaa6d17

Download Submit
C:\Windows\dev11AD.tmp

Filesize
12KB

MD5
897cc6ed17649490dec8e20e9dd7ffd6

SHA1
cb3a77d8dd7edf46de54545ca7b0c5b201f85917

SHA256
cfb6b16c6c7ee64111fe96a82c4619db26ea4bac0e39c5cb29d1181b8c065f34

SHA512
b719f7b95f723d0563b270f1260d086168b118189ca74f2aef37e90ad55d66f5c261ecfb15f77e80af6a551587b966bf48818a6421350f8e86b8a5f59acbc2ca

Download Submit
memory/344-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/344-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/348-10-0x00000000002F0000-0x000000000030B000-memory.dmp

Filesize
108KB

Download
memory/348-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/348-8-0x00000000002F0000-0x000000000030B000-memory.dmp

Filesize
108KB

Download
memory/348-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/348-6-0x00000000002F0000-0x000000000030B000-memory.dmp

Filesize
108KB

Download
memory/2672-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2672-38-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2672-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2704-30-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2748-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads