6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6

General

Target

6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe
Size

92KB
MD5

f575bcee514ebd3479d7a00d12b8c0a0
SHA1

91ac0bad555988100e3df1cf07c28635ce9c4731
SHA256

6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6
SHA512

370fa9fe37055c2e42781563351aba1fb6355b4caac27f3ab0ce88fe22bfef100e2b62c8ab8a217be7b311e1a3734dcf7fbcc6948c8e1478abed398c9e1123f1
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FMG+sdguxnSngBNpT/mzNnxPAxEAz0+/d07QW:HQC/yj5JO3MnMG+Hu54Fx4xE8F07QW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5020	MSWDM.EXE
2232	MSWDM.EXE
4144	6F35DB0A7B3471BF593BF6D80AB968733D29C4AB446E72AAED3FC228395408C6_NEIKIANALYTICS.EXE
4072	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe
File opened for modification	C:\Windows\devF50E.tmp	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe
File opened for modification	C:\Windows\devF50E.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2232	MSWDM.EXE
2232	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 5020	2464	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	88
PID 2464 wrote to memory of 5020	2464	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	88
PID 2464 wrote to memory of 5020	2464	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	88
PID 2464 wrote to memory of 2232	2464	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	89
PID 2464 wrote to memory of 2232	2464	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	89
PID 2464 wrote to memory of 2232	2464	6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe	89
PID 2232 wrote to memory of 4144	2232	MSWDM.EXE	90
PID 2232 wrote to memory of 4144	2232	MSWDM.EXE	90
PID 2232 wrote to memory of 4144	2232	MSWDM.EXE	90
PID 2232 wrote to memory of 4072	2232	MSWDM.EXE	92
PID 2232 wrote to memory of 4072	2232	MSWDM.EXE	92
PID 2232 wrote to memory of 4072	2232	MSWDM.EXE	92

C:\Users\Admin\AppData\Local\Temp\6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2464
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5020
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devF50E.tmp!C:\Users\Admin\AppData\Local\Temp\6f35db0a7b3471bf593bf6d80ab968733d29c4ab446e72aaed3fc228395408c6_NeikiAnalytics.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\6F35DB0A7B3471BF593BF6D80AB968733D29C4AB446E72AAED3FC228395408C6_NEIKIANALYTICS.EXE
    3⤵
    - Executes dropped EXE
    PID:4144
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devF50E.tmp!C:\Users\Admin\AppData\Local\Temp\6F35DB0A7B3471BF593BF6D80AB968733D29C4AB446E72AAED3FC228395408C6_NEIKIANALYTICS.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3348 /prefetch:8
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6F35DB0A7B3471BF593BF6D80AB968733D29C4AB446E72AAED3FC228395408C6_NEIKIANALYTICS.EXE

Filesize
92KB

MD5
1c748ff095e7edd7b8f53d719f755112

SHA1
ab664de442250c8831fb53cadc5bc25159e8d41a

SHA256
c88551f341ad67cbe0571225e47d59ab3acde72b73810e481cade81f9fc0ea20

SHA512
13282d03e0608450a73c9a1eb9267cf76ee3afa444436102c9137099fc8232251e396937311d1548c0602551643ac12a316899c419d45e3199faa829dbc4f868

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
ca1665aebc386a9e1e00e62a6f24bccd

SHA1
ace8a60b685b6e870d0952fd7de8b1157112db6a

SHA256
9a7574d09ccc52c090ac586db59b15f7295fb15f6c2a1492558cb6d4cfdd5d3d

SHA512
bd227870c2e6b67e11e532e43aecdd0af65745a31cc0beed86032bb00879a3eddeb9ddeae7bcc7089fee758179e2b7b9f567957f7f2fcfc69ed766d5feaa6d17

Download Submit
C:\Windows\devF50E.tmp

Filesize
12KB

MD5
897cc6ed17649490dec8e20e9dd7ffd6

SHA1
cb3a77d8dd7edf46de54545ca7b0c5b201f85917

SHA256
cfb6b16c6c7ee64111fe96a82c4619db26ea4bac0e39c5cb29d1181b8c065f34

SHA512
b719f7b95f723d0563b270f1260d086168b118189ca74f2aef37e90ad55d66f5c261ecfb15f77e80af6a551587b966bf48818a6421350f8e86b8a5f59acbc2ca

Download Submit
memory/2232-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2464-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2464-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4072-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4072-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4144-16-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5020-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5020-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads