806e91824ecb678d7983d1bb53a8c49bde261f4d2d0526a2e89c0e2cffe461b9

Analysis

max time kernel
93s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
Size

1.9MB
MD5

72e24c3267e92fdfa0fb02a0765af330
SHA1

f97dda213c17c043378a32740f94024eaaefbcb7
SHA256

806e91824ecb678d7983d1bb53a8c49bde261f4d2d0526a2e89c0e2cffe461b9
SHA512

c58c2880b24492ff997092f926cabc264a369f91372070e49cdb9905b8bd7f9345ca67dfe0062604896a350c49f90bce34d227c91dde604497c5a95718b494dd
SSDEEP

49152:39aSHFaZRBEYyqmS2DiHPKQgmZUnaUgpC7jvha51N:39aSHFaZRBEYyqmS2DiHPKQgmZ0aUgU0

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe

Malware Dropper & Backdoor - Berbew 12 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000c0000000233da-8.dat	family_berbew
behavioral2/files/0x0008000000023426-16.dat	family_berbew
behavioral2/files/0x0007000000023428-23.dat	family_berbew
behavioral2/files/0x000700000002342a-31.dat	family_berbew
behavioral2/files/0x000700000002342c-39.dat	family_berbew
behavioral2/files/0x000700000002342e-47.dat	family_berbew
behavioral2/files/0x0007000000023430-55.dat	family_berbew
behavioral2/files/0x0008000000023424-63.dat	family_berbew
behavioral2/files/0x0007000000023433-72.dat	family_berbew
behavioral2/files/0x0007000000023435-80.dat	family_berbew
behavioral2/files/0x0007000000023437-88.dat	family_berbew
behavioral2/files/0x0007000000023439-95.dat	family_berbew

Executes dropped EXE 12 IoCs

pid	Process
3916	Lkiqbl32.exe
3984	Lpfijcfl.exe
3772	Lklnhlfb.exe
3540	Majopeii.exe
3992	Maohkd32.exe
2212	Mcpebmkb.exe
3468	Mpdelajl.exe
2120	Nkncdifl.exe
4200	Nkqpjidj.exe
3144	Nbkhfc32.exe
2416	Ndidbn32.exe
3644	Nkcmohbg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process
3392	3644	WerFault.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 3916	4480	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe	80
PID 4480 wrote to memory of 3916	4480	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe	80
PID 4480 wrote to memory of 3916	4480	72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe	80
PID 3916 wrote to memory of 3984	3916	Lkiqbl32.exe	81
PID 3916 wrote to memory of 3984	3916	Lkiqbl32.exe	81
PID 3916 wrote to memory of 3984	3916	Lkiqbl32.exe	81
PID 3984 wrote to memory of 3772	3984	Lpfijcfl.exe	82
PID 3984 wrote to memory of 3772	3984	Lpfijcfl.exe	82
PID 3984 wrote to memory of 3772	3984	Lpfijcfl.exe	82
PID 3772 wrote to memory of 3540	3772	Lklnhlfb.exe	83
PID 3772 wrote to memory of 3540	3772	Lklnhlfb.exe	83
PID 3772 wrote to memory of 3540	3772	Lklnhlfb.exe	83
PID 3540 wrote to memory of 3992	3540	Majopeii.exe	85
PID 3540 wrote to memory of 3992	3540	Majopeii.exe	85
PID 3540 wrote to memory of 3992	3540	Majopeii.exe	85
PID 3992 wrote to memory of 2212	3992	Maohkd32.exe	87
PID 3992 wrote to memory of 2212	3992	Maohkd32.exe	87
PID 3992 wrote to memory of 2212	3992	Maohkd32.exe	87
PID 2212 wrote to memory of 3468	2212	Mcpebmkb.exe	88
PID 2212 wrote to memory of 3468	2212	Mcpebmkb.exe	88
PID 2212 wrote to memory of 3468	2212	Mcpebmkb.exe	88
PID 3468 wrote to memory of 2120	3468	Mpdelajl.exe	90
PID 3468 wrote to memory of 2120	3468	Mpdelajl.exe	90
PID 3468 wrote to memory of 2120	3468	Mpdelajl.exe	90
PID 2120 wrote to memory of 4200	2120	Nkncdifl.exe	91
PID 2120 wrote to memory of 4200	2120	Nkncdifl.exe	91
PID 2120 wrote to memory of 4200	2120	Nkncdifl.exe	91
PID 4200 wrote to memory of 3144	4200	Nkqpjidj.exe	92
PID 4200 wrote to memory of 3144	4200	Nkqpjidj.exe	92
PID 4200 wrote to memory of 3144	4200	Nkqpjidj.exe	92
PID 3144 wrote to memory of 2416	3144	Nbkhfc32.exe	93
PID 3144 wrote to memory of 2416	3144	Nbkhfc32.exe	93
PID 3144 wrote to memory of 2416	3144	Nbkhfc32.exe	93
PID 2416 wrote to memory of 3644	2416	Ndidbn32.exe	94
PID 2416 wrote to memory of 3644	2416	Ndidbn32.exe	94
PID 2416 wrote to memory of 3644	2416	Ndidbn32.exe	94

C:\Users\Admin\AppData\Local\Temp\72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\72e24c3267e92fdfa0fb02a0765af330_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\Lkiqbl32.exe
  C:\Windows\system32\Lkiqbl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\Lpfijcfl.exe
    C:\Windows\system32\Lpfijcfl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\SysWOW64\Lklnhlfb.exe
      C:\Windows\system32\Lklnhlfb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3772
    - - C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
      - C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        13⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 400
        14⤵
        Program crash
        
        PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3644 -ip 3644
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
1.9MB

MD5
ac5f030347090ca9999268448306d58b

SHA1
e94dcdd1a1dd152fd0db91bbc05146c4b9ee1533

SHA256
fc9e601b98148894adc0dce8f2fef690bbfc4a619761166c9fa6bfa67f87d891

SHA512
319657ce9d59724a2e809ddedf7a438cf2812367fb6b066c27841d78059f0330751dbd41f2233623d8ccea41e49ece76388043ef79d7fff86764973caf90ad26

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
1.9MB

MD5
2d2c61aa7ea1eb2f70e77f01b4fe1cd9

SHA1
c63f332729e5022393345bb13082aae03cc7f66b

SHA256
cd36345dd95ad8dfeb74ddd34bfe1d395cb043ccb9a9fb88d4f6f8c07d4d388d

SHA512
592a6aed3add798ccae548850e458d6831836a8660695d6f0a138ec7daef4468b623088adf65e2c184b21528df3af503549a0c96657ead0bfe4c7ef07e8ee3a7

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
1.9MB

MD5
c45ba1c52a57a6a0a335c88e0db64cf4

SHA1
97938eeaf98eda90abe55b0c6739bb80838bed6a

SHA256
5b0799d299158f8ec84c3b418079c92a1564f2ae433890cfa1f72643b23e9bf8

SHA512
db67c064f3275ed8cab9082f5d972a8774f57c43322fbd6fb0c9a9d7ebdfc8d2043fa0de7776a084d9682eebf358cc25bf96782da65f314c206fd800d7123d25

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
1.9MB

MD5
ca42c8b5ded64640f84702042773fe32

SHA1
ab26fd27c979f753c698cc06f1b216c9ca905d66

SHA256
54f7e4d7b097ad2d6e569d43d5514df5a2e60db1f4fa44cb9c5f1d6ae153d2f9

SHA512
f25d8b413ece28d85c911cfb651730665adc2765576082c5ffc5f09daf3f3ef87e3c35812afe701cf38b624dedfe954335e68eec5a7b5a6386315bb344d303b9

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
1.9MB

MD5
bd9b9e8e5215c4059f69f063185af77e

SHA1
956e027acd6cfb58b9fba3eee5122415e9ebe563

SHA256
017387c054f29872838698193125c2905036215d3da91077d0c2d5864e5b97c6

SHA512
65e21bb88502d328af7e337253a8555e9c6ce0bfa60c395111b507504c9e7bf55c3dec52573f8736a7123d7fad60985035c5acef1978ec05f248079691cca730

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
1.9MB

MD5
9a0f2765070fa72de7973888d21f51b8

SHA1
278b6c5c4d8be915893343659bccbcb0bc622422

SHA256
1c8a6460041f66a20c1f288d60750f5d879768a3e582f89850d312748a463c18

SHA512
87f8d1823d5552d37879f1150d5d7f6aac45c559cc10a5c5f84a697fc59bf45b1f05f84c02eb37206e56f1879560e1acd7117870b5035a8a31ddb4d166ffdc39

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
1.9MB

MD5
2942d295bff40c1dd688fa9d828a6641

SHA1
cbb465c9f892722caf1d241a1a65de3a309c3071

SHA256
4a50dca7fd3ea9c14d08e27aedf4356357d96160b566b66692d94afe36976344

SHA512
c84f4bf68ac2fafb9ec824575ba4cc70a5af1ab9a65a669e2c960304d5c81d8232d45c1b936da888a31d4b6d2fdb75c07177d51a824405e9031ba2c2b6f679eb

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
1.9MB

MD5
33fdedf88875fe4e45f25b619d67878c

SHA1
b0d84f4cc17a076dfe3a76c9580a182d246bec3d

SHA256
58cb3ae4dafefab0542a0258700f19d45ddfab18fa0000e3ca52761a32b08259

SHA512
40a5c4dffca18ddd77ae28d6a54c339b1eedeb46cf4824560e47bd8ba5701e57829664d3750e714d53e2c5a90046b2984ad6ff65761881f24538ddc0c069f2dd

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
1.9MB

MD5
c4a08623111ad76345b2966b80910a77

SHA1
13209aa1bdcde1d9e2bd9bb9fcd1aa5ff9ce4590

SHA256
1b7b6804685ba866463cd5e64076b5230997e37fd9cb0491417a9094baf9983d

SHA512
9ea0d4059f35cac3105b0e05085c7c6096b05d13a14a2f43cbed0c164147cdd5b32b14dbe2312d980e1c2a6be4731201ca1bb5b810cba4181bdf1ffeae0f2554

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1.9MB

MD5
b3e6bb182af5f05e98a93e22e677bbb0

SHA1
befa59c808df53b1dbabec3108d9defb3e85991a

SHA256
cba52855d709aac021847eceedc9fc992d586cff718b0f1623ed422af7113e44

SHA512
950e6598ffb9ce5e234e406b3a0969d0aa66ca3e663e203d95ade0eb1faa926b41b945b73952f3477b53a4b7e224cf234593dd8765042df517fc18c3bcc9a1bf

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
1.9MB

MD5
6f0427d326226382d4c3aa051811b29e

SHA1
0be539bed64e42d2033077cb2f3734793fe07dcb

SHA256
458bb6b3baf3fd297ecb097e0bdf7c6329952df5ab93481ee748b24a4bc317a2

SHA512
47846dacf733f9d60513d144a0dc46c939bf415f0da8505247af2ea4ae5bafcfddf13165168ff5c1d8020a6fcd41bee89159c4965ee3692bba9cd916b7220a89

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
1.9MB

MD5
9cd8bddd8f6b82a91528e1a40cf2b924

SHA1
537f351eb0ee4540dfd79c911cc95d8b9b4800f3

SHA256
413e09713e1a6bd5d2698794de30b19e6e15cf6c97829d3685ebd95c94384c6e

SHA512
aabe217dd56f74380bde94d76ca931fa43057749088006eb44f76f26aa5cafe68b9733df0024997262759b4a99403b551d4bba6a75dd248f0776f38f4acd4ff7

Download Submit
memory/2120-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3540-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4480-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads