c3379086a35ce0766f8379da7f196574798989be5c7225fe4a39d879cb883b47

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
Size

161KB
MD5

d6e5223507fbbe7771bb4e2c7760d3d0
SHA1

25a9b18677345f24bbead1d90ebde31e524787d2
SHA256

c3379086a35ce0766f8379da7f196574798989be5c7225fe4a39d879cb883b47
SHA512

aaeaf23d97a38f0ef2157722f3818854a0651b79a392814b3f9d8ecda243e91561080411214f59a0670e2af58499cb307d617e0f6b9a5ca60101f47d718cea71
SSDEEP

3072:R+E67V06MD428AAFfiegxqqqqjCotHkDVwtCJXeex7rrIRZK8K8/kv:ROO84tHkDVwtmeetrIyR

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe

Malware Dropper & Backdoor - Berbew 16 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/files/0x000c000000015a2d-15.dat	family_berbew
behavioral1/files/0x0009000000015c7c-29.dat	family_berbew
behavioral1/files/0x0007000000015d88-38.dat	family_berbew
behavioral1/files/0x00080000000167db-51.dat	family_berbew
behavioral1/files/0x0006000000018ae8-61.dat	family_berbew
behavioral1/files/0x0006000000018b33-75.dat	family_berbew
behavioral1/files/0x0006000000018b6a-104.dat	family_berbew
behavioral1/files/0x0006000000018b96-121.dat	family_berbew
behavioral1/files/0x0006000000018d06-132.dat	family_berbew
behavioral1/files/0x00050000000192f4-156.dat	family_berbew
behavioral1/files/0x0011000000015c52-164.dat	family_berbew
behavioral1/files/0x00050000000192f4-146.dat	family_berbew
behavioral1/files/0x0011000000015c52-174.dat	family_berbew
behavioral1/files/0x0006000000018b96-118.dat	family_berbew
behavioral1/files/0x0006000000018b42-99.dat	family_berbew
behavioral1/files/0x0006000000018b42-96.dat	family_berbew

Executes dropped EXE 12 IoCs

pid	Process
2200	Aigchgkh.exe
2544	Afkdakjb.exe
2524	Apdhjq32.exe
2600	Bilmcf32.exe
2588	Bbdallnd.exe
2444	Bphbeplm.exe
2384	Blobjaba.exe
436	Balkchpi.exe
2656	Blaopqpo.exe
2768	Bobhal32.exe
2012	Cpceidcn.exe
2228	Cacacg32.exe

Loads dropped DLL 28 IoCs

pid	Process
2208	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
2208	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
2200	Aigchgkh.exe
2200	Aigchgkh.exe
2544	Afkdakjb.exe
2544	Afkdakjb.exe
2524	Apdhjq32.exe
2524	Apdhjq32.exe
2600	Bilmcf32.exe
2600	Bilmcf32.exe
2588	Bbdallnd.exe
2588	Bbdallnd.exe
2444	Bphbeplm.exe
2444	Bphbeplm.exe
2384	Blobjaba.exe
2384	Blobjaba.exe
436	Balkchpi.exe
436	Balkchpi.exe
2656	Blaopqpo.exe
2656	Blaopqpo.exe
2768	Bobhal32.exe
2768	Bobhal32.exe
2012	Cpceidcn.exe
2012	Cpceidcn.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe
1844	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Imklkg32.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Momeefin.dll	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Balkchpi.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bilmcf32.exe

Program crash 1 IoCs

pid	pid_target	Process
1844	2228	WerFault.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll"	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cpceidcn.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2200	2208	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe	28
PID 2208 wrote to memory of 2200	2208	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe	28
PID 2208 wrote to memory of 2200	2208	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe	28
PID 2208 wrote to memory of 2200	2208	d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe	28
PID 2200 wrote to memory of 2544	2200	Aigchgkh.exe	29
PID 2200 wrote to memory of 2544	2200	Aigchgkh.exe	29
PID 2200 wrote to memory of 2544	2200	Aigchgkh.exe	29
PID 2200 wrote to memory of 2544	2200	Aigchgkh.exe	29
PID 2544 wrote to memory of 2524	2544	Afkdakjb.exe	30
PID 2544 wrote to memory of 2524	2544	Afkdakjb.exe	30
PID 2544 wrote to memory of 2524	2544	Afkdakjb.exe	30
PID 2544 wrote to memory of 2524	2544	Afkdakjb.exe	30
PID 2524 wrote to memory of 2600	2524	Apdhjq32.exe	31
PID 2524 wrote to memory of 2600	2524	Apdhjq32.exe	31
PID 2524 wrote to memory of 2600	2524	Apdhjq32.exe	31
PID 2524 wrote to memory of 2600	2524	Apdhjq32.exe	31
PID 2600 wrote to memory of 2588	2600	Bilmcf32.exe	32
PID 2600 wrote to memory of 2588	2600	Bilmcf32.exe	32
PID 2600 wrote to memory of 2588	2600	Bilmcf32.exe	32
PID 2600 wrote to memory of 2588	2600	Bilmcf32.exe	32
PID 2588 wrote to memory of 2444	2588	Bbdallnd.exe	33
PID 2588 wrote to memory of 2444	2588	Bbdallnd.exe	33
PID 2588 wrote to memory of 2444	2588	Bbdallnd.exe	33
PID 2588 wrote to memory of 2444	2588	Bbdallnd.exe	33
PID 2444 wrote to memory of 2384	2444	Bphbeplm.exe	34
PID 2444 wrote to memory of 2384	2444	Bphbeplm.exe	34
PID 2444 wrote to memory of 2384	2444	Bphbeplm.exe	34
PID 2444 wrote to memory of 2384	2444	Bphbeplm.exe	34
PID 2384 wrote to memory of 436	2384	Blobjaba.exe	35
PID 2384 wrote to memory of 436	2384	Blobjaba.exe	35
PID 2384 wrote to memory of 436	2384	Blobjaba.exe	35
PID 2384 wrote to memory of 436	2384	Blobjaba.exe	35
PID 436 wrote to memory of 2656	436	Balkchpi.exe	36
PID 436 wrote to memory of 2656	436	Balkchpi.exe	36
PID 436 wrote to memory of 2656	436	Balkchpi.exe	36
PID 436 wrote to memory of 2656	436	Balkchpi.exe	36
PID 2656 wrote to memory of 2768	2656	Blaopqpo.exe	37
PID 2656 wrote to memory of 2768	2656	Blaopqpo.exe	37
PID 2656 wrote to memory of 2768	2656	Blaopqpo.exe	37
PID 2656 wrote to memory of 2768	2656	Blaopqpo.exe	37
PID 2768 wrote to memory of 2012	2768	Bobhal32.exe	38
PID 2768 wrote to memory of 2012	2768	Bobhal32.exe	38
PID 2768 wrote to memory of 2012	2768	Bobhal32.exe	38
PID 2768 wrote to memory of 2012	2768	Bobhal32.exe	38
PID 2012 wrote to memory of 2228	2012	Cpceidcn.exe	39
PID 2012 wrote to memory of 2228	2012	Cpceidcn.exe	39
PID 2012 wrote to memory of 2228	2012	Cpceidcn.exe	39
PID 2012 wrote to memory of 2228	2012	Cpceidcn.exe	39
PID 2228 wrote to memory of 1844	2228	Cacacg32.exe	40
PID 2228 wrote to memory of 1844	2228	Cacacg32.exe	40
PID 2228 wrote to memory of 1844	2228	Cacacg32.exe	40
PID 2228 wrote to memory of 1844	2228	Cacacg32.exe	40

C:\Users\Admin\AppData\Local\Temp\d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\d6e5223507fbbe7771bb4e2c7760d3d0_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\Aigchgkh.exe
  C:\Windows\system32\Aigchgkh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\Afkdakjb.exe
    C:\Windows\system32\Afkdakjb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\Apdhjq32.exe
      C:\Windows\system32\Apdhjq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
161KB

MD5
1ad447c1321e2b6d23bab890a505e8e5

SHA1
8d3559532464376d64b0cf3c972b8639b67d6f33

SHA256
aec96b5bd0ed1144d4577428f1a948575b35f08e7f840f735008c385125136d5

SHA512
1e7dd9cd1edf82b160967586df294bcc7781cd4c55fad7955f5a7a247d66884e923c0af9eeeadd65ad5caccdd712ce822e8958df6fe3379a61b85fdc3cfba44b

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
161KB

MD5
03d374c2674c2d9b3757f72bc4f3fb18

SHA1
6a299f76d1d6a88e8a969e113eb2feae2902ad35

SHA256
ad0db9141a34566e36a3e969fdb3746230696d946cec0b6413797a302b0fb6b0

SHA512
5436246c74fb0acdde261c3d4a3217be4f063a7617767353cbd118884ae514a443735a89f959db192988ecfa4773ea5fd674fd740699cb13fa347c52b515fbc6

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
161KB

MD5
5cebd0328d92d3dbc3c6b55da5261b4c

SHA1
d2f5c58d7b2a71519438aa9777654b6feb02db0d

SHA256
894a469d1d8fdf964fa627161d90f91eb4ccdc1401d7246984c01f1b256f7da7

SHA512
ea446a8ce82d4f6ff28b70b21b3431c4ccb0aa31f78dd4b85e6009cb1523690ccdf0c8e8c5db475a3f7499c59f2c1008e87923923fb997ae310654cea6af5b06

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
161KB

MD5
96546442cc363715e3c7a673da86baed

SHA1
196f34348b743b50bba097c25fc9c08caec9b9d2

SHA256
07bac929b31e5a9b1267a6ca3a1e7d4152590a2b7ecb16a079734971f6dd646c

SHA512
1a542a69003d95986380e96c36cb35e6e9b458b947fe5fe018b98a79e06538cfd171da10b79a9b05513fbddd3ef142ac5cad5c80cee96628dfc53f339d96e67f

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
128KB

MD5
3ce6b4f65dcb977b62d4c179216b49ec

SHA1
cd2cfeedd1faaf81fe9e0cb0411b3cb607999a7c

SHA256
c79b3750f24fbc8c52e3d01ff43cf68235f9a3271d0999a0f3d62f009e64d56f

SHA512
da092b7c688f8e11f8bd2f51402b42aca4025e2b7d459a714e14225dda8d3e7218492f076af56717af2f8e6495af890b9251d835fd5866c259d5063def50521d

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
161KB

MD5
3349e02804f93666c6474551aa0215e7

SHA1
b18c3622cb248670b54d80d822eed0a946eb6c19

SHA256
0de50283b82f6684ca63e3ec1617440abf1a5d341aae3dc28fe4981553b61e56

SHA512
d26be7455fcbc291db137b4b96c0e4d598d0a6f86f24bfc23ebafcb7f339c71d9ee4c3f035186a3473cffa376c59e10b593c19d100c50e8fce7af1ed95a34312

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
128KB

MD5
2d0d8fd2e2678133a0e9bf17615505ca

SHA1
75cf3578f88ca2b9c12b9356a06398068ecb8aee

SHA256
94ea62e1b040a1f5a6ffbc2aadfa511ee8ca22ebe74156da3eb7205037228b49

SHA512
2b2ccdcb0f1ca1791210e9cb89f3acb09ca4414480050a0da114e14802ac1aadbf5b12e305933de0d559bf8070ccf8816fae673efbe7c1f94b0abfa91c504ee8

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
128KB

MD5
151687822b62b355e963730c68533d95

SHA1
dac0a42a3a829b0e85d9e669e5e3d2ba498a2bc4

SHA256
190dc709fbd6fd2d4edcb94c54849e13211617eca112f08f4054d2728accce8d

SHA512
c1d18e878eb1a555c9ea2719b5e1a1df77d9326c2dd8d1249d03dc1f886214318dc4deb90c764f15a29eafa36e1d4a035766cdf877e19c78e27f52042267e699

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
128KB

MD5
b114ecfa9b6ba58ae289dd3159cd6d22

SHA1
d77b5dc1b25e99c97a7b2018be028ba0cb35996d

SHA256
d2a85aa024b63984d34a9317c0c8a512a49f0e9343cf921ada9f7ae0dff5c42b

SHA512
e5667d2ba3067c44be76b8abc59527da9853100618964a1dfae51c5c67c58003f2bdc4d04ef7622cd14a23314a61b08c436bafd1310ca035e33a44796a05ffe5

Download Submit
C:\Windows\SysWOW64\Momeefin.dll

Filesize
7KB

MD5
1b89bc780eeafbc81f1dd8b4db5d7cb7

SHA1
41e4457b3f1dcd45be4aef8c8437f438af1d7eaf

SHA256
17f54b704a329ac88edee0d335ae31c5cda4c06d2e62899843ab8f82e70b224c

SHA512
ec1df03d0af974eecd2785ad5f36a7b0450455fccb161f0b1af63700a2781aa83ab1e57f5f30d370face5a4788876fe8798d81b1be5536968354efa17744eb82

Download Submit
\Windows\SysWOW64\Balkchpi.exe

Filesize
128KB

MD5
cf0afaaca894fe5e8be6e929efffa7dc

SHA1
2dae757f73b1833fdc402ea995460d1ea09fad7d

SHA256
2dd75ff98c2b318c806ab2e703fd636bae3acaf9a04fc036f6c7f9a28e895c0c

SHA512
13ab242307df2d583ca29299a8e23d1a5fe8a0ed791d731d75434f2e1822a80d1f105c9e7cf0f5e071ea201d816ddbe993a9b5aaca84b44188c4fedf6b518374

Download Submit
\Windows\SysWOW64\Bbdallnd.exe

Filesize
161KB

MD5
ea75ecc65705af63236422574f5546bc

SHA1
56cb6e8da9c55886dd00e10a2a3320cc0ff7c2bc

SHA256
f090ad800562326e911c0e36c59ab949185d0329856a7947e7bb2880046ca4b2

SHA512
8cfd57d27ad3b30eed9395aa20da5e58cb3624b67fee57bf180b04f1c320e9ac6d75f6c8f9900fe0dc53ac272913b5e3eeb2ecad1e8be77578c6e99a5338e23f

Download Submit
\Windows\SysWOW64\Blaopqpo.exe

Filesize
161KB

MD5
9038e7878213b5843d16760340d001b9

SHA1
1b0eacb5845cc4a47f1d1f50540b37dc84f6e835

SHA256
60ac9b5b38761fd88ee01e20032d40b2b0923cd4884bb77bcfec197d24101d31

SHA512
ca7cace78d9f61351a03a79a115617c6342e7b601d9d1cd0a5af16d8a4f2c13ce7d423eefa0dac11753d4349a605a52800b25a79cac09bec1d22dacf13d56f9f

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
128KB

MD5
a61af0644ddc99d9afe714c10ae32587

SHA1
65f862ac91bc34ecafc2f2fe14cc8496ef8111df

SHA256
5f94fb38d5fb95947bbb18ce97745ca7868cd426067b39c1393d585cd8aa665e

SHA512
7ff4c5319ae2ba1b6fcd5cf8ec84a1614a3b6c4e67534fda7faa1348b55ac5bd6c75920c5de64d9b7aee8ca0981278b2378561384395b443ebc67a3cac8b99e7

Download Submit
\Windows\SysWOW64\Bphbeplm.exe

Filesize
161KB

MD5
56030875ce422fb1d0af84754f1f3c7c

SHA1
dc28212c9ede19ad5a833d907d799b4b7ea0bd00

SHA256
b008a0b32ad59df08b4e31bf491617534cc971cf7b859f5c59cadceab6f1f61c

SHA512
e2be364c04c9f094e2510fd2de36017df45f5859aa2edfde9c7ba98bd76b22664805007f0dd19e0bd3802868052053390dc47dc483320388a2ff1ece1fd3fdc4

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
161KB

MD5
c1340bf4cb67dd87d0a05943b082d8f9

SHA1
d24005985e67b7e2a2b89a0eff8cd2f8ab7704fc

SHA256
600b4d6c5d12ab7dea46ac679465c32967aa54e81e2a1424d6f7f5fb12d92404

SHA512
da01f31358efabaa66885586fc41686a98c6fe2a048bcea938a25423ab5d43b3267544f08d8ae63444c8fe9743c0ff5a8a0bcaebc1ba12835e3d1731e0c1b045

Download Submit
\Windows\SysWOW64\Cpceidcn.exe

Filesize
161KB

MD5
a6213bfb3e70992b34cb5661a1d1bd8a

SHA1
8ef6f1a1c4a91fc296db677499b3d87ad45ca590

SHA256
7913e001deec9975f1df9d511e1b7788c4b64f2567c63dadde5d760c1e9591a9

SHA512
82ba8356edb58d18253eaa3e841a0244fadabb7810794f43b7704b9e63b1f0e99aee151251cc629288e79b427788ced43fed22cc9e7129962900bf9b4f74ac3d

Download Submit
memory/436-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/436-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2012-168-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2012-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2012-155-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-83-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-22-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2208-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2208-13-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2208-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2208-6-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2228-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2228-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2384-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2384-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2444-84-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2444-154-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2524-49-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/2544-36-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2544-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2544-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-81-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2588-69-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2600-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2600-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-140-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/2656-176-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2656-178-0x00000000002B0000-0x00000000002EF000-memory.dmp

Filesize
252KB

Download
memory/2656-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2768-177-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2768-148-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads