e388e42de8822099a857f55d8cf8e31b499e339bb648ab98888b0897974e5182

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 10:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
Size

92KB
MD5

60b96942db46754fd8607f7a4af6ad20
SHA1

95241dfac89287fd7e92f4adb47c206b130c16d5
SHA256

e388e42de8822099a857f55d8cf8e31b499e339bb648ab98888b0897974e5182
SHA512

8a23259e146bc935ac2669452c646a9ee9da6963f14e867f14f8f6eda7a3c56e30b4fdcd0ab9adaab6a0f02324f21504711c608e985fbe81cca47805d4fb51c6
SSDEEP

1536:otKoBuu518Niep+QD0UsijXq+66DFUABABOVLefE3:gKeUeFij6+JB8M3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nicjhchb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigdcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obphlhkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noopjmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigdcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkoai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niegnc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noopjmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjdopkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqlbgfhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nicjhchb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkagdoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqlbgfhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkagdoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niegnc32.exe

Executes dropped EXE 14 IoCs

pid	Process
2952	Nqlbgfhp.exe
1584	Nicjhchb.exe
3220	Nkagdoge.exe
2512	Nbkoai32.exe
884	Nqnomfem.exe
2912	Niegnc32.exe
4372	Noopjmnl.exe
3144	Nbnlfimp.exe
1568	Nigdcc32.exe
1652	Ngjdopkg.exe
4928	Noalpmli.exe
2908	Obphlhkm.exe
2884	Oendhdjq.exe
4552	Ogmado32.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nbnlfimp.exe	Noopjmnl.exe
File created	C:\Windows\SysWOW64\Obphlhkm.exe	Noalpmli.exe
File created	C:\Windows\SysWOW64\Oendhdjq.exe	Obphlhkm.exe
File opened for modification	C:\Windows\SysWOW64\Nicjhchb.exe	Nqlbgfhp.exe
File opened for modification	C:\Windows\SysWOW64\Nbkoai32.exe	Nkagdoge.exe
File created	C:\Windows\SysWOW64\Kpiecl32.dll	Niegnc32.exe
File created	C:\Windows\SysWOW64\Nbnlfimp.exe	Noopjmnl.exe
File opened for modification	C:\Windows\SysWOW64\Obphlhkm.exe	Noalpmli.exe
File created	C:\Windows\SysWOW64\Bpghfp32.dll	Noalpmli.exe
File opened for modification	C:\Windows\SysWOW64\Oendhdjq.exe	Obphlhkm.exe
File created	C:\Windows\SysWOW64\Pmkcjf32.dll	Obphlhkm.exe
File created	C:\Windows\SysWOW64\Cmhdhd32.dll	Nqlbgfhp.exe
File created	C:\Windows\SysWOW64\Nbkoai32.exe	Nkagdoge.exe
File opened for modification	C:\Windows\SysWOW64\Nqnomfem.exe	Nbkoai32.exe
File created	C:\Windows\SysWOW64\Gfmifaji.dll	Nqnomfem.exe
File created	C:\Windows\SysWOW64\Ogmado32.exe	Oendhdjq.exe
File opened for modification	C:\Windows\SysWOW64\Nqlbgfhp.exe	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
File created	C:\Windows\SysWOW64\Fbepgcne.dll	Nicjhchb.exe
File created	C:\Windows\SysWOW64\Nqnomfem.exe	Nbkoai32.exe
File created	C:\Windows\SysWOW64\Jmfijb32.dll	Ngjdopkg.exe
File created	C:\Windows\SysWOW64\Eecngcdn.dll	Nkagdoge.exe
File opened for modification	C:\Windows\SysWOW64\Nigdcc32.exe	Nbnlfimp.exe
File opened for modification	C:\Windows\SysWOW64\Ngjdopkg.exe	Nigdcc32.exe
File created	C:\Windows\SysWOW64\Minigl32.dll	Nigdcc32.exe
File created	C:\Windows\SysWOW64\Noalpmli.exe	Ngjdopkg.exe
File created	C:\Windows\SysWOW64\Daifcmfa.dll	Oendhdjq.exe
File created	C:\Windows\SysWOW64\Nicjhchb.exe	Nqlbgfhp.exe
File opened for modification	C:\Windows\SysWOW64\Nkagdoge.exe	Nicjhchb.exe
File created	C:\Windows\SysWOW64\Gopebnpd.dll	Nbkoai32.exe
File opened for modification	C:\Windows\SysWOW64\Noopjmnl.exe	Niegnc32.exe
File created	C:\Windows\SysWOW64\Noopjmnl.exe	Niegnc32.exe
File created	C:\Windows\SysWOW64\Nigdcc32.exe	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Ngjdopkg.exe	Nigdcc32.exe
File opened for modification	C:\Windows\SysWOW64\Noalpmli.exe	Ngjdopkg.exe
File created	C:\Windows\SysWOW64\Hbfqcq32.dll	Noopjmnl.exe
File created	C:\Windows\SysWOW64\Nqlbgfhp.exe	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
File created	C:\Windows\SysWOW64\Lbjljm32.dll	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
File created	C:\Windows\SysWOW64\Niegnc32.exe	Nqnomfem.exe
File opened for modification	C:\Windows\SysWOW64\Niegnc32.exe	Nqnomfem.exe
File created	C:\Windows\SysWOW64\Nkagdoge.exe	Nicjhchb.exe
File created	C:\Windows\SysWOW64\Hqmbcjhk.dll	Nbnlfimp.exe
File opened for modification	C:\Windows\SysWOW64\Ogmado32.exe	Oendhdjq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1172	4552	WerFault.exe	96

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nicjhchb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noalpmli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqlbgfhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nicjhchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gopebnpd.dll"	Nbkoai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpiecl32.dll"	Niegnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niegnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmbcjhk.dll"	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minigl32.dll"	Nigdcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhdhd32.dll"	Nqlbgfhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqlbgfhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nigdcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfijb32.dll"	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkoai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noopjmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmkcjf32.dll"	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbepgcne.dll"	Nicjhchb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkagdoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkoai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niegnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpghfp32.dll"	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjljm32.dll"	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecngcdn.dll"	Nkagdoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifcmfa.dll"	Oendhdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfqcq32.dll"	Noopjmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigdcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obphlhkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmifaji.dll"	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkagdoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noopjmnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 2952	396	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe	82
PID 396 wrote to memory of 2952	396	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe	82
PID 396 wrote to memory of 2952	396	60b96942db46754fd8607f7a4af6ad20_NEIKI.exe	82
PID 2952 wrote to memory of 1584	2952	Nqlbgfhp.exe	83
PID 2952 wrote to memory of 1584	2952	Nqlbgfhp.exe	83
PID 2952 wrote to memory of 1584	2952	Nqlbgfhp.exe	83
PID 1584 wrote to memory of 3220	1584	Nicjhchb.exe	84
PID 1584 wrote to memory of 3220	1584	Nicjhchb.exe	84
PID 1584 wrote to memory of 3220	1584	Nicjhchb.exe	84
PID 3220 wrote to memory of 2512	3220	Nkagdoge.exe	85
PID 3220 wrote to memory of 2512	3220	Nkagdoge.exe	85
PID 3220 wrote to memory of 2512	3220	Nkagdoge.exe	85
PID 2512 wrote to memory of 884	2512	Nbkoai32.exe	86
PID 2512 wrote to memory of 884	2512	Nbkoai32.exe	86
PID 2512 wrote to memory of 884	2512	Nbkoai32.exe	86
PID 884 wrote to memory of 2912	884	Nqnomfem.exe	87
PID 884 wrote to memory of 2912	884	Nqnomfem.exe	87
PID 884 wrote to memory of 2912	884	Nqnomfem.exe	87
PID 2912 wrote to memory of 4372	2912	Niegnc32.exe	88
PID 2912 wrote to memory of 4372	2912	Niegnc32.exe	88
PID 2912 wrote to memory of 4372	2912	Niegnc32.exe	88
PID 4372 wrote to memory of 3144	4372	Noopjmnl.exe	89
PID 4372 wrote to memory of 3144	4372	Noopjmnl.exe	89
PID 4372 wrote to memory of 3144	4372	Noopjmnl.exe	89
PID 3144 wrote to memory of 1568	3144	Nbnlfimp.exe	90
PID 3144 wrote to memory of 1568	3144	Nbnlfimp.exe	90
PID 3144 wrote to memory of 1568	3144	Nbnlfimp.exe	90
PID 1568 wrote to memory of 1652	1568	Nigdcc32.exe	91
PID 1568 wrote to memory of 1652	1568	Nigdcc32.exe	91
PID 1568 wrote to memory of 1652	1568	Nigdcc32.exe	91
PID 1652 wrote to memory of 4928	1652	Ngjdopkg.exe	93
PID 1652 wrote to memory of 4928	1652	Ngjdopkg.exe	93
PID 1652 wrote to memory of 4928	1652	Ngjdopkg.exe	93
PID 4928 wrote to memory of 2908	4928	Noalpmli.exe	94
PID 4928 wrote to memory of 2908	4928	Noalpmli.exe	94
PID 4928 wrote to memory of 2908	4928	Noalpmli.exe	94
PID 2908 wrote to memory of 2884	2908	Obphlhkm.exe	95
PID 2908 wrote to memory of 2884	2908	Obphlhkm.exe	95
PID 2908 wrote to memory of 2884	2908	Obphlhkm.exe	95
PID 2884 wrote to memory of 4552	2884	Oendhdjq.exe	96
PID 2884 wrote to memory of 4552	2884	Oendhdjq.exe	96
PID 2884 wrote to memory of 4552	2884	Oendhdjq.exe	96

C:\Users\Admin\AppData\Local\Temp\60b96942db46754fd8607f7a4af6ad20_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\60b96942db46754fd8607f7a4af6ad20_NEIKI.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\Nqlbgfhp.exe
  C:\Windows\system32\Nqlbgfhp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\Nicjhchb.exe
    C:\Windows\system32\Nicjhchb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\Nkagdoge.exe
      C:\Windows\system32\Nkagdoge.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3220
    - - C:\Windows\SysWOW64\Nbkoai32.exe
        
        C:\Windows\system32\Nbkoai32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Windows\SysWOW64\Nqnomfem.exe
        
        C:\Windows\system32\Nqnomfem.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Niegnc32.exe
        
        C:\Windows\system32\Niegnc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Noopjmnl.exe
        
        C:\Windows\system32\Noopjmnl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Nbnlfimp.exe
        
        C:\Windows\system32\Nbnlfimp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Nigdcc32.exe
        
        C:\Windows\system32\Nigdcc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Ngjdopkg.exe
        
        C:\Windows\system32\Ngjdopkg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Noalpmli.exe
        
        C:\Windows\system32\Noalpmli.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Obphlhkm.exe
        
        C:\Windows\system32\Obphlhkm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Oendhdjq.exe
        
        C:\Windows\system32\Oendhdjq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ogmado32.exe
        
        C:\Windows\system32\Ogmado32.exe
        15⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 408
        16⤵
        Program crash
        
        PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4552 -ip 4552
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbkoai32.exe

Filesize
92KB

MD5
cea2867f0b6088b3f781085597ea9ae4

SHA1
e3654f8a7afa37ec45ad68bdc696756015ab8aeb

SHA256
3e0ef0cbe68905c7a028232cbb164ddd108310bc434b9dcec0ba4f64f334c7cc

SHA512
d8f0ce62f2027d9110b567635aeebe799a9785e5bbf6802b8fa2bf4655a0aa455552b4cf7f723761c77294f4770900629b75d6af5a2133ff8f20cb80b56a5c9f

Download Submit
C:\Windows\SysWOW64\Nbnlfimp.exe

Filesize
92KB

MD5
f9adc4adfb1006c71c448639186b9d63

SHA1
9441fb8c123f19ef4c7b92117a2a8dd74a78ab7c

SHA256
a7bfec02dcc8257865e31cbfb899415bc5e59023090deeb4c1583be6d60c24eb

SHA512
e5bf32b50bee6e67531c7c3b2634a04afdd68cebe6d29eb04526bd6a3e47a73a4f4888f969645dad6d8fe0012882bf69f06dc7b36d25df36ac3b7f36ad7dce4d

Download Submit
C:\Windows\SysWOW64\Ngjdopkg.exe

Filesize
92KB

MD5
55128146a094891df494c0a661b575f2

SHA1
597fb0bafd52313b9b5aad3a3d9e01ffedcbc3f1

SHA256
0d68b952189f0e8ea4cacaf4dafe25c28d6385b2237ac6984a411d29a3e78b3e

SHA512
3b0f7561fc81e1f453021970377bff18da7a825a54e0a71f6921a7701bd81043bd55a0869ec1fba7078e3032fa1a7aeff611395d08bc03ca25536c2d93dcbaa4

Download Submit
C:\Windows\SysWOW64\Nicjhchb.exe

Filesize
92KB

MD5
7088cd78b12a2a6b37542789be35fa10

SHA1
32d39e8f4f6ea533ef5d0b3f98f1b2ca307584ea

SHA256
a9817e6d2245305c996d00caa4950e19810f6c9bb8eb478778951f64e605a629

SHA512
a511aefec811a6ae679d8fc9ee40ced7dacf1314d848dec00ace7d26f3049ccca5c67402f463d85317a448aec488fedd6e31add0fb90bab3a346a0ed9c271354

Download Submit
C:\Windows\SysWOW64\Niegnc32.exe

Filesize
92KB

MD5
898026ededf185a671a480f9adb15556

SHA1
a9b32d027c9ae651acde67ed82d224ac72c6159a

SHA256
0bb2bca3bed49d2bb6f9309c493045c368c0ae0ab3bec90f7efce3465e1881e2

SHA512
b0adc853574d0038eb4e7d3f31d710375855da8a4eee38cd61ca3e1843009fa50decd541d4839bbed48d9ca66185064555930d28f73d5d839b2fd5fa97a2f915

Download Submit
C:\Windows\SysWOW64\Nigdcc32.exe

Filesize
92KB

MD5
ae8eb74e868206c04ce077488d114536

SHA1
3a552c391fcab34cefd772fbab78d9f808089eef

SHA256
8411cc9f305e0d6b8ff70a0a6b44821cf221904753fd1fb7477d74560adae2ea

SHA512
58ac13b658150533080bc063192ad6cbbcc6a3ad0b2658538fc7cff8590580dfb5f945331a75e4c76e5ab2d1ead21531a7711e71c241f58a27ca34c41ecdd2cd

Download Submit
C:\Windows\SysWOW64\Nkagdoge.exe

Filesize
92KB

MD5
d479c064c9b378c535057b34f2a3090e

SHA1
c8c623edc532c22ed8dc84620d05ae9d3d4c2706

SHA256
6db304b074619e1c87bdff7b63a7c5141bc548111a3461f7d40f1319c222f3d1

SHA512
f04bc217af9b167cffb34d3b32fe633c04f354e86fab175ee2d2539815607258f1054014e5f7676bdfce16fdaed116524e619202c06584eb30309a2c57588611

Download Submit
C:\Windows\SysWOW64\Noalpmli.exe

Filesize
92KB

MD5
17eb4de932decccd81ba3c38b2431a78

SHA1
9bc2d545719c4139e37c963124623d23f726bef8

SHA256
7fab86a76a901f673c56080e9719d5921e8f04d9c33602f464f7ef1b337bc073

SHA512
ca2ba7778200883d73f46b910b075bdf9b7e26a2c7fdb833d1024352bdfaaa91356b8f66b2f30e9c25ae5bac8dd522c88e694ef6719a8f089f5336501cc02f78

Download Submit
C:\Windows\SysWOW64\Noopjmnl.exe

Filesize
92KB

MD5
1477a416952fd6147cbe351609548094

SHA1
1925943d267cf8c2417cf200e607f1eeb4adf196

SHA256
1a27c2b11360351b47589363fcdcd1f472f796e61862a8a2e19319201ed528b9

SHA512
5044ac279c47c14169ed3695d5adf5aa7cc9910b436f101eba97121fabbaa46e2749b14950219154b683086dcadfa28841ab0932ae32c0a535c2094a40cb966c

Download Submit
C:\Windows\SysWOW64\Nqlbgfhp.exe

Filesize
92KB

MD5
91c0d1765da0f827a18ed72ce8d24437

SHA1
729df1c02bd0fd4e0e47a397a34b493b3daa1022

SHA256
4aeafae2de5cd3c0d3a6cbe49830b70fd2c77537319c40443b5cf2786a163573

SHA512
88d1066c43c63009b0acce139d3bdc0a8ba7d75a0bb16129722638f35f26530e535a781c97e4e6bd796c0cdeb4e2d4e6d79f083d367cc050b72148fd82a5f747

Download Submit
C:\Windows\SysWOW64\Nqnomfem.exe

Filesize
92KB

MD5
d3561f5f3940d2f59466104a12f71934

SHA1
66a3b8124c27f255b08e246b6ca7a7f1db74b921

SHA256
2def173c6d9e7d6c680aee0af4ab0c06bc03eb6ed975ae94b0b84858b4259399

SHA512
683be56127b3603d76e5dd1b7ac2fe9c2025f2b4a0d44af826c76d0a5b87ec0d0774a99b600a884b94a3aa3fce29dcc4ccbd7b73c7a4fa68d1760eb928a5fc8a

Download Submit
C:\Windows\SysWOW64\Obphlhkm.exe

Filesize
92KB

MD5
57373f4b2736f17d305ae506ed0980aa

SHA1
221faf03ed4714ce1e91319ab02f2288be138e8d

SHA256
323eec606c9a777994d780fc7ba9b8ab89f1f398a7b8c97099b10b8139693b5a

SHA512
b5b7f313e020b44438cf966904d4995c6fcc84d9a26d9a4e20682f7613822f264489dd6ed3a10a0aabcfa5d26cbfea6d8204ca5bc2207fba86e5020f6543d4b0

Download Submit
C:\Windows\SysWOW64\Oendhdjq.exe

Filesize
92KB

MD5
9f64172b13fcc824f57daf8f3303f512

SHA1
506dcb6f01c27aa5d45ab5803fef0624c4ff08a5

SHA256
8797f3275f90b4fd284e5f66e370b06c61e193ab5b3cd559223b15701fc9805b

SHA512
a7382aa85d68a60394f2ca4175b1575bd7f24953e3a30099230d75940fa89f21bb40fbbb14b026d1ae0d552380394d2ac9397bcb2da04a1b469f61b57081cfbf

Download Submit
C:\Windows\SysWOW64\Ogmado32.exe

Filesize
92KB

MD5
d49bcd2fab01fa6871a6eded1030b78e

SHA1
af277195e4581772dff3f4d9c4a811ea148c56c7

SHA256
64b226071ed240efc7b5cdb5ebdafd470821a7e9c3fab85d14c64e20a8e22035

SHA512
111189684d919a7967424f578f9abe82682c174f5bfc43c3738077749098ab589cc846b68b20db4730553bfff282f026d673e99fcfa5dc7d3c74ce75d2fd7be4

Download Submit
memory/396-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/396-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/396-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/884-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/884-123-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1568-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1584-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1584-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1652-117-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1652-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2512-37-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-114-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-118-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2912-122-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2912-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2952-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3144-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3144-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4372-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4372-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4928-115-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4928-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads