Analysis
max time kernel: 92s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 03:25
Behavioral task behavioral1
Sample: de6691e2dda3e61636b7fca20acc9640_NEIKI.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: de6691e2dda3e61636b7fca20acc9640_NEIKI.exe
Resource: win10v2004-20240508-en
The signatures, process tree and file hashes below come from behavioral2 (the Windows 10 run, matching the platform and resource above); the YARA matches are tagged behavioral2 accordingly.
General
Target: de6691e2dda3e61636b7fca20acc9640_NEIKI.exe
Size: 5.5MB
MD5: de6691e2dda3e61636b7fca20acc9640
SHA1: 048e67318651a53cc6b9a7651838a5edf0d53dfb
SHA256: 43776b80c311fdcc1d0c7e330554de6a94b61f31fac184a8bada88cafb084a39
SHA512: 6efb8d6d85af62a36f7da093664ed5c77cde011dcedc909301be1b739f26d1a08eaf4d79efa3abe49476def02ff3d678146ca542ab2ab624fe384a2c5f674f37
SSDEEP: 98304:J6Gn9646r6HaSHFaZRBEYyqmS2DiHPKQgmZ0aUgUjvha/4wzlF65iE:taSHFaZRBEYyqmS2DiHPKQgwUgUjvhoM
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 26 IoCs)
ShellServiceObjectDelayLoad (SSODL) is a legacy Explorer autostart: each value under the key names a CLSID, and Explorer.exe instantiates that COM object in-process at logon. The submitted sample and every dropped stage except the last (Nkcmohbg.exe, which crashed) perform the same two writes, so the 26 IoCs are 13 processes x 2 entries:
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Processes: de6691e2dda3e61636b7fca20acc9640_NEIKI.exe, Dfdbojmq.exe, Domfgpca.exe, Ffbnph32.exe, Fqaeco32.exe, Hjjbcbqj.exe, Iidipnal.exe, Jiphkm32.exe, Jbhmdbnp.exe, Kknafn32.exe, Kgfoan32.exe, Mjqjih32.exe, Nceonl32.exe
The value name "Web Event Logger" is a benign-looking label; the indicator that matters is the CLSID, which the same processes register under "Modifies registry class" below with an InProcServer32 pointing at a DLL dropped into SysWOW64. Note that the key sits under WOW6432Node: the sample is 32-bit, so WOW64 registry redirection placed the entry in the 32-bit view. When hunting for this persistence, check both the native ShellServiceObjectDelayLoad key and the WOW6432Node copy.
Malware Dropper & Backdoor - Berbew (14 IoCs)
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware and cryptominers.
YARA rule family_berbew matched 14 dropped files in the behavioral2 run:
behavioral2/files/0x0007000000023270-7.dat
behavioral2/files/0x00080000000233b0-15.dat
behavioral2/files/0x00070000000233b2-23.dat
behavioral2/files/0x000a0000000233ac-31.dat
behavioral2/files/0x00070000000233b5-39.dat
behavioral2/files/0x00070000000233b7-42.dat
behavioral2/files/0x00070000000233b7-47.dat
behavioral2/files/0x00070000000233b9-55.dat
behavioral2/files/0x00070000000233bb-63.dat
behavioral2/files/0x00070000000233bd-71.dat
behavioral2/files/0x00070000000233bf-78.dat
behavioral2/files/0x00070000000233c1-87.dat
behavioral2/files/0x00070000000233c3-95.dat
behavioral2/files/0x00070000000233c5-103.dat
Executes dropped EXE (13 IoCs)
PID   Process
2512  Dfdbojmq.exe
3560  Domfgpca.exe
1260  Ffbnph32.exe
2260  Fqaeco32.exe
2912  Hjjbcbqj.exe
2924  Iidipnal.exe
5096  Jiphkm32.exe
2840  Jbhmdbnp.exe
2612  Kknafn32.exe
2496  Kgfoan32.exe
1868  Mjqjih32.exe
4696  Nceonl32.exe
3304  Nkcmohbg.exe
Drops file in System32 directory (39 IoCs)
Every stage writes into C:\Windows\SysWOW64\: it creates the next stage's EXE (logged both as "File created" and as "File opened for modification") and one DLL, which is the COM server it registers under "Modifies registry class" below. 13 processes x 3 events = 39 IoCs.
Process                                     Next-stage EXE (created + opened for modification)   DLL created
de6691e2dda3e61636b7fca20acc9640_NEIKI.exe  Dfdbojmq.exe                                         Kpmkpqcp.dll
Dfdbojmq.exe                                Domfgpca.exe                                         Dbppbgjd.dll
Domfgpca.exe                                Ffbnph32.exe                                         Oijnep32.dll
Ffbnph32.exe                                Fqaeco32.exe                                         Hakfehok.dll
Fqaeco32.exe                                Hjjbcbqj.exe                                         Denfkg32.dll
Hjjbcbqj.exe                                Iidipnal.exe                                         Mgblmpji.dll
Iidipnal.exe                                Jiphkm32.exe                                         Jdkind32.dll
Jiphkm32.exe                                Jbhmdbnp.exe                                         Bgllgqcp.dll
Jbhmdbnp.exe                                Kknafn32.exe                                         Ihaoimoh.dll
Kknafn32.exe                                Kgfoan32.exe                                         Pipagf32.dll
Kgfoan32.exe                                Mjqjih32.exe                                         Lppbjjia.dll
Mjqjih32.exe                                Nceonl32.exe                                         Fcdjjo32.dll
Nceonl32.exe                                Nkcmohbg.exe                                         Hnibdpde.dll
Program crash (1 IoC)
WerFault.exe (PID 4616) was invoked for PID 3304 (Nkcmohbg.exe, procid_target 95). Nkcmohbg.exe is the last stage in the chain and the only one with no registry or file activity recorded; the chain ends with its crash.
Modifies registry class (42 IoCs)
All 13 processes register the same CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}, as an in-process COM server in the 32-bit view, each pointing it at the DLL it dropped. Per process the writes are:
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Set value (str): ...\InProcServer32\(Default) = "C:\Windows\SysWow64\<DLL>" (the key's default value, shown as "InProcServer32\ =" in the raw report; the doubled backslashes there are the report's string escaping)
Set value (str): ...\InProcServer32\ThreadingModel = "Apartment"
The submitted sample additionally creates the parent keys \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node, ...\WOW6432Node\CLSID and ...\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}, which accounts for the total: 13 x 3 + 3 = 42.
Process                                     InProcServer32 (Default)
de6691e2dda3e61636b7fca20acc9640_NEIKI.exe  C:\Windows\SysWow64\Kpmkpqcp.dll
Dfdbojmq.exe                                C:\Windows\SysWow64\Dbppbgjd.dll
Domfgpca.exe                                C:\Windows\SysWow64\Oijnep32.dll
Ffbnph32.exe                                C:\Windows\SysWow64\Hakfehok.dll
Fqaeco32.exe                                C:\Windows\SysWow64\Denfkg32.dll
Hjjbcbqj.exe                                C:\Windows\SysWow64\Mgblmpji.dll
Iidipnal.exe                                C:\Windows\SysWow64\Jdkind32.dll
Jiphkm32.exe                                C:\Windows\SysWow64\Bgllgqcp.dll
Jbhmdbnp.exe                                C:\Windows\SysWow64\Ihaoimoh.dll
Kknafn32.exe                                C:\Windows\SysWow64\Pipagf32.dll
Kgfoan32.exe                                C:\Windows\SysWow64\Lppbjjia.dll
Mjqjih32.exe                                C:\Windows\SysWow64\Fcdjjo32.dll
Nceonl32.exe                                C:\Windows\SysWow64\Hnibdpde.dll
Because every stage overwrites the same CLSID, only the last write survives the run. In chain order that is Nceonl32.exe, so at the end of the run the SSODL entry resolves to C:\Windows\SysWow64\Hnibdpde.dll; on a compromised host, however, any of the 13 DLLs above is an artifact worth collecting.
Suspicious use of WriteProcessMemory (39 IoCs)
Each stage writes into the memory of the stage it launches; the report logs three WriteProcessMemory events per parent/child pair (13 pairs x 3 = 39). Collapsed to one row per pair, with the child name taken from the "Executes dropped EXE" PID list; procid_target is the report's index for the child process (95 is the same index the Program crash entry uses for Nkcmohbg.exe):
Parent PID  Parent process                              Child PID  Child process  procid_target
4312        de6691e2dda3e61636b7fca20acc9640_NEIKI.exe  2512       Dfdbojmq.exe   80
2512        Dfdbojmq.exe                                3560       Domfgpca.exe   83
3560        Domfgpca.exe                                1260       Ffbnph32.exe   85
1260        Ffbnph32.exe                                2260       Fqaeco32.exe   86
2260        Fqaeco32.exe                                2912       Hjjbcbqj.exe   87
2912        Hjjbcbqj.exe                                2924       Iidipnal.exe   88
2924        Iidipnal.exe                                5096       Jiphkm32.exe   89
5096        Jiphkm32.exe                                2840       Jbhmdbnp.exe   90
2840        Jbhmdbnp.exe                                2612       Kknafn32.exe   91
2612        Kknafn32.exe                                2496       Kgfoan32.exe   92
2496        Kgfoan32.exe                                1868       Mjqjih32.exe   93
1868        Mjqjih32.exe                                4696       Nceonl32.exe   94
4696        Nceonl32.exe                                3304       Nkcmohbg.exe   95
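Added example, not from the report: a parser that turns the report's own flattened rows (the WriteProcessMemory rows above, the "Executes dropped EXE" PID list and the "Drops file in System32 directory" rows) into an ordered launch chain and checks, hop by hop, that each parent created on disk the child it launched. The embedded strings are copied from this report, with the WriteProcessMemory triplicates collapsed to one per hop except the first; the function and constant names are mine, and the code assumes a linear chain as seen here.

```python
"""Rebuild the drop-and-launch chain from a sandbox report's flattened rows.

Added example, not from the report. Parses three row types copied from
this report: WriteProcessMemory (parent -> child), Executes dropped EXE
(pid -> name) and Drops file in System32 (process -> file), then verifies
that every launched child was created on disk by its parent.
"""
import re
from collections import defaultdict

WPM_RE = re.compile(
    r"PID (?P<pid>\d+) wrote to memory of (?P<child>\d+) (?P=pid) (?P<proc>\S+) (?P<target>\d+)"
)
EXEC_RE = re.compile(r"(?P<pid>\d+) (?P<proc>\S+\.exe)")
DROP_RE = re.compile(r"File created C:\\Windows\\SysWOW64\\(?P<file>\S+) (?P<proc>\S+)")


def parse_chain(wpm_text, exec_text, drop_text):
    """Return (chain, hops): chain is [(pid, name), ...] root first; hops describes each launch."""
    names = {int(m["pid"]): m["proc"] for m in EXEC_RE.finditer(exec_text)}
    dropped = defaultdict(set)  # process name -> files it created in SysWOW64
    for m in DROP_RE.finditer(drop_text):
        dropped[m["proc"]].add(m["file"])
    edges = {}  # parent pid -> child pid; the report logs each pair three times, dict dedups
    for m in WPM_RE.finditer(wpm_text):
        names.setdefault(int(m["pid"]), m["proc"])  # the root is absent from the dropped-EXE list
        edges[int(m["pid"])] = int(m["child"])       # assumes one child per parent (linear chain)
    roots = [p for p in edges if p not in set(edges.values())]
    if len(roots) != 1:
        raise ValueError(f"expected a single root process, found {roots}")
    chain, pid, seen = [], roots[0], set()
    while pid is not None:
        if pid in seen:
            raise ValueError(f"cycle at pid {pid}")
        seen.add(pid)
        chain.append((pid, names[pid]))
        pid = edges.get(pid)
    hops = []
    for (_, parent), (child_pid, child) in zip(chain, chain[1:]):
        files = dropped[parent]
        hops.append({
            "parent": parent, "child": child, "child_pid": child_pid,
            "dropped_by_parent": child in files,
            "dlls_dropped": sorted(f for f in files if f.lower().endswith(".dll")),
        })
    return chain, hops


# Rows copied from this report (WriteProcessMemory triplicates collapsed after the first hop).
WPM = r"""PID 4312 wrote to memory of 2512 4312 de6691e2dda3e61636b7fca20acc9640_NEIKI.exe 80 PID 4312 wrote to memory of 2512 4312 de6691e2dda3e61636b7fca20acc9640_NEIKI.exe 80
PID 2512 wrote to memory of 3560 2512 Dfdbojmq.exe 83 PID 3560 wrote to memory of 1260 3560 Domfgpca.exe 85
PID 1260 wrote to memory of 2260 1260 Ffbnph32.exe 86 PID 2260 wrote to memory of 2912 2260 Fqaeco32.exe 87
PID 2912 wrote to memory of 2924 2912 Hjjbcbqj.exe 88 PID 2924 wrote to memory of 5096 2924 Iidipnal.exe 89
PID 5096 wrote to memory of 2840 5096 Jiphkm32.exe 90 PID 2840 wrote to memory of 2612 2840 Jbhmdbnp.exe 91
PID 2612 wrote to memory of 2496 2612 Kknafn32.exe 92 PID 2496 wrote to memory of 1868 2496 Kgfoan32.exe 93
PID 1868 wrote to memory of 4696 1868 Mjqjih32.exe 94 PID 4696 wrote to memory of 3304 4696 Nceonl32.exe 95"""
EXEC = ("2512 Dfdbojmq.exe 3560 Domfgpca.exe 1260 Ffbnph32.exe 2260 Fqaeco32.exe 2912 Hjjbcbqj.exe "
        "2924 Iidipnal.exe 5096 Jiphkm32.exe 2840 Jbhmdbnp.exe 2612 Kknafn32.exe 2496 Kgfoan32.exe "
        "1868 Mjqjih32.exe 4696 Nceonl32.exe 3304 Nkcmohbg.exe")
DROPS = r"""File created C:\Windows\SysWOW64\Dfdbojmq.exe de6691e2dda3e61636b7fca20acc9640_NEIKI.exe File created C:\Windows\SysWOW64\Kpmkpqcp.dll de6691e2dda3e61636b7fca20acc9640_NEIKI.exe
File created C:\Windows\SysWOW64\Domfgpca.exe Dfdbojmq.exe File created C:\Windows\SysWOW64\Dbppbgjd.dll Dfdbojmq.exe
File created C:\Windows\SysWOW64\Ffbnph32.exe Domfgpca.exe File created C:\Windows\SysWOW64\Oijnep32.dll Domfgpca.exe
File created C:\Windows\SysWOW64\Fqaeco32.exe Ffbnph32.exe File created C:\Windows\SysWOW64\Hakfehok.dll Ffbnph32.exe
File created C:\Windows\SysWOW64\Hjjbcbqj.exe Fqaeco32.exe File created C:\Windows\SysWOW64\Denfkg32.dll Fqaeco32.exe
File created C:\Windows\SysWOW64\Iidipnal.exe Hjjbcbqj.exe File created C:\Windows\SysWOW64\Mgblmpji.dll Hjjbcbqj.exe
File created C:\Windows\SysWOW64\Jiphkm32.exe Iidipnal.exe File created C:\Windows\SysWOW64\Jdkind32.dll Iidipnal.exe
File created C:\Windows\SysWOW64\Jbhmdbnp.exe Jiphkm32.exe File created C:\Windows\SysWOW64\Bgllgqcp.dll Jiphkm32.exe
File created C:\Windows\SysWOW64\Kknafn32.exe Jbhmdbnp.exe File created C:\Windows\SysWOW64\Ihaoimoh.dll Jbhmdbnp.exe
File created C:\Windows\SysWOW64\Kgfoan32.exe Kknafn32.exe File created C:\Windows\SysWOW64\Pipagf32.dll Kknafn32.exe
File created C:\Windows\SysWOW64\Mjqjih32.exe Kgfoan32.exe File created C:\Windows\SysWOW64\Lppbjjia.dll Kgfoan32.exe
File created C:\Windows\SysWOW64\Nceonl32.exe Mjqjih32.exe File created C:\Windows\SysWOW64\Fcdjjo32.dll Mjqjih32.exe
File created C:\Windows\SysWOW64\Nkcmohbg.exe Nceonl32.exe File created C:\Windows\SysWOW64\Hnibdpde.dll Nceonl32.exe"""

if __name__ == "__main__":
    chain, hops = parse_chain(WPM, EXEC, DROPS)
    print(" -> ".join(f"{name}({pid})" for pid, name in chain))
    for h in hops:
        flag = "ok" if h["dropped_by_parent"] else "UNVERIFIED"
        print(f"{h['parent']} -> {h['child']} [{flag}] dll={h['dlls_dropped']}")
```

A hop reported as UNVERIFIED would mean a process launched something it did not write itself, which is where a chain like this stops being self-replication and starts being a second-stage download; here all 13 hops verify, and each parent leaves exactly one DLL behind, which is the list of COM servers to collect from a live host.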
Processes
Signature tags used below: A = Adds autorun key to be loaded by Explorer.exe on startup; E = Executes dropped EXE; D = Drops file in System32 directory; R = Modifies registry class; W = Suspicious use of WriteProcessMemory; C = Program crash. "depth" is the nesting level the report shows after each command line. The command lines name C:\Windows\system32\ while the image paths are C:\Windows\SysWOW64\: the processes are 32-bit, and WOW64 file-system redirection maps system32 to SysWOW64 for them.

depth 1   PID 4312  C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe  [A D R W]
          cmd: "C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe"
depth 2   PID 2512  C:\Windows\SysWOW64\Dfdbojmq.exe  [A E D R W]
          cmd: C:\Windows\system32\Dfdbojmq.exe
depth 3   PID 3560  C:\Windows\SysWOW64\Domfgpca.exe  [A E D R W]
          cmd: C:\Windows\system32\Domfgpca.exe
depth 4   PID 1260  C:\Windows\SysWOW64\Ffbnph32.exe  [A E D R W]
          cmd: C:\Windows\system32\Ffbnph32.exe
depth 5   PID 2260  C:\Windows\SysWOW64\Fqaeco32.exe  [A E D R W]
          cmd: C:\Windows\system32\Fqaeco32.exe
depth 6   PID 2912  C:\Windows\SysWOW64\Hjjbcbqj.exe  [A E D R W]
          cmd: C:\Windows\system32\Hjjbcbqj.exe
depth 7   PID 2924  C:\Windows\SysWOW64\Iidipnal.exe  [A E D R W]
          cmd: C:\Windows\system32\Iidipnal.exe
depth 8   PID 5096  C:\Windows\SysWOW64\Jiphkm32.exe  [A E D R W]
          cmd: C:\Windows\system32\Jiphkm32.exe
depth 9   PID 2840  C:\Windows\SysWOW64\Jbhmdbnp.exe  [A E D R W]
          cmd: C:\Windows\system32\Jbhmdbnp.exe
depth 10  PID 2612  C:\Windows\SysWOW64\Kknafn32.exe  [A E D R W]
          cmd: C:\Windows\system32\Kknafn32.exe
depth 11  PID 2496  C:\Windows\SysWOW64\Kgfoan32.exe  [A E D R W]
          cmd: C:\Windows\system32\Kgfoan32.exe
depth 12  PID 1868  C:\Windows\SysWOW64\Mjqjih32.exe  [A E D R W]
          cmd: C:\Windows\system32\Mjqjih32.exe
depth 13  PID 4696  C:\Windows\SysWOW64\Nceonl32.exe  [A E D R W]
          cmd: C:\Windows\system32\Nceonl32.exe
depth 14  PID 3304  C:\Windows\SysWOW64\Nkcmohbg.exe  [E]
          cmd: C:\Windows\system32\Nkcmohbg.exe
depth 15  PID 4616  C:\Windows\SysWOW64\WerFault.exe  [C]
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 408

depth 1   PID 4816  C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3304 -ip 3304
The second WerFault.exe instance (PID 4816) is the top-level error-reporting process for the same crashed PID 3304 (-p 3304), not part of the malware chain.
Network
No network entries are listed in this report.
MITRE ATT&CK Enterprise v15
No technique mapping is listed in this report (the autorun signature above is credited with 2 TTPs).
Downloads
14 files, listed in the report's order; the report does not name them. 13 of the 14 are 5.5MB, the same size as the submitted sample; one is 4.4MB.

1. Filesize: 5.5MB
   MD5: 312e264bd797fcde6e056b97f746f548
   SHA1: e3ac2d19eec93fa6c926789e69030f23fcb6949f
   SHA256: 831abd7a11c93f7b9350ac8bb90f4f8f34278a0cb1ae84d5a6a81e7a16aa78f8
   SHA512: a9ccda1a7e0a5515571d92def4010d24caceff9d36efcc97207b81ea971bb43163e7b89b6f82fd16af3deb5da6fc5fd5b749bfe24d1e95990ef8e69c7c6896ce
2. Filesize: 5.5MB
   MD5: d19ec5a2154f73ff6b2f8de7fac33e26
   SHA1: 7a1bb22e5b666baf6ebb952f108a2c131e0c6581
   SHA256: 1225a13785e7e5f685e76fd8e562d48b4bca7b81c477757b02c9ce397a65588b
   SHA512: 5b6129d0d70678c0d51a053f0f257737636a5df2f1e133305c3c3321ec9e226261ce5804462269a2176ea8782e3a868fb4e95ce6cdbd8ac7c3015d902bcacf81
3. Filesize: 5.5MB
   MD5: 13e1cf1d082a673492231967f93f1774
   SHA1: e3c96e18133d656199d8d442bee9627bf08a0755
   SHA256: c50519ce3440c4433836b53350b2bbd31e8125593fd8c553aff88a6cd6dc8cde
   SHA512: 7f18b9d8e64943ee620f3c0870014de78cc28559e452129bc8fa6caea8eac4d75bbbe263d14b4f062e195a76567d591caf929eb4e6c661cdcc2e78fb920a4a9a
4. Filesize: 5.5MB
   MD5: de8ed894de2035cf30ab97f7ea3c518f
   SHA1: 16383d16e6ba946ca4370ae1276451d702ad9c6c
   SHA256: 8bb49005007664bdb6a5aef5c9ad1ee60de926f00e118a3d32445ba6be56180a
   SHA512: b70631659e80ec970e4c9d92070273dcac85277aa525acc66903b69c32b7f3b825818a77a2bf0ddd10e08ab71b23716e497981d8757acdfb572e3b430dc0c3dd
5. Filesize: 5.5MB
   MD5: fbfc2ff9ae4e574ec61c908edfb4309f
   SHA1: ee50c59c7a119968caa8462434247936364fd89a
   SHA256: d204627d89f219ca95868a415fa1004c682e80993e7a28d94654d558dd161397
   SHA512: e8d3c3123b5748466000e59176fb723c5904c7314bd25747e0688d48c2560e5ba22f8dcde126a0be6397c8857bb5756ddf8041a99b3bc9d9ac3690b74bf21190
6. Filesize: 4.4MB
   MD5: cc22fe4421fef6afe172126a383e3f58
   SHA1: 8b73ac727d7bdf5dd78aaf9be3de17457c57e6d7
   SHA256: f6e75c867f899908b8831c74a9cdd418d4266d1a729aab97ad2a4f7177ef7b32
   SHA512: 7d88649f2cc11b86da6bd0860f8c66a28d013f542d128dbb83277a9ed5b9a3667b9f4e9e7ba1b955ea03b2cf113b7857c3a2d1639b626736f11e2f7938a5ec44
7. Filesize: 5.5MB
   MD5: 30129775c5453ba28f01c89b88e83b44
   SHA1: 84ce13669f6693f1fa61fc34589c34ae46e3c470
   SHA256: 0344634fdc7823d57703ccccf4be7d2cb0e9f9e53a06874822dcff9cfdb99301
   SHA512: 98a35bd78c52ad67f8620901204466ec81573a6100ca5c91d0ff0ff514eb9f38d86c809da45d0a72b586ff95fb9f79d700d58fe537afee242283b238be8b171a
8. Filesize: 5.5MB
   MD5: 5f615b5f0ba62ce467b3f109a82589a6
   SHA1: a81172b1996ee950f0d05773b2fa9270e51382eb
   SHA256: baa84d3ec64b4ed636969d6ae791ef01c74ca38e4aac9e79044012ba6e5e30b2
   SHA512: 265595fd3bd289f6d189ff16af7b915cea037bf3e982ad4beed40b48ba0a29481ad8535b51269152aad819844c801258d3dc3a820efa2e97cb00e85eb1196b1f
9. Filesize: 5.5MB
   MD5: e2bf1d48679ccec3c2961e870fdffc47
   SHA1: 2a198d79341142a8e38e0cd8b29244c4f42b7bfe
   SHA256: a3d2c4e006c565dd75bfbbcf93cef666e06fffa928069c1dfc6d4f324370b6e1
   SHA512: 7ff33c17c37297981c7d65835d8252916440621d7b0c1d54e8a5efe1207bb86ca76f6680090f82b36228298eb389bd28de24a56527c7556fd0960070ee1c3351
10. Filesize: 5.5MB
    MD5: e55a7be26a045c7a9f751e902612a411
    SHA1: ee38e4117430cb84c327286d58555c01d0c839ec
    SHA256: 3882f32a320f31e88763fb842a45612b22f059745d6c733ecb699dc495ee2185
    SHA512: 8f6422f886fa82ef6c43124b0799b2f284ce53e5ae362c0559e00067911a8516a5763a7c810a42a9bd0322500269602880a0a6d426d7f399863a7984b004feb0
11. Filesize: 5.5MB
    MD5: 61318872037ce5a1bcdf5c49ea6b117a
    SHA1: 64a259b938ffe2ec96b440098e8c10e18fcccdee
    SHA256: 1c5ec6b0148e0232c2a64d40c1c8c354d0d2ef862504eefe772f30cc248d38cc
    SHA512: d7340eb9b46ef041340cf0897cc40cfbde17cf82296cec14a743fe5bd9b6f0b99a3f69174b80fc0abc841daa2867f9f72b26d108f0406417e7d94c968a0ae1f8
12. Filesize: 5.5MB
    MD5: 2ff11b805ba6f4ec909d05df75ccf3fa
    SHA1: 8869df6ecc3be4b7eeb037348c88b1bcdfe62890
    SHA256: b9461ded335383190a198c882a705a59742cb93a3e8d6301ffed05639abde79c
    SHA512: 5217167737ba39a68983095b0484f6818b87fa3c93a29fdb9316488cc238f4f531ca75ab2f983962fce50bfdb3c73d8fc1ee2bc577dc8b8276379448a31f33b8
13. Filesize: 5.5MB
    MD5: 47ad6de597502a8897b97d1ef47efc4b
    SHA1: b49e4fa240e2ec7404708b856080de6347628204
    SHA256: 7baa107cb1c1ddcd62153f64205b666f462a929a67f9b661f35b2975a8f26b43
    SHA512: 0f88dc5be56e7079a0ea8cf573157eaf160485c21e97ee70489c2121e9627e1af5f4bdf07d167546ddfa63f3cac575c06bc9a41895930af4c2a3274451c288b6
14. Filesize: 5.5MB
    MD5: 3ceac35377a0f07f98726139ce179059
    SHA1: 9a3c64acb1f5b7cec461880e7cc00f83ae40e8ce
    SHA256: 9aee34c274c1fe90c32a51da163e639962d32c303b6a1fa71b85e6fb0bedc382
    SHA512: 26a512047b9a7d20dc0cb58138d895a506b7f9eb7c36ea89e6a7343038e86d3635a63f4507b686370b3c7e580e7500422a3575027bec0734913f2d9600d79758