e9397b658e954808dba4fc55c9644199f75d0f31594c340101379ba9d8d53cef

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 18:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
Size

121KB
MD5

c0494ff55a8ffcb801c662d24754f3b0
SHA1

288d6fb79876193bb8ad90c4eeb583460e8a944b
SHA256

e9397b658e954808dba4fc55c9644199f75d0f31594c340101379ba9d8d53cef
SHA512

49390855ef08f29a86d3c946de9f52a494f628ea3289cfecccbf2530bf8430dccdf3fa35abcf7186d53deae7e85e32b6839ef65ad3fec2b4bb27fada16c71421
SSDEEP

3072:633Bku4lvbxbTJq7D585EvwFO7AJnD5tvv:E3BilzpTqS5EYFOarvv

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilknfn32.exe

Malware Dropper & Backdoor - Berbew 33 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/memory/2060-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x000d00000001226b-5.dat	family_berbew
behavioral1/memory/2060-6-0x0000000000250000-0x0000000000297000-memory.dmp	family_berbew
behavioral1/memory/2896-13-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2836-27-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0008000000016abb-25.dat	family_berbew
behavioral1/files/0x0007000000016cc3-33.dat	family_berbew
behavioral1/memory/2836-35-0x00000000002D0000-0x0000000000317000-memory.dmp	family_berbew
behavioral1/memory/2652-41-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0007000000016d1b-53.dat	family_berbew
behavioral1/memory/2636-54-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x0006000000017486-60.dat	family_berbew
behavioral1/memory/2636-62-0x00000000003B0000-0x00000000003F7000-memory.dmp	family_berbew
behavioral1/files/0x0006000000018663-73.dat	family_berbew
behavioral1/memory/2772-80-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x001100000001867a-86.dat	family_berbew
behavioral1/memory/2180-93-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x00050000000186e6-99.dat	family_berbew
behavioral1/memory/1624-106-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x00050000000186ff-112.dat	family_berbew
behavioral1/memory/848-120-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2832-133-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/files/0x000500000001873f-132.dat	family_berbew
behavioral1/memory/2060-138-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2896-139-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2836-140-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2652-141-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2636-142-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2680-143-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2772-144-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/2180-145-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/1624-146-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral1/memory/848-147-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew

Executes dropped EXE 10 IoCs

pid	Process
2896	Hkpnhgge.exe
2836	Hckcmjep.exe
2652	Hlcgeo32.exe
2636	Hgilchkf.exe
2680	Hhjhkq32.exe
2772	Hacmcfge.exe
2180	Hhmepp32.exe
1624	Iaeiieeb.exe
848	Ilknfn32.exe
2832	Iagfoe32.exe

Loads dropped DLL 24 IoCs

pid	Process
2060	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
2060	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
2896	Hkpnhgge.exe
2896	Hkpnhgge.exe
2836	Hckcmjep.exe
2836	Hckcmjep.exe
2652	Hlcgeo32.exe
2652	Hlcgeo32.exe
2636	Hgilchkf.exe
2636	Hgilchkf.exe
2680	Hhjhkq32.exe
2680	Hhjhkq32.exe
2772	Hacmcfge.exe
2772	Hacmcfge.exe
2180	Hhmepp32.exe
2180	Hhmepp32.exe
1624	Iaeiieeb.exe
1624	Iaeiieeb.exe
848	Ilknfn32.exe
848	Ilknfn32.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe
1584	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hckcmjep.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1584	2832	WerFault.exe	37

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2896	2060	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 2896	2060	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 2896	2060	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 2896	2060	c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe	28
PID 2896 wrote to memory of 2836	2896	Hkpnhgge.exe	29
PID 2896 wrote to memory of 2836	2896	Hkpnhgge.exe	29
PID 2896 wrote to memory of 2836	2896	Hkpnhgge.exe	29
PID 2896 wrote to memory of 2836	2896	Hkpnhgge.exe	29
PID 2836 wrote to memory of 2652	2836	Hckcmjep.exe	30
PID 2836 wrote to memory of 2652	2836	Hckcmjep.exe	30
PID 2836 wrote to memory of 2652	2836	Hckcmjep.exe	30
PID 2836 wrote to memory of 2652	2836	Hckcmjep.exe	30
PID 2652 wrote to memory of 2636	2652	Hlcgeo32.exe	31
PID 2652 wrote to memory of 2636	2652	Hlcgeo32.exe	31
PID 2652 wrote to memory of 2636	2652	Hlcgeo32.exe	31
PID 2652 wrote to memory of 2636	2652	Hlcgeo32.exe	31
PID 2636 wrote to memory of 2680	2636	Hgilchkf.exe	32
PID 2636 wrote to memory of 2680	2636	Hgilchkf.exe	32
PID 2636 wrote to memory of 2680	2636	Hgilchkf.exe	32
PID 2636 wrote to memory of 2680	2636	Hgilchkf.exe	32
PID 2680 wrote to memory of 2772	2680	Hhjhkq32.exe	33
PID 2680 wrote to memory of 2772	2680	Hhjhkq32.exe	33
PID 2680 wrote to memory of 2772	2680	Hhjhkq32.exe	33
PID 2680 wrote to memory of 2772	2680	Hhjhkq32.exe	33
PID 2772 wrote to memory of 2180	2772	Hacmcfge.exe	34
PID 2772 wrote to memory of 2180	2772	Hacmcfge.exe	34
PID 2772 wrote to memory of 2180	2772	Hacmcfge.exe	34
PID 2772 wrote to memory of 2180	2772	Hacmcfge.exe	34
PID 2180 wrote to memory of 1624	2180	Hhmepp32.exe	35
PID 2180 wrote to memory of 1624	2180	Hhmepp32.exe	35
PID 2180 wrote to memory of 1624	2180	Hhmepp32.exe	35
PID 2180 wrote to memory of 1624	2180	Hhmepp32.exe	35
PID 1624 wrote to memory of 848	1624	Iaeiieeb.exe	36
PID 1624 wrote to memory of 848	1624	Iaeiieeb.exe	36
PID 1624 wrote to memory of 848	1624	Iaeiieeb.exe	36
PID 1624 wrote to memory of 848	1624	Iaeiieeb.exe	36
PID 848 wrote to memory of 2832	848	Ilknfn32.exe	37
PID 848 wrote to memory of 2832	848	Ilknfn32.exe	37
PID 848 wrote to memory of 2832	848	Ilknfn32.exe	37
PID 848 wrote to memory of 2832	848	Ilknfn32.exe	37
PID 2832 wrote to memory of 1584	2832	Iagfoe32.exe	38
PID 2832 wrote to memory of 1584	2832	Iagfoe32.exe	38
PID 2832 wrote to memory of 1584	2832	Iagfoe32.exe	38
PID 2832 wrote to memory of 1584	2832	Iagfoe32.exe	38

C:\Users\Admin\AppData\Local\Temp\c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c0494ff55a8ffcb801c662d24754f3b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\Hkpnhgge.exe
  C:\Windows\system32\Hkpnhgge.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\Hckcmjep.exe
    C:\Windows\system32\Hckcmjep.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\Hlcgeo32.exe
      C:\Windows\system32\Hlcgeo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hckcmjep.exe

Filesize
121KB

MD5
2d6afdb4583a9981fcbc668480b6900f

SHA1
7e45ecf31f50d4c764f7b35e236c677a04cd8bbd

SHA256
d859e5f139641cc4d1cbff0a0c55d8d42ab2663f9c6e500dfe2ac7fef16c9542

SHA512
f69a3de3fd2d1f3b863059f7c45f3102e9387083f1b2e1234a791935f1901b6f954ba9fe432a934cc1d6a2f9f261db1417f0a90fe44fabafe35529385d1a86e3

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
121KB

MD5
a006274fa098e4c66952a054f93e78a0

SHA1
9e94f78860bb291472a1ee792543b1216138f5aa

SHA256
dd89da7d0a5537f7ae044f59f5313238547e89d26c6046503f89c1f4501724f2

SHA512
f66b1a16a3756553b764a7c5a051cdbaef007b91a1d2ee8cd6ff57edf2258e2071c4be36563c196ed8a06367dde2e12da8047f3074481137ca49e110307da376

Download Submit
C:\Windows\SysWOW64\Hojopmqk.dll

Filesize
7KB

MD5
a4794f0f4f7b78696fe8b98f1760563f

SHA1
2a26aef2bbe0b8d5112b5c0eab7f284e0fdcd248

SHA256
b97a5143dc692674ca350205d8904977d59f5a9b0b89975986a0b2a64ac48649

SHA512
fbd23875c4399b20ef1404bf105ab4d5392b50e6e6a7f014a61a84411e0cd81d0085969ec86ab07564aec01eb69efa8d5c7ab8687fa27644709796c79f1e6950

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
121KB

MD5
e7fda6aef50a19e5e44e0d38865d3fcc

SHA1
49780073c1451959539611a0f0acc6b6029e44aa

SHA256
ba455bf40f14294e96d0fdb73f9fb316c60305249350accf8dcb1e9035793797

SHA512
ed333d9bac7dadb715e46bbb02108edbc0ef969df7ebcf5228adf4728c57d2e55880a157c2edddbf07f7c856961be33acc3e1bb4d2d04439afda922f51df17d9

Download Submit
\Windows\SysWOW64\Hacmcfge.exe

Filesize
121KB

MD5
8b4d1baf18de90efe6a96aebd498177b

SHA1
d5bd7022fcdce1c320479df944f17f0cd6d708b0

SHA256
f0df04e3e075a233d7a1830d71154e1f43d52113b0a5f80e9a9fec90bea49ddd

SHA512
7b1807de46cb10b27c27640e1ca1797f4f163cfdca1df78f5128ed34e6117eaf6fa406aa15b4acc23937ba3503229e1b99197595f12b29752616b26596aa25c3

Download Submit
\Windows\SysWOW64\Hhjhkq32.exe

Filesize
121KB

MD5
062c478d880b222ce7f668104ca77b1a

SHA1
d39b54b2019ca0261dfb8ba6361a33f370ab5d71

SHA256
4aaa5e0609e1159df9f7fa105ac5ee3f97d07bd6f6dab1ff27598b3d0d6d2df4

SHA512
dcc939e8fadefe274baf85068a80d604bd335a6f94db99389bf326e873d03a07634d793335151b0ebcf0c0f56444adb13cb685f4de8f19eeb68bc8e4329b5e17

Download Submit
\Windows\SysWOW64\Hhmepp32.exe

Filesize
121KB

MD5
6da8aeb72a857e179c9e2ae57573a13d

SHA1
1a62c07d3f27dafc59963b860f29f71d3c5bd5a1

SHA256
3bac83c413937d11cedea7aceccd96b87e7e24a14937b0b0903f6d696bd254d4

SHA512
3df848f12f283209f8fbf0057c898e7e4837c5390b6aa4d8e5c8ab8247de5955f20bc315caccd24b0a3974bea1484b9bb061c8f5601b9b7e27da0abecf98e723

Download Submit
\Windows\SysWOW64\Hkpnhgge.exe

Filesize
121KB

MD5
d623bc77fd12d54a4ad99877ff37b9be

SHA1
a3989a208274acd11c424dc6dad7986d207a18a6

SHA256
e90657fe55b647b1dd010c8e2e63a2bb446fac5ebf87a324f080e19892f5dc0e

SHA512
fd6ec91a373584f34e1b85f8dac3b085bf5327b5d58467a2d06376e748527154cfa4fbc933c17d425777705e12c6adb5a136f7ebba0f57b406911d894249cea5

Download Submit
\Windows\SysWOW64\Hlcgeo32.exe

Filesize
121KB

MD5
529040a1d43efa4287d7bad69ab765d8

SHA1
9a0e8b5852ce252149a985545b83e20364f1b685

SHA256
afe0721ed45dac76150ddcb5230abd23ca88b9f634b722fa8a69bfd731f69067

SHA512
d86d3f7ddf47bced8408314dc5162bada683da3b6509735d3d179dc8dfeef3ea6e6962afa2723f99d9dddcc38bb5eaecaa768e099f0db7235dae96b29499ae9d

Download Submit
\Windows\SysWOW64\Iaeiieeb.exe

Filesize
121KB

MD5
7500a7b5a6400d0fee7a4d23ee60db30

SHA1
a1ba6d7f1d7456b4ccf6fe7cd8b45a0ac840d558

SHA256
444c450af10fc7b55ffe0492cf3951910036066155393dd146615461232d0ea7

SHA512
57b060855bffef3086989a772704fa17bc44a5dd4f8fca0a186b4411d5cdf552986a03c861c282a7a6d44099b96d144226b47595a0275afe88ec62fcaf93af9a

Download Submit
\Windows\SysWOW64\Ilknfn32.exe

Filesize
121KB

MD5
e866b89c9903841122e49ce4c5efc146

SHA1
765ca324e966ca8fe0e663ee8ad5f75e49d156be

SHA256
0230301f3945c86596af56ada4bc1b38d953c6d1c58a7b8f0b024d3f60ec8cb0

SHA512
704808a72d8b0c91f7452e4ce5b1dc7c21d9999a23d5cd7d7af35fb6311b6a0267c3da64ca4d11dafa5e2abdeabfa642d540c1f99dc4d48a5bc99ee5cf7659c4

Download Submit
memory/848-147-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/848-120-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1624-118-0x0000000000350000-0x0000000000397000-memory.dmp

Filesize
284KB

Download
memory/1624-106-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1624-146-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2060-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2060-6-0x0000000000250000-0x0000000000297000-memory.dmp

Filesize
284KB

Download
memory/2060-138-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2180-93-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2180-145-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2636-54-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2636-62-0x00000000003B0000-0x00000000003F7000-memory.dmp

Filesize
284KB

Download
memory/2636-142-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2652-41-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2652-141-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2680-143-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2772-80-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2772-144-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2832-133-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2836-140-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2836-35-0x00000000002D0000-0x0000000000317000-memory.dmp

Filesize
284KB

Download
memory/2836-27-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2896-139-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2896-26-0x0000000000260000-0x00000000002A7000-memory.dmp

Filesize
284KB

Download
memory/2896-13-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads