5e85c2027098211d4a785942c3adc102edf66b9d52e25c950a236dd831600131

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 20:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
Size

1.2MB
MD5

f0dd2e154afc031b648caf928c9344c0
SHA1

aa629ac9962bba85edc88fb73034a0f851d6ce2e
SHA256

5e85c2027098211d4a785942c3adc102edf66b9d52e25c950a236dd831600131
SHA512

6ffc080b87ebdc36819152836d3d243ac1b6de60265ef2c88dc04bbb1d7964029d9ff5c15834fc6fc5f9e9969e8fa93677e93c472be8078be93ed4e5f66e666e
SSDEEP

24576:fbB2xNdRPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2EvZHp3oWbUJF:fbB2xNdhbazR0vKLXZdUJF

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe

Malware Dropper & Backdoor - Berbew 12 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/files/0x000b000000015d59-5.dat	family_berbew
behavioral1/files/0x00070000000167bf-27.dat	family_berbew
behavioral1/files/0x0007000000016c1f-44.dat	family_berbew
behavioral1/files/0x0009000000016c38-55.dat	family_berbew
behavioral1/files/0x0006000000016d85-70.dat	family_berbew
behavioral1/files/0x0006000000016e56-76.dat	family_berbew
behavioral1/files/0x000600000001737b-100.dat	family_berbew
behavioral1/files/0x00060000000173dc-125.dat	family_berbew
behavioral1/files/0x002f0000000161ee-137.dat	family_berbew
behavioral1/files/0x000600000001745d-154.dat	family_berbew
behavioral1/files/0x000600000001748d-173.dat	family_berbew
behavioral1/files/0x000600000001738c-114.dat	family_berbew

Executes dropped EXE 12 IoCs

pid	Process
2932	Fmjejphb.exe
2676	Feeiob32.exe
2620	Fmlapp32.exe
2524	Gonnhhln.exe
2484	Gegfdb32.exe
2832	Gicbeald.exe
1580	Hknach32.exe
1620	Hmlnoc32.exe
1616	Hdhbam32.exe
1520	Hejoiedd.exe
1428	Hcplhi32.exe
1364	Iagfoe32.exe

Loads dropped DLL 28 IoCs

pid	Process
2872	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
2872	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
2932	Fmjejphb.exe
2932	Fmjejphb.exe
2676	Feeiob32.exe
2676	Feeiob32.exe
2620	Fmlapp32.exe
2620	Fmlapp32.exe
2524	Gonnhhln.exe
2524	Gonnhhln.exe
2484	Gegfdb32.exe
2484	Gegfdb32.exe
2832	Gicbeald.exe
2832	Gicbeald.exe
1580	Hknach32.exe
1580	Hknach32.exe
1620	Hmlnoc32.exe
1620	Hmlnoc32.exe
1616	Hdhbam32.exe
1616	Hdhbam32.exe
1520	Hejoiedd.exe
1520	Hejoiedd.exe
1428	Hcplhi32.exe
1428	Hcplhi32.exe
2452	WerFault.exe
2452	WerFault.exe
2452	WerFault.exe
2452	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Feeiob32.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Fmjejphb.exe
File opened for modification	C:\Windows\SysWOW64\Fmlapp32.exe	Feeiob32.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Gonnhhln.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Fmjejphb.exe	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bcqgok32.dll	Feeiob32.exe
File created	C:\Windows\SysWOW64\Gonnhhln.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Gicbeald.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Fmjejphb.exe	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Hknach32.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Cakqnc32.dll	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Gegfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Gonnhhln.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Fmlapp32.exe	Feeiob32.exe
File opened for modification	C:\Windows\SysWOW64\Gonnhhln.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Oecbjjic.dll	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hdhbam32.exe

Program crash 1 IoCs

pid	pid_target	Process
2452	1364	WerFault.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Gonnhhln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gonnhhln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cakqnc32.dll"	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecbjjic.dll"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2932	2872	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe	28
PID 2872 wrote to memory of 2932	2872	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe	28
PID 2872 wrote to memory of 2932	2872	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe	28
PID 2872 wrote to memory of 2932	2872	f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2676	2932	Fmjejphb.exe	29
PID 2932 wrote to memory of 2676	2932	Fmjejphb.exe	29
PID 2932 wrote to memory of 2676	2932	Fmjejphb.exe	29
PID 2932 wrote to memory of 2676	2932	Fmjejphb.exe	29
PID 2676 wrote to memory of 2620	2676	Feeiob32.exe	30
PID 2676 wrote to memory of 2620	2676	Feeiob32.exe	30
PID 2676 wrote to memory of 2620	2676	Feeiob32.exe	30
PID 2676 wrote to memory of 2620	2676	Feeiob32.exe	30
PID 2620 wrote to memory of 2524	2620	Fmlapp32.exe	31
PID 2620 wrote to memory of 2524	2620	Fmlapp32.exe	31
PID 2620 wrote to memory of 2524	2620	Fmlapp32.exe	31
PID 2620 wrote to memory of 2524	2620	Fmlapp32.exe	31
PID 2524 wrote to memory of 2484	2524	Gonnhhln.exe	32
PID 2524 wrote to memory of 2484	2524	Gonnhhln.exe	32
PID 2524 wrote to memory of 2484	2524	Gonnhhln.exe	32
PID 2524 wrote to memory of 2484	2524	Gonnhhln.exe	32
PID 2484 wrote to memory of 2832	2484	Gegfdb32.exe	33
PID 2484 wrote to memory of 2832	2484	Gegfdb32.exe	33
PID 2484 wrote to memory of 2832	2484	Gegfdb32.exe	33
PID 2484 wrote to memory of 2832	2484	Gegfdb32.exe	33
PID 2832 wrote to memory of 1580	2832	Gicbeald.exe	34
PID 2832 wrote to memory of 1580	2832	Gicbeald.exe	34
PID 2832 wrote to memory of 1580	2832	Gicbeald.exe	34
PID 2832 wrote to memory of 1580	2832	Gicbeald.exe	34
PID 1580 wrote to memory of 1620	1580	Hknach32.exe	35
PID 1580 wrote to memory of 1620	1580	Hknach32.exe	35
PID 1580 wrote to memory of 1620	1580	Hknach32.exe	35
PID 1580 wrote to memory of 1620	1580	Hknach32.exe	35
PID 1620 wrote to memory of 1616	1620	Hmlnoc32.exe	36
PID 1620 wrote to memory of 1616	1620	Hmlnoc32.exe	36
PID 1620 wrote to memory of 1616	1620	Hmlnoc32.exe	36
PID 1620 wrote to memory of 1616	1620	Hmlnoc32.exe	36
PID 1616 wrote to memory of 1520	1616	Hdhbam32.exe	37
PID 1616 wrote to memory of 1520	1616	Hdhbam32.exe	37
PID 1616 wrote to memory of 1520	1616	Hdhbam32.exe	37
PID 1616 wrote to memory of 1520	1616	Hdhbam32.exe	37
PID 1520 wrote to memory of 1428	1520	Hejoiedd.exe	38
PID 1520 wrote to memory of 1428	1520	Hejoiedd.exe	38
PID 1520 wrote to memory of 1428	1520	Hejoiedd.exe	38
PID 1520 wrote to memory of 1428	1520	Hejoiedd.exe	38
PID 1428 wrote to memory of 1364	1428	Hcplhi32.exe	39
PID 1428 wrote to memory of 1364	1428	Hcplhi32.exe	39
PID 1428 wrote to memory of 1364	1428	Hcplhi32.exe	39
PID 1428 wrote to memory of 1364	1428	Hcplhi32.exe	39
PID 1364 wrote to memory of 2452	1364	Iagfoe32.exe	40
PID 1364 wrote to memory of 2452	1364	Iagfoe32.exe	40
PID 1364 wrote to memory of 2452	1364	Iagfoe32.exe	40
PID 1364 wrote to memory of 2452	1364	Iagfoe32.exe	40

C:\Users\Admin\AppData\Local\Temp\f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f0dd2e154afc031b648caf928c9344c0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\Fmjejphb.exe
  C:\Windows\system32\Fmjejphb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\Feeiob32.exe
    C:\Windows\system32\Feeiob32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Fmlapp32.exe
      C:\Windows\system32\Fmlapp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\Gonnhhln.exe
        
        C:\Windows\system32\Gonnhhln.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Feeiob32.exe

Filesize
1.2MB

MD5
e465a6a729d30d05ffba965ddd4f70e0

SHA1
093e08b0fedd8119a6a2f14412fc1705bc3370f4

SHA256
8c6d51b0d001fc938f33961b3425aef65fc11783c64585b27d4ec0bc41f28f5c

SHA512
9726f0635af271f3398d29716bba2c7ecbe8b1cee0fef16e07cb37ff8f09dbb019a373395e457974d0cd8964187ea52b3fc69b18e52e90c2eca13b6c354b01b2

Download Submit
C:\Windows\SysWOW64\Fmlapp32.exe

Filesize
1.2MB

MD5
8f8f081fa8f7cb67e2f3fe9c8f8b6a47

SHA1
35b722185725b37673b50e8b781a69b3ef5c1cee

SHA256
8761101d932bd3e471e5e57a5f87c1cf084b7fda6a7dac98f94c29f4c48524a5

SHA512
486b764ec8b0de67aef78da46c17ee651f3d14ef2db6e5a43c53550eb8e55b98b0cb93249bf25b3e4291c5aa78d7e2e41b080830fb5370dd46b3a8f10003a6fe

Download Submit
C:\Windows\SysWOW64\Gegfdb32.exe

Filesize
1.2MB

MD5
cb84e954686571487bd8ea95cc37e4bd

SHA1
2ac2d5f4a3bffe77c6ca7e5ba4892c7ba1d98a1e

SHA256
2aa8ee103051739c94a0c86c9c77435220c4c85aa9ef81e1491ea658cfab0770

SHA512
7ea71a93ef6a9bf3960802d441996216e531ca6971c98cdd3f1eb79682085b9f90f561d43abc48b610766ae4af7897229f268c42c281a8d796c63372d945b82e

Download Submit
C:\Windows\SysWOW64\Gonnhhln.exe

Filesize
1.2MB

MD5
1c76eb99ed878230760d6a2c42b0bd7c

SHA1
37830f895a578431cfaf98761b2434858b1c294b

SHA256
5dc78ba03b43c6dcb2930fe8b0a702c7bb16e353c555aaf300358f30facc2a3f

SHA512
b04143ac7a6ae7c69f868764da5e6526907a1ccc1e90f01cbeeb4e65580f0b54f09276955f21c86e48102fb8766cd83584b97791e65b47ab0bc1c87dbf043e21

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
1.2MB

MD5
068d04275f9099889c6ff8f8f0200b25

SHA1
2738afff2bb4cf25ba8f90c580f72f92ba0f1c75

SHA256
1a51e07f1258ee7c595fcd829662aaf3f859a0ddcf055d7aabdee0ae61178b77

SHA512
53f46714eb64deae4ba8fe14e05194e389609aea8149f150e0f8cde8d6a07e90ad53346f647306c115bdb5db82abd9bbaff902f6a9b42057afbb8363110bd900

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
1.2MB

MD5
8dfb1c6a1f935e45e6af3589f93ac5db

SHA1
6bbc45f19b2f96b4729e6b5ffea991f7e0e669a4

SHA256
65d6dd44518b733bd60b9b9b46256597bf6f6a98bf20428232f134329b7ab2fe

SHA512
a4efeb208fc70b1e802a3e6298dfa208b3540f4a71a0fcbdc6146c4dccb3bbee8d3218796808780c0c81a0c95c7524e7aefc68add8fc7be6e6731851ef843e14

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
1.2MB

MD5
ddbcde4669c4b5baf06c98d7d7ae2441

SHA1
32354fe8bcc5c3d4b5c5b8219b19ad6536fcc5bf

SHA256
e7a338e53580e4011eecca80514fb69f786c78bc5d58c6adb8602a1bb5145c38

SHA512
39e52118653aa6a5ecd07a3863f6c2594562c75c3926cf910e30240ece50420440fdcb9c0c48e9f73233ca2e5bc5204beebf828bc69e7aa3f5031219a1df04f0

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
1.2MB

MD5
bd0b5e7f8bc4355b3cc4f587b09fd847

SHA1
cbf9d69b83017837c25a2242fca9a70bf4dce6b7

SHA256
ec535033c2b5cee0f2ff0b1c7ae4faeb0ecf523401892578d9f0c3599fa61ae1

SHA512
16e908508c0d049227dd6499b5598880e89cd4d7b5a930941844ad9600187a4fd84e1c1021ea810f924f5866db5321939ae85757477f33e95967198a2187d0fd

Download Submit
C:\Windows\SysWOW64\Ocjcidbb.dll

Filesize
7KB

MD5
72b1a043124a479d8d06ee54c049ad73

SHA1
c81cdb1762f9c225843769ab947d4629aa4cc59c

SHA256
a95e915ffa6b319d476c50fbdfd2c4d7baeb7023679aafa3ce4f01fd49c6e24d

SHA512
9ec0341ca43e63de96629fe45fc387273a0d8253614cb3d2fb641bad5558b317e011a172a9edfe1c0e1ff92d55c6ddef93cfc162b65fbf57e2a85e03871aa6f5

Download Submit
\Windows\SysWOW64\Fmjejphb.exe

Filesize
1.2MB

MD5
3dc2bd4e350ad6ac2bf1c64b7feee697

SHA1
14b9c19d4c9cea6342129a0f1daeeddc0946fd35

SHA256
f58c57643bda3306088994b13be863b23e64173a8af6389aa0c41b65b12c143d

SHA512
e7bf4bd3505cc16b67fdc793652ea2b91894ba9ee2d6bcabebcced7d7b9aed9fbc2c887f2267ddb4f3d2c2625dfb25630c4301834b235678ec368c3e97021c57

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
1.2MB

MD5
bfbc350e92b0069f3b94a9cf53a6e43f

SHA1
579e9546e2c9d866cb6e3545310c7e45da23f109

SHA256
e1799422141d7bc458479bdbe2a68247d54f1434e6ba8e981648d5686dc544ea

SHA512
c6fd44a6cd995f427397f7409dcc3793397cff3cc0ac6915f5d1ff1112d99268518012b790cf141bcf352f57945ccb50b5d62ca7e2ecb675bedc26c3f9c3e759

Download Submit
\Windows\SysWOW64\Hejoiedd.exe

Filesize
1.2MB

MD5
2477680631ab2334325315fbb5485f8f

SHA1
64fe68b5444f75c95f7082515519e5fa9c82cedd

SHA256
4cd61edf79a21dbbeecb74cd933e42cf03a207b0ad1146380204b51306672d32

SHA512
075a9e5fb9c67ed00f36c334d82be090b1b6dd01e6a29338835294fb886bfcd121291dc3a1ee205006a495ab0225fe0b468da22f3e9f983ae5e7be2dfa9c96de

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
1.2MB

MD5
28a5d367c57aa260a1c9932e2cb0b96c

SHA1
9236a3330fddd1a8c3c8fdc447d6793718c40a7d

SHA256
c7d26014eacff40c85139f1c11ac619c6bd59d84d5acf28eae1cee1e970bbadc

SHA512
ac4816527c0403fce3740d26cd47d538d0899eef63531591a014ee447c2543eb28aedca284edfdd4263ad59ce2ed0b7d8f58985fefeb577171ed19d7e32e68eb

Download Submit
memory/1364-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1428-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1428-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-182-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1520-181-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1520-155-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1580-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1580-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1580-111-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1580-178-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1580-177-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1616-136-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1616-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1620-179-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1620-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2484-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2484-78-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2484-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2524-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2524-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-43-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2620-126-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-37-0x0000000000360000-0x00000000003A2000-memory.dmp

Filesize
264KB

Download
memory/2676-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2832-98-0x0000000001F80000-0x0000000001FC2000-memory.dmp

Filesize
264KB

Download
memory/2832-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2832-175-0x0000000001F80000-0x0000000001FC2000-memory.dmp

Filesize
264KB

Download
memory/2832-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2872-97-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2872-18-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2872-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2872-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2872-6-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2932-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2932-22-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2932-33-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.