gozi | f46c5b2a921e24e7288efc94968e2a75ddf664a9f8a62b491fe2fa94dac253f8

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
Size

163KB
MD5

9ec24a27d113dba8c864075094f03340
SHA1

d539043d873b41b3bc8780a5f3152b82c67c796d
SHA256

f46c5b2a921e24e7288efc94968e2a75ddf664a9f8a62b491fe2fa94dac253f8
SHA512

0da89fd0d84097e8a49723bfefd634238240fbeb783fce03ffc95b3476d7539b779e3077aa531fe75521570cbb89ace3401c84c4a26bcd1679ee4d1d01c53869
SSDEEP

1536:PfWYzUFkfBJfc45tGqS3Leo4c3Nf1lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:oE1LDno42tltOrWKDBr+yJb

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hobcak32.exeHjjddchg.exeHogmmjfo.exeIlknfn32.exeHpmgqnfl.exeGddifnbk.exeHellne32.exeIeqeidnl.exe9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exeHhmepp32.exeHpkjko32.exeHnagjbdf.exeHhjhkq32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 13 IoCs

Processes:

Gddifnbk.exeHpkjko32.exeHpmgqnfl.exeHnagjbdf.exeHobcak32.exeHellne32.exeHhjhkq32.exeHjjddchg.exeHhmepp32.exeHogmmjfo.exeIeqeidnl.exeIlknfn32.exeIagfoe32.exe

pid	process
2200	Gddifnbk.exe
2112	Hpkjko32.exe
2552	Hpmgqnfl.exe
2516	Hnagjbdf.exe
2536	Hobcak32.exe
2420	Hellne32.exe
1156	Hhjhkq32.exe
2772	Hjjddchg.exe
2920	Hhmepp32.exe
3020	Hogmmjfo.exe
2388	Ieqeidnl.exe
2468	Ilknfn32.exe
2760	Iagfoe32.exe

Loads dropped DLL 30 IoCs

Processes:

9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exeGddifnbk.exeHpkjko32.exeHpmgqnfl.exeHnagjbdf.exeHobcak32.exeHellne32.exeHhjhkq32.exeHjjddchg.exeHhmepp32.exeHogmmjfo.exeIeqeidnl.exeIlknfn32.exeWerFault.exe

pid	process
1928	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
1928	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
2200	Gddifnbk.exe
2200	Gddifnbk.exe
2112	Hpkjko32.exe
2112	Hpkjko32.exe
2552	Hpmgqnfl.exe
2552	Hpmgqnfl.exe
2516	Hnagjbdf.exe
2516	Hnagjbdf.exe
2536	Hobcak32.exe
2536	Hobcak32.exe
2420	Hellne32.exe
2420	Hellne32.exe
1156	Hhjhkq32.exe
1156	Hhjhkq32.exe
2772	Hjjddchg.exe
2772	Hjjddchg.exe
2920	Hhmepp32.exe
2920	Hhmepp32.exe
3020	Hogmmjfo.exe
3020	Hogmmjfo.exe
2388	Ieqeidnl.exe
2388	Ieqeidnl.exe
2468	Ilknfn32.exe
2468	Ilknfn32.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe
1312	WerFault.exe

Drops file in System32 directory 39 IoCs

Processes:

9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exeHnagjbdf.exeHjjddchg.exeHpkjko32.exeHellne32.exeHhjhkq32.exeHpmgqnfl.exeHobcak32.exeGddifnbk.exeIeqeidnl.exeIlknfn32.exeHhmepp32.exeHogmmjfo.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Gddifnbk.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Codpklfq.dll	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hobcak32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hogmmjfo.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1312 2760 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
1312	2760	WerFault.exe	Iagfoe32.exe

Modifies registry class 42 IoCs

Processes:

Hellne32.exeHjjddchg.exeHogmmjfo.exeHobcak32.exeHnagjbdf.exeIlknfn32.exeHpmgqnfl.exeHpkjko32.exe9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exeHhjhkq32.exeHhmepp32.exeIeqeidnl.exeGddifnbk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

description	pid	process	target process
PID 1928 wrote to memory of 2200	1928	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe	Gddifnbk.exe
PID 1928 wrote to memory of 2200	1928	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe	Gddifnbk.exe
PID 1928 wrote to memory of 2200	1928	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe	Gddifnbk.exe
PID 1928 wrote to memory of 2200	1928	9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe	Gddifnbk.exe
PID 2200 wrote to memory of 2112	2200	Gddifnbk.exe	Hpkjko32.exe
PID 2200 wrote to memory of 2112	2200	Gddifnbk.exe	Hpkjko32.exe
PID 2200 wrote to memory of 2112	2200	Gddifnbk.exe	Hpkjko32.exe
PID 2200 wrote to memory of 2112	2200	Gddifnbk.exe	Hpkjko32.exe
PID 2112 wrote to memory of 2552	2112	Hpkjko32.exe	Hpmgqnfl.exe
PID 2112 wrote to memory of 2552	2112	Hpkjko32.exe	Hpmgqnfl.exe
PID 2112 wrote to memory of 2552	2112	Hpkjko32.exe	Hpmgqnfl.exe
PID 2112 wrote to memory of 2552	2112	Hpkjko32.exe	Hpmgqnfl.exe
PID 2552 wrote to memory of 2516	2552	Hpmgqnfl.exe	Hnagjbdf.exe
PID 2552 wrote to memory of 2516	2552	Hpmgqnfl.exe	Hnagjbdf.exe
PID 2552 wrote to memory of 2516	2552	Hpmgqnfl.exe	Hnagjbdf.exe
PID 2552 wrote to memory of 2516	2552	Hpmgqnfl.exe	Hnagjbdf.exe
PID 2516 wrote to memory of 2536	2516	Hnagjbdf.exe	Hobcak32.exe
PID 2516 wrote to memory of 2536	2516	Hnagjbdf.exe	Hobcak32.exe
PID 2516 wrote to memory of 2536	2516	Hnagjbdf.exe	Hobcak32.exe
PID 2516 wrote to memory of 2536	2516	Hnagjbdf.exe	Hobcak32.exe
PID 2536 wrote to memory of 2420	2536	Hobcak32.exe	Hellne32.exe
PID 2536 wrote to memory of 2420	2536	Hobcak32.exe	Hellne32.exe
PID 2536 wrote to memory of 2420	2536	Hobcak32.exe	Hellne32.exe
PID 2536 wrote to memory of 2420	2536	Hobcak32.exe	Hellne32.exe
PID 2420 wrote to memory of 1156	2420	Hellne32.exe	Hhjhkq32.exe
PID 2420 wrote to memory of 1156	2420	Hellne32.exe	Hhjhkq32.exe
PID 2420 wrote to memory of 1156	2420	Hellne32.exe	Hhjhkq32.exe
PID 2420 wrote to memory of 1156	2420	Hellne32.exe	Hhjhkq32.exe
PID 1156 wrote to memory of 2772	1156	Hhjhkq32.exe	Hjjddchg.exe
PID 1156 wrote to memory of 2772	1156	Hhjhkq32.exe	Hjjddchg.exe
PID 1156 wrote to memory of 2772	1156	Hhjhkq32.exe	Hjjddchg.exe
PID 1156 wrote to memory of 2772	1156	Hhjhkq32.exe	Hjjddchg.exe
PID 2772 wrote to memory of 2920	2772	Hjjddchg.exe	Hhmepp32.exe
PID 2772 wrote to memory of 2920	2772	Hjjddchg.exe	Hhmepp32.exe
PID 2772 wrote to memory of 2920	2772	Hjjddchg.exe	Hhmepp32.exe
PID 2772 wrote to memory of 2920	2772	Hjjddchg.exe	Hhmepp32.exe
PID 2920 wrote to memory of 3020	2920	Hhmepp32.exe	Hogmmjfo.exe
PID 2920 wrote to memory of 3020	2920	Hhmepp32.exe	Hogmmjfo.exe
PID 2920 wrote to memory of 3020	2920	Hhmepp32.exe	Hogmmjfo.exe
PID 2920 wrote to memory of 3020	2920	Hhmepp32.exe	Hogmmjfo.exe
PID 3020 wrote to memory of 2388	3020	Hogmmjfo.exe	Ieqeidnl.exe
PID 3020 wrote to memory of 2388	3020	Hogmmjfo.exe	Ieqeidnl.exe
PID 3020 wrote to memory of 2388	3020	Hogmmjfo.exe	Ieqeidnl.exe
PID 3020 wrote to memory of 2388	3020	Hogmmjfo.exe	Ieqeidnl.exe
PID 2388 wrote to memory of 2468	2388	Ieqeidnl.exe	Ilknfn32.exe
PID 2388 wrote to memory of 2468	2388	Ieqeidnl.exe	Ilknfn32.exe
PID 2388 wrote to memory of 2468	2388	Ieqeidnl.exe	Ilknfn32.exe
PID 2388 wrote to memory of 2468	2388	Ieqeidnl.exe	Ilknfn32.exe
PID 2468 wrote to memory of 2760	2468	Ilknfn32.exe	Iagfoe32.exe
PID 2468 wrote to memory of 2760	2468	Ilknfn32.exe	Iagfoe32.exe
PID 2468 wrote to memory of 2760	2468	Ilknfn32.exe	Iagfoe32.exe
PID 2468 wrote to memory of 2760	2468	Ilknfn32.exe	Iagfoe32.exe
PID 2760 wrote to memory of 1312	2760	Iagfoe32.exe	WerFault.exe
PID 2760 wrote to memory of 1312	2760	Iagfoe32.exe	WerFault.exe
PID 2760 wrote to memory of 1312	2760	Iagfoe32.exe	WerFault.exe
PID 2760 wrote to memory of 1312	2760	Iagfoe32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ec24a27d113dba8c864075094f03340_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\Gddifnbk.exe
C:\Windows\system32\Gddifnbk.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\Hpkjko32.exe
C:\Windows\system32\Hpkjko32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\Hpmgqnfl.exe
C:\Windows\system32\Hpmgqnfl.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\Hnagjbdf.exe
C:\Windows\system32\Hnagjbdf.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\Hobcak32.exe
C:\Windows\system32\Hobcak32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\Hellne32.exe
C:\Windows\system32\Hellne32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\Hhjhkq32.exe
C:\Windows\system32\Hhjhkq32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\Hjjddchg.exe
C:\Windows\system32\Hjjddchg.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\Hhmepp32.exe
C:\Windows\system32\Hhmepp32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\Hogmmjfo.exe
C:\Windows\system32\Hogmmjfo.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\Ieqeidnl.exe
C:\Windows\system32\Ieqeidnl.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\Ilknfn32.exe
C:\Windows\system32\Ilknfn32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 140
15⤵
- Loads dropped DLL
- Program crash
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hellne32.exe

Filesize
163KB

MD5
32d7537e6091e6c7f59aaa90bf7b3bc7

SHA1
4b37c0a0019442d49e234a63af038e4e10dd9493

SHA256
c4e94a6f2af2a0771a04142378fc2791f2a7332fd4c1ba78e48effb0cf583a7c

SHA512
468c184575823fa61caa8b2960d69261c83f285ec7845a9be8633b9b6df118e9979909e8cd0f56198e61f0ae85950d4c70896d035fd479a422f4fcacc3fae733

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
163KB

MD5
44a8aa103ff26555a30fefd32e48e1c3

SHA1
68fca4ec94f277e1393aa23ce02cda84584d63c2

SHA256
ac46a5335e697ffe9bb5dee25e2917b3923da5de1485dce3c3fa9f4273e44046

SHA512
adf7f2e5c9ec1566eab8aca961393c6b0a8707adf697fc2d89cd02b50fa86962274bbb1f95ea754b970249bb6315eb1560ae82498a1cdfa8f8f68776e87909be

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
163KB

MD5
c53298f6c1954e78955972c91dffa5b0

SHA1
b5dbd3e43a4b5f0470916d7ffb6f0aca5b5655fe

SHA256
ca51e1bdb67d5f0833637c64a6e3ab0012ad7dbace49ed431b0f2fc0a60fa2e8

SHA512
421c2ccb8300ccda20b44fd4390835473af0f58cae02419210cc4e394282979c993f29a064b2fa055aed72f6472f63bc539adf7c7ecf13c497203e4d70f9c159

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
163KB

MD5
26c3c936e72dcb449ea7c07ae78a5bfb

SHA1
0741b5cafe7ae5b84e8f7bb4e650be87d1710f89

SHA256
f69c79afb0afbd0fda1bf28aa66fefde79844b0027362483bcf7eafdf3188cd9

SHA512
b8aa62d1db01acf2dcd7c0ea8f20604e59824b8ef7b7b172c44b8687aa61d4b4eeb2b658a6517bee12beb9b1aaa70b76de4097c60222bb97b9b5d161ae305939

Download Submit
\Windows\SysWOW64\Gddifnbk.exe

Filesize
163KB

MD5
9e8cb0ed2dd567f28cb33203407500c9

SHA1
956af77f8d79fd3ef85993e74759d562f3486196

SHA256
773ef326226980b65730f364f08fa9a4bc2a74b30f0ccac77952f0810781a86d

SHA512
1f6d22790491aa7103c7093897ca2d6c521d3ba96a966246e5b556de6a43fcf0d897c02857199036f4a32ed04707d532492fe13538e10488db48ae8138f2ceca

Download Submit
\Windows\SysWOW64\Hhjhkq32.exe

Filesize
163KB

MD5
0f5ef2d465b248c765789eb1145ebd95

SHA1
5f15750e2a67e29ca7cc71fe44c75db5e682b6e0

SHA256
c98fc4c6cd38a5e5d557d9ece217e6ea7524fe264158ce0c411e7c39817af79e

SHA512
f4f0d9dbc367a80d4f258f037f573ad3a56d65b5b660290bcc1fbe7f123e9f9ee83ff5ac62923ff6bb8620149d75cb32a0ab8cc5133e629bbb88bfb374212437

Download Submit
\Windows\SysWOW64\Hjjddchg.exe

Filesize
163KB

MD5
c9e1b450ebe2bfdb09ed322f347d02ee

SHA1
081788c021cb447f9707e35883d95564cef03a78

SHA256
938a848967fdac1b8345802f75da293b1148498b35b141661e8d7379e1583592

SHA512
dd1f934d5d75ad13375f337cbcf5611bc0685a3fb4d5074775a0e74563aa41c802e9e1c1c6f82df3fa3f7b1364b00e68196e71a86278e5cbaa9c09acb27b5d0b

Download Submit
\Windows\SysWOW64\Hnagjbdf.exe

Filesize
163KB

MD5
41321829cbca9c47214c160a81195e57

SHA1
7360b901c73140c9dcabeb471854b39c23e060c4

SHA256
fdb7ff4f139e8c433048d9c241d3966be7c7865adfaf419a01724c7f42f383e0

SHA512
268623cbb91119f237b5c446e387569862c29719ad2dd2527524af85e273d013c024866a0058776cabf4a644e776776239c3fb95afc2fb6ecf7a7a946a393e3c

Download Submit
\Windows\SysWOW64\Hobcak32.exe

Filesize
163KB

MD5
c3ad13440ee1dfb8fbfd5791587caa95

SHA1
0f3af46a72fb7b4580074440cda580fde43cffea

SHA256
c8d2792247f1466842e763fa70edc16f631ff7408f8cf48d7d538cf6f752d68b

SHA512
3887aa5cac806ae31faa701e74a59da39eeed2fd5546b1373a957c51a12d240586c870b44892b12fa241eddaf2ac255663d6515a10f4d56b792fd3968dc42500

Download Submit
\Windows\SysWOW64\Hpkjko32.exe

Filesize
163KB

MD5
6f89719de4f4f42445cbc6d768d4771c

SHA1
6552444ca29564ab79d21ec66aaa48438586bc06

SHA256
f26ed6ad3d53042e31867cc156bd8042c4c7cc302fbf2cc7649580064d201fba

SHA512
731fe408c16ca5b2dd47e716b761beb1ba8298905cdee85ef2c336c379455038cfd68b18dcc0aa52189c3a981558013930b2c17c304a8bbc662de2555216d1b6

Download Submit
\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
163KB

MD5
7b15efe1d3b73c38a737cfcf23403b65

SHA1
96741cf3d904c9816c87880a54d3ad340125e880

SHA256
030169587a3e09f9f8bdfec60f28645a52a95a541e0cb059dfea4607d7139b12

SHA512
3b8e49afe7960e3f1a99e4ffb460f01581a1e2c186d60a080a16f94bf1dd0abd3a7787525fe331622e4f6eaa46bc3de44489a4b0d50608584fa75ec3847c4481

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
163KB

MD5
24c44ec7fbe926a4ad2954ab63cb2f7c

SHA1
901b7198e59593917f3336d7c90d8bf32a0af40f

SHA256
073b40a40aff556bbe4b9408260d2064384370b3ce72d4243918fa8f4d59068c

SHA512
1095657e99ff5ce5955ae88debeea81dabd13fb91f6d75983986e23545ace5e8e25868427b6d8a194bac3be4e48aa74b4894f71e94ab9177a58ccc26db16f6d4

Download Submit
\Windows\SysWOW64\Ieqeidnl.exe

Filesize
163KB

MD5
984adf4512494d228837be9afc9b25b3

SHA1
813084e625efcdf29bddab8986ba55776c9cc5d7

SHA256
6f7ffaf2f018bb6dd432ea90a18eb2f5fa01678241cd497091f2e87f2fafc6db

SHA512
aa8f77a62ab891b8fe860fcbfbd7fff1fa0fd91acab94f1f3573475ca85bd0d45d4d4c9cc9faf2d0b61d85eff031cec48bf3f44b2619ff71767947a74307cfb1

Download Submit
memory/1156-221-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1156-92-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1928-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1928-207-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1928-6-0x0000000000310000-0x0000000000363000-memory.dmp

Filesize
332KB

Download
memory/2112-39-0x0000000000340000-0x0000000000393000-memory.dmp

Filesize
332KB

Download
memory/2112-211-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2112-27-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2200-26-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/2200-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2388-229-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2388-157-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2388-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2420-84-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2420-219-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2468-159-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2468-233-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2468-167-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2516-61-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2516-53-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2516-215-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2536-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2552-213-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-173-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2772-111-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2772-223-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2772-118-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/2920-225-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3020-131-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3020-144-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/3020-227-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download