cf7dbdf018e4f3d2507dd6d0028a939c418c0aa4230da1070a0dd324d980b767

General

Target

b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
Size

479KB
MD5

b7df08711da06fc9ad1c594ef23ba9d0
SHA1

f541f777d603a1680a207fa6d4118fecc771d55f
SHA256

cf7dbdf018e4f3d2507dd6d0028a939c418c0aa4230da1070a0dd324d980b767
SHA512

2c48f3dd1ca75ae057e3c1b426ad1c2b1c72cd5153d216b27daebc77d8c4db3374fd3de00b19f3b2cebedb9e2022d9661316d4c8e0092474e87714b526db7ee9
SSDEEP

6144:hGTDUppmzyPOwXYrMdlvkGr0f+uPOwXYrMdl2MPnhd8+ZDI:htChwIaJwISfPI

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe

Executes dropped EXE 2 IoCs

pid	Process
3276	Ncldnkae.exe
1812	Nkcmohbg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ncldnkae.exe	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4532	1812	WerFault.exe	83

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 3276	4728	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe	82
PID 4728 wrote to memory of 3276	4728	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe	82
PID 4728 wrote to memory of 3276	4728	b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe	82
PID 3276 wrote to memory of 1812	3276	Ncldnkae.exe	83
PID 3276 wrote to memory of 1812	3276	Ncldnkae.exe	83
PID 3276 wrote to memory of 1812	3276	Ncldnkae.exe	83

C:\Users\Admin\AppData\Local\Temp\b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b7df08711da06fc9ad1c594ef23ba9d0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\Ncldnkae.exe
  C:\Windows\system32\Ncldnkae.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SysWOW64\Nkcmohbg.exe
    C:\Windows\system32\Nkcmohbg.exe
    3⤵
    - Executes dropped EXE
    PID:1812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 400
      4⤵
      Program crash
      PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1812 -ip 1812
1⤵
PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
479KB

MD5
bad97e82a59c3f6b24bf1feaeaaeb6b4

SHA1
188332efa89138c8e9e595232aa648762fa93c1b

SHA256
1d7642d7ea585b48f56a79e8bac282ab3ef8f3c143e60fb4aa3b52c06d555cfa

SHA512
9b517dc6b7462c50811cb7b7cdcde96a7709d765973acf6264ae17bcb2075d53ca619295126ba0d79ae27438e9ad032048ff0cccafeebf89a8a7cea87813fc6d

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
479KB

MD5
1a62c3f420e58be4e86ce17efa68404f

SHA1
8722ad3d80f773050da0d46ac1ecb037e032dd3a

SHA256
86449b222f9df27875e182ef57a64607624627eaaabed8784b6d7819b6285700

SHA512
5ec4ef430283f172dcf6db3aae965bf7d74fcfeb95a077d80954b4796c782cf50cb24c020e02ced9173c13865b02d955fcbbc9ca604cec8dcdde316fb44598e9

Download Submit
memory/1812-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4728-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads