59421b48a33362c2af2a0caa57c2e47f40b667183f09668f6d1f59bd28deb8cf

General

Target

5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
Size

551KB
MD5

5c1398a02864b2ae53a7f60b2aa5c520
SHA1

c95f93edb31854f617c5a4cf4443f465f7851e02
SHA256

59421b48a33362c2af2a0caa57c2e47f40b667183f09668f6d1f59bd28deb8cf
SHA512

874201faaa8ac1dfdd6f13f09eba02d3e41ac9521b3742ad5a6e8a628572e2f557081b86872c578ba97e197762e1cef8b03d23d934191c4c14a6465b3f9de259
SSDEEP

6144:kVZX/LIdtN5CPXbo92ynnZlVrtv35CPXbo92ynn8sbeWDj9GQeqV05CPXbo92ync:kVidFHRFbe2GQuFHRFbeN

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe

Executes dropped EXE 5 IoCs

pid	Process
3844	Ngedij32.exe
3356	Njcpee32.exe
1964	Nqmhbpba.exe
4428	Ncldnkae.exe
3668	Nkcmohbg.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	3668	WerFault.exe	87

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 3844	1744	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe	83
PID 1744 wrote to memory of 3844	1744	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe	83
PID 1744 wrote to memory of 3844	1744	5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe	83
PID 3844 wrote to memory of 3356	3844	Ngedij32.exe	84
PID 3844 wrote to memory of 3356	3844	Ngedij32.exe	84
PID 3844 wrote to memory of 3356	3844	Ngedij32.exe	84
PID 3356 wrote to memory of 1964	3356	Njcpee32.exe	85
PID 3356 wrote to memory of 1964	3356	Njcpee32.exe	85
PID 3356 wrote to memory of 1964	3356	Njcpee32.exe	85
PID 1964 wrote to memory of 4428	1964	Nqmhbpba.exe	86
PID 1964 wrote to memory of 4428	1964	Nqmhbpba.exe	86
PID 1964 wrote to memory of 4428	1964	Nqmhbpba.exe	86
PID 4428 wrote to memory of 3668	4428	Ncldnkae.exe	87
PID 4428 wrote to memory of 3668	4428	Ncldnkae.exe	87
PID 4428 wrote to memory of 3668	4428	Ncldnkae.exe	87

C:\Users\Admin\AppData\Local\Temp\5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5c1398a02864b2ae53a7f60b2aa5c520_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\Ngedij32.exe
  C:\Windows\system32\Ngedij32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\Njcpee32.exe
    C:\Windows\system32\Njcpee32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Windows\SysWOW64\Nqmhbpba.exe
      C:\Windows\system32\Nqmhbpba.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        6⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 408
        7⤵
        Program crash
        
        PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3668 -ip 3668
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
551KB

MD5
13984807f15350f3902953ba86f4ee40

SHA1
a5eda60355be69c0b17b9791c683aea546f54db5

SHA256
1fccbdf3e5faa5e48ed5c32e5514447181355c10d9a81ccaf63ea1c0d2508cf2

SHA512
2862ed8c726e522192bc95c24b297b214c9cfb05b9a24a3d91887ab923660c581a8f8e3e98251c3296be95d6c2cbc8a3a7a5f3f524c8e951158ef293e0c1c15b

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
551KB

MD5
12e14f5d3b9fce128ad6c9befa20bd78

SHA1
20b4042b910fba418aeecdc5e62470f2dd47c512

SHA256
206e3853fc91cb62ee16fe2d54e114d6dd649c0453454f035cd8e751a8efdf2e

SHA512
d5d9d6e0c2105b3f9749385fdd381369f1669b3d1eeb1ad0db70d1f6f8ff4acf90a181e6f3f7d51eeea2e811ed2989a2ee83a53b44d501875080a1658447f7b7

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
551KB

MD5
b758a6e2f7788f39c31d106ca039631d

SHA1
d7c3e58da92988f165bbc749bb79f712f8da2e44

SHA256
7ec83b1d53fda196201a0aab99e7820c311195a09e3b1d28cdbc8bd73e7be9ad

SHA512
176536f5171f3d279b36202a4f5fefc74750d3be1f3a6529aae22979c2551ea35e72d5f034d78d90ed9fcc95ebfded939a5b55d52a2047771a2245154f925665

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
551KB

MD5
a6844c92587ba20432a49506cfdbbac3

SHA1
f50527656ed0bd3d1eebc938a11a55f09db61777

SHA256
6242717fe9cfb5293a08ddcbbfb8044721b27336e9d75be3fa02b6f1c7d1532c

SHA512
4e6743303f46b3912e6ce03a343f3a2e249f74009bc3aa3077e5e302bc69c6db77da3f8e87c83a3425692a701f48c575f2ba6ccbb66d64ec47bb105211cd6f87

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
551KB

MD5
084147ff6c3a9dae4098bdc9ae1c5239

SHA1
e89c7a734a4696cf863e38dbff7cc895b53a406a

SHA256
bc5f856fb70cc028e0aa8b6caf5fc19aebb120d80a53d4e2eedc39efacb4f576

SHA512
275519e48d5b62f7a8ec7ec234795d013a322a0eeb2b07de0d9d4f99de8019397d6d6402675a9e5aa3ff964eb620dd6c022d71b307a2e128747c62aad1feb0d4

Download Submit
memory/1744-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1744-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-51-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads