55ae0f102ce2544bbf007a55e06b88cad62be40e89c726494478922198e87978

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Size

128KB
MD5

140549cfa8703b51a0df50e512f5f7c0
SHA1

34f7f61217d608fab36f55cafec5ca532dc37371
SHA256

55ae0f102ce2544bbf007a55e06b88cad62be40e89c726494478922198e87978
SHA512

a9829b1ed914f89f89acbdccb0721969984d70c8b83a3ba199645c7ee199f283e8a0d6ff01298ca6aceadd8b066445802242c0a8bc4d66269624a150d2a90f88
SSDEEP

3072:Lzum0PZbwtlK2hM/fz3XrmW2wS7IrHrYj:fxeInuXT7mHwMOHm

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpapln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihoafpmp.exe

Malware Dropper & Backdoor - Berbew 9 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/files/0x00080000000122cd-5.dat	family_berbew
behavioral1/files/0x00080000000161e7-18.dat	family_berbew
behavioral1/files/0x0007000000016572-32.dat	family_berbew
behavioral1/files/0x0007000000016843-45.dat	family_berbew
behavioral1/files/0x0006000000016e94-58.dat	family_berbew
behavioral1/files/0x0006000000017052-72.dat	family_berbew
behavioral1/files/0x00060000000173d8-85.dat	family_berbew
behavioral1/files/0x0006000000017456-98.dat	family_berbew
behavioral1/files/0x000600000001747d-111.dat	family_berbew

Executes dropped EXE 9 IoCs

pid	Process
2216	Hiqbndpb.exe
2112	Hgdbhi32.exe
2552	Hpmgqnfl.exe
2516	Hpocfncj.exe
2536	Hjhhocjj.exe
1520	Hpapln32.exe
1720	Hkkalk32.exe
2780	Ihoafpmp.exe
2956	Iagfoe32.exe

Loads dropped DLL 22 IoCs

pid	Process
2192	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
2192	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
2216	Hiqbndpb.exe
2216	Hiqbndpb.exe
2112	Hgdbhi32.exe
2112	Hgdbhi32.exe
2552	Hpmgqnfl.exe
2552	Hpmgqnfl.exe
2516	Hpocfncj.exe
2516	Hpocfncj.exe
2536	Hjhhocjj.exe
2536	Hjhhocjj.exe
1520	Hpapln32.exe
1520	Hpapln32.exe
1720	Hkkalk32.exe
1720	Hkkalk32.exe
2780	Ihoafpmp.exe
2780	Ihoafpmp.exe
1376	WerFault.exe
1376	WerFault.exe
1376	WerFault.exe
1376	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hiqbndpb.exe	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Omabcb32.dll	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Glqllcbf.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Hiqbndpb.exe	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Hpapln32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hkkalk32.exe	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Cnkajfop.dll	Hiqbndpb.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hpmgqnfl.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Hkkalk32.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Ejdmpb32.dll	Hpapln32.exe
File opened for modification	C:\Windows\SysWOW64\Hpapln32.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Hkkalk32.exe	Hpapln32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Hkkalk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1376	2956	WerFault.exe	36

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Hkkalk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omabcb32.dll"	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpapln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiqbndpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hiqbndpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdmpb32.dll"	Hpapln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkkalk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glqllcbf.dll"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2216	2192	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2216	2192	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2216	2192	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2216	2192	140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2112	2216	Hiqbndpb.exe	29
PID 2216 wrote to memory of 2112	2216	Hiqbndpb.exe	29
PID 2216 wrote to memory of 2112	2216	Hiqbndpb.exe	29
PID 2216 wrote to memory of 2112	2216	Hiqbndpb.exe	29
PID 2112 wrote to memory of 2552	2112	Hgdbhi32.exe	30
PID 2112 wrote to memory of 2552	2112	Hgdbhi32.exe	30
PID 2112 wrote to memory of 2552	2112	Hgdbhi32.exe	30
PID 2112 wrote to memory of 2552	2112	Hgdbhi32.exe	30
PID 2552 wrote to memory of 2516	2552	Hpmgqnfl.exe	31
PID 2552 wrote to memory of 2516	2552	Hpmgqnfl.exe	31
PID 2552 wrote to memory of 2516	2552	Hpmgqnfl.exe	31
PID 2552 wrote to memory of 2516	2552	Hpmgqnfl.exe	31
PID 2516 wrote to memory of 2536	2516	Hpocfncj.exe	32
PID 2516 wrote to memory of 2536	2516	Hpocfncj.exe	32
PID 2516 wrote to memory of 2536	2516	Hpocfncj.exe	32
PID 2516 wrote to memory of 2536	2516	Hpocfncj.exe	32
PID 2536 wrote to memory of 1520	2536	Hjhhocjj.exe	33
PID 2536 wrote to memory of 1520	2536	Hjhhocjj.exe	33
PID 2536 wrote to memory of 1520	2536	Hjhhocjj.exe	33
PID 2536 wrote to memory of 1520	2536	Hjhhocjj.exe	33
PID 1520 wrote to memory of 1720	1520	Hpapln32.exe	34
PID 1520 wrote to memory of 1720	1520	Hpapln32.exe	34
PID 1520 wrote to memory of 1720	1520	Hpapln32.exe	34
PID 1520 wrote to memory of 1720	1520	Hpapln32.exe	34
PID 1720 wrote to memory of 2780	1720	Hkkalk32.exe	35
PID 1720 wrote to memory of 2780	1720	Hkkalk32.exe	35
PID 1720 wrote to memory of 2780	1720	Hkkalk32.exe	35
PID 1720 wrote to memory of 2780	1720	Hkkalk32.exe	35
PID 2780 wrote to memory of 2956	2780	Ihoafpmp.exe	36
PID 2780 wrote to memory of 2956	2780	Ihoafpmp.exe	36
PID 2780 wrote to memory of 2956	2780	Ihoafpmp.exe	36
PID 2780 wrote to memory of 2956	2780	Ihoafpmp.exe	36
PID 2956 wrote to memory of 1376	2956	Iagfoe32.exe	37
PID 2956 wrote to memory of 1376	2956	Iagfoe32.exe	37
PID 2956 wrote to memory of 1376	2956	Iagfoe32.exe	37
PID 2956 wrote to memory of 1376	2956	Iagfoe32.exe	37

C:\Users\Admin\AppData\Local\Temp\140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\140549cfa8703b51a0df50e512f5f7c0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\Hiqbndpb.exe
  C:\Windows\system32\Hiqbndpb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Hgdbhi32.exe
    C:\Windows\system32\Hgdbhi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\SysWOW64\Hpmgqnfl.exe
      C:\Windows\system32\Hpmgqnfl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Hpapln32.exe
        
        C:\Windows\system32\Hpapln32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Hkkalk32.exe
        
        C:\Windows\system32\Hkkalk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fenhecef.dll

Filesize
7KB

MD5
4077c1328171ddc71525ea95622b11bf

SHA1
f1dc2a9091df825640471a9a4265df45cdf39943

SHA256
42fb27c58315771b57442af7bbbf1c1083bb982e4e73ea7c1e5aeffd0eb6ffb2

SHA512
1a669a8d2896e2540aaa7b55a2d68240a25201e9605a8e5dd45be88439dbd97ab26a6a538e405ce326f7585c03705295d8eb7018184f7b5848883de91b6b4bd5

Download Submit
\Windows\SysWOW64\Hgdbhi32.exe

Filesize
128KB

MD5
001ebb0e531f5d4aacc8d670a97912cf

SHA1
8eb11f2cd9dfffaf502ed1472e238fd23194afc7

SHA256
ace33e62acf8612443e98a21ab3d263bff610db86b87e27ebe105a1d278b0247

SHA512
c8e3bd9ed1bdf995ee36df6e0625c634a8b6685dbf87f179a14d47d6200a8c7470404e3fa73e8f8e88cf8d79e8499cf86bffa0985d4852d6c5365526e33afa68

Download Submit
\Windows\SysWOW64\Hiqbndpb.exe

Filesize
128KB

MD5
71568faeeb5b7626788c747cd98b7b39

SHA1
b9f86151a6fe112265e46652320a794c2b9e2218

SHA256
195fbd2c38e6d0cc42bd01f3d76dccef48a14db5ba9a0516e84beba8e1836164

SHA512
6a6a253e0ffef7fc6f322b737c84d4d47cc7a4f31f397b6f93f0270b5bcd9387cc5fa3c8353091f6940508dd72a41e2a1e05dbb392bb3033bdeeddb14d322fce

Download Submit
\Windows\SysWOW64\Hjhhocjj.exe

Filesize
128KB

MD5
5ee1362cc38ba68c2d473b0863846b71

SHA1
fd69a85d269a71bd54f491e9e84149efd2be7ed4

SHA256
333873efc555076006290038fc3bf01e0ac245c8715dc60b65c8fd0694f1a9e7

SHA512
367d374a23f0c08b136895c5446d6a457fc354f74033d8d00664a2e293d1882bb8dd509609e3786a66681485ce8666d41c4b5b3b0199f8555153b167fb4c7d7a

Download Submit
\Windows\SysWOW64\Hkkalk32.exe

Filesize
128KB

MD5
b0c8b793e64e171385a2e4f070e76ae1

SHA1
20c5362ec6ff8a633d4e9c8ea15ed034a1a90db1

SHA256
5a649fdcad9b1f12e1ab9ca54f3328f647da49060653122123b7f357e1f9f2b7

SHA512
ad4a20c5cc01d8f105ecf1547bcccb105afed0ab96fef6a9016112e0ce1441f973d6125a742ce6a84ea87022b927069fa88856f38d6a9940f75952ffd99dd7cd

Download Submit
\Windows\SysWOW64\Hpapln32.exe

Filesize
128KB

MD5
b8f8cc8bdc1cb901336de99ae83cc5e0

SHA1
f94faaade8024d775499271e87732c58300630a8

SHA256
63b195a4fd296d3c24fc35f72500aa922c32b6e8da18f6e16c95f49adc094849

SHA512
b7dcc6fd845036410fa231ed33b5196d0868123763d27a03468f30ac6758ab469d15f0818fde011c01a44ebaaedab21d840ce099b48c7cb65696b833a0645f6f

Download Submit
\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
128KB

MD5
ba003d36b85c9565c4a5f4de19fde1b5

SHA1
3511deb61b7dc06aa8f3736eb8be078472bde4b4

SHA256
7b4fc593f5e5002de4ed22d887bed6d4fe491def7ea58b27e2bccf72e8a53e93

SHA512
40a88f4a34f5c39cd70873e719db75f7ecaec10568d35ab39cee6f77db9ba68c4f882e514865e3fbddf6016d4620ce9a744f3b260ced8f4d3d7136b20f6f6eb5

Download Submit
\Windows\SysWOW64\Hpocfncj.exe

Filesize
128KB

MD5
60b522a6b82ac3e256251fb0b3815583

SHA1
4f57ddb575308280574e697ccf293264f8c0e02e

SHA256
c09aa572e888885384c8fe0bdbe61a33bf951716464f2e12a32bcccd39ee5303

SHA512
eff63815a32b4aeaa6519f02688a312e4436b78d5da107b32484ffdacb9e4a979f18808666dcfd72de9d6b95efc0ca44d5ac45718063b8350d0fa979472bea4d

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
128KB

MD5
5256e2483a5589a468431392b10dd712

SHA1
c548e363f4e3ded9634d28d1b7e756b7c86e6728

SHA256
15bd631ec5f966e848d16e173b47a26db21e08e0941d7a5cf304947d19e1c8db

SHA512
8a60b2797d10255af107031568789d113d45d09b0c33566399bb55f3a00b992484e1a4c83290614dd5223d0f140898b9475c3bdcf8b1156e880b97a75098bb70

Download Submit
\Windows\SysWOW64\Ihoafpmp.exe

Filesize
128KB

MD5
dd55121d6f5d215df769cdd2ac48e466

SHA1
bab4290acd5c4660146b5d4cc9bc2c600f1c7c70

SHA256
53683a4582bb316d0412e95f6411ddd9b9949d74bbe2d5c6870c56ea3531f55b

SHA512
ee80ef13c3fe6e0c5841b7ff95d76abbaac4b3cd5a40162946f3dd5e91cfbacb84dcf4d0b28f89666e5129c199890c849b5e1f0eae6de61a1d80f295fca73826

Download Submit
memory/1520-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1520-87-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/1720-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-33-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2112-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-6-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2192-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-25-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2216-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-59-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2516-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-70-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-117-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2780-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads