420e8fdcefc2bea9d25601137938b54055911a6948448d6efab39d9d3a128925

General

Target

20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
Size

192KB
MD5

20c430090dc2b47ded461c738479c0f0
SHA1

e08ebd836b3977daa8623d4ab2576b28f4ee0f99
SHA256

420e8fdcefc2bea9d25601137938b54055911a6948448d6efab39d9d3a128925
SHA512

09e95cf36e2a91a8c8bb8e1b8bdccdc0c6b4dd6c9733723f09fab393c20d7cd119f9b94eb6c30e89677090d2ebe0c6a2472ab30c079a9ca4d400c92aba4f484b
SSDEEP

3072:cNTSH6uLkg4YsbSry3RHtqk3vN6outkTy27zU:wTg4h3RNqIl6oSkTl7zU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieqeidnl.exe

Executes dropped EXE 3 IoCs

pid	Process
2364	Hacmcfge.exe
2696	Ieqeidnl.exe
2560	Iagfoe32.exe

Loads dropped DLL 10 IoCs

pid	Process
2728	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
2728	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
2364	Hacmcfge.exe
2364	Hacmcfge.exe
2696	Ieqeidnl.exe
2696	Ieqeidnl.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe
2768	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ieqeidnl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	2560	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2364	2728	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe	28
PID 2728 wrote to memory of 2364	2728	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe	28
PID 2728 wrote to memory of 2364	2728	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe	28
PID 2728 wrote to memory of 2364	2728	20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe	28
PID 2364 wrote to memory of 2696	2364	Hacmcfge.exe	29
PID 2364 wrote to memory of 2696	2364	Hacmcfge.exe	29
PID 2364 wrote to memory of 2696	2364	Hacmcfge.exe	29
PID 2364 wrote to memory of 2696	2364	Hacmcfge.exe	29
PID 2696 wrote to memory of 2560	2696	Ieqeidnl.exe	30
PID 2696 wrote to memory of 2560	2696	Ieqeidnl.exe	30
PID 2696 wrote to memory of 2560	2696	Ieqeidnl.exe	30
PID 2696 wrote to memory of 2560	2696	Ieqeidnl.exe	30
PID 2560 wrote to memory of 2768	2560	Iagfoe32.exe	31
PID 2560 wrote to memory of 2768	2560	Iagfoe32.exe	31
PID 2560 wrote to memory of 2768	2560	Iagfoe32.exe	31
PID 2560 wrote to memory of 2768	2560	Iagfoe32.exe	31

C:\Users\Admin\AppData\Local\Temp\20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\20c430090dc2b47ded461c738479c0f0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\Hacmcfge.exe
  C:\Windows\system32\Hacmcfge.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\Ieqeidnl.exe
    C:\Windows\system32\Ieqeidnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Iagfoe32.exe
      C:\Windows\system32\Iagfoe32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
192KB

MD5
b802ec7478eea4e87af90002c87a2bab

SHA1
1beec2965f31036c6405aa69935755eb9d8cf714

SHA256
97595262efae6458d0ab18290a5804f199c1bf8720bec870ce6cf7370c06fb85

SHA512
a77af00ae4985ac524b44a0a4780d9432c27a7ddce6b5fef408c538a91f18de2fd8ed070395b55454a4766d7834937d39bbc3494e3a4bf850d2987bf15b3a280

Download Submit
\Windows\SysWOW64\Hacmcfge.exe

Filesize
192KB

MD5
bec67a9a2de12bfeb633416cb46e1ce8

SHA1
82f4a7b6558b503b7811ad916d1d1dafc6293a7c

SHA256
1c676449afa517dc41f39b190ad19ef8910c338fad9a7823f737ec271163ae4f

SHA512
9e291944eaafbaa2f75e7087ece3daf9e01952d81d8c8420e55d4bbdcc7262fa8210e564336108b4c6daab44eb6ba3a283c26465ad8cdd3eda4daef0f1dd3ff6

Download Submit
\Windows\SysWOW64\Ieqeidnl.exe

Filesize
192KB

MD5
f512857756cfff487784f95535845a82

SHA1
4cae4e7f9c37494e46c2770f1e23f98e538eaf74

SHA256
12dacebbba34691e1e7ad157ec0ea9ae548bc97a652e3d7ede0e05376c7307d1

SHA512
21a48b9005aed83c9535d6f9540c57f381ae69e16272569ee01ee87c0bd08849213cb13df5be811b818e03e662237a1273deaa80b7c0c6228cb2e0f28f2200bc

Download Submit
memory/2364-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-21-0x0000000001FC0000-0x0000000001FF4000-memory.dmp

Filesize
208KB

Download
memory/2560-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-41-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2696-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-40-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2696-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-13-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2728-6-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads