29debe063942d570b4089eb30325c045287bfb6b10302a304c4ddbcc1405bec4

General

Target

2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
Size

120KB
MD5

2569b917a3d444726b9f2966a7fffe60
SHA1

10637d0766ca167f4d98f4b1d715c5661b3dc804
SHA256

29debe063942d570b4089eb30325c045287bfb6b10302a304c4ddbcc1405bec4
SHA512

e274eb855d32b9f72ae027e5e1a859921c470496940ffc85cff48bdd6beed81491c52e3c9b382bcc3d78295e2f1814d876f19d2995dd1076c388ca562a449e21
SSDEEP

3072:HnLTFBl93f2AcukXZXVfT9wm5y/pMi/mjRrz3C:rT/L3f2AcJfj5KMi/GC

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nigdcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nndlkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigdcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noalpmli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oendhdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe

Executes dropped EXE 6 IoCs

pid	Process
1512	Nbnlfimp.exe
4256	Nigdcc32.exe
1892	Noalpmli.exe
3624	Nndlkj32.exe
1648	Oendhdjq.exe
4960	Ogmado32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogmado32.exe	Oendhdjq.exe
File opened for modification	C:\Windows\SysWOW64\Ogmado32.exe	Oendhdjq.exe
File opened for modification	C:\Windows\SysWOW64\Nigdcc32.exe	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Hqmbcjhk.dll	Nbnlfimp.exe
File opened for modification	C:\Windows\SysWOW64\Noalpmli.exe	Nigdcc32.exe
File created	C:\Windows\SysWOW64\Lfbpem32.dll	Noalpmli.exe
File created	C:\Windows\SysWOW64\Pmkcjf32.dll	Nndlkj32.exe
File opened for modification	C:\Windows\SysWOW64\Nbnlfimp.exe	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nigdcc32.exe	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Noalpmli.exe	Nigdcc32.exe
File created	C:\Windows\SysWOW64\Jmfijb32.dll	Nigdcc32.exe
File opened for modification	C:\Windows\SysWOW64\Nndlkj32.exe	Noalpmli.exe
File created	C:\Windows\SysWOW64\Nndlkj32.exe	Noalpmli.exe
File opened for modification	C:\Windows\SysWOW64\Oendhdjq.exe	Nndlkj32.exe
File created	C:\Windows\SysWOW64\Daifcmfa.dll	Oendhdjq.exe
File created	C:\Windows\SysWOW64\Nbnlfimp.exe	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hbfqcq32.dll	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Oendhdjq.exe	Nndlkj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1240	4960	WerFault.exe	87

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nigdcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfbpem32.dll"	Noalpmli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfijb32.dll"	Nigdcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nndlkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmkcjf32.dll"	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nigdcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfqcq32.dll"	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifcmfa.dll"	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmbcjhk.dll"	Nbnlfimp.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1512	1624	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe	82
PID 1624 wrote to memory of 1512	1624	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe	82
PID 1624 wrote to memory of 1512	1624	2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe	82
PID 1512 wrote to memory of 4256	1512	Nbnlfimp.exe	83
PID 1512 wrote to memory of 4256	1512	Nbnlfimp.exe	83
PID 1512 wrote to memory of 4256	1512	Nbnlfimp.exe	83
PID 4256 wrote to memory of 1892	4256	Nigdcc32.exe	84
PID 4256 wrote to memory of 1892	4256	Nigdcc32.exe	84
PID 4256 wrote to memory of 1892	4256	Nigdcc32.exe	84
PID 1892 wrote to memory of 3624	1892	Noalpmli.exe	85
PID 1892 wrote to memory of 3624	1892	Noalpmli.exe	85
PID 1892 wrote to memory of 3624	1892	Noalpmli.exe	85
PID 3624 wrote to memory of 1648	3624	Nndlkj32.exe	86
PID 3624 wrote to memory of 1648	3624	Nndlkj32.exe	86
PID 3624 wrote to memory of 1648	3624	Nndlkj32.exe	86
PID 1648 wrote to memory of 4960	1648	Oendhdjq.exe	87
PID 1648 wrote to memory of 4960	1648	Oendhdjq.exe	87
PID 1648 wrote to memory of 4960	1648	Oendhdjq.exe	87

C:\Users\Admin\AppData\Local\Temp\2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2569b917a3d444726b9f2966a7fffe60_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\Nbnlfimp.exe
  C:\Windows\system32\Nbnlfimp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\Nigdcc32.exe
    C:\Windows\system32\Nigdcc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\SysWOW64\Noalpmli.exe
      C:\Windows\system32\Noalpmli.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\SysWOW64\Nndlkj32.exe
        
        C:\Windows\system32\Nndlkj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Windows\SysWOW64\Oendhdjq.exe
        
        C:\Windows\system32\Oendhdjq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Ogmado32.exe
        
        C:\Windows\system32\Ogmado32.exe
        7⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 412
        8⤵
        Program crash
        
        PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4960 -ip 4960
1⤵
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbnlfimp.exe

Filesize
120KB

MD5
f5c6e4b03403357d4416f5213eb1f7d9

SHA1
3571b2032b550d5346d4491ca9c830e06f9c0cc7

SHA256
157711e46c1a7cd59fb072e9c75f2b193b1d07ba29078dfbb3ba93b7d63900d8

SHA512
55097c91d29e0b829d5e678b6aadd4c3385354bb1434154b2f44afc4c9584e025ae1fb34d8d7fe79d4fe720b19d0479bce5b289fc3a79a42db66a2011c76f823

Download Submit
C:\Windows\SysWOW64\Nigdcc32.exe

Filesize
120KB

MD5
b309e6d3830a9cd41b3985bbcbea6e90

SHA1
a64957bc43de4a3dfcabe006319b997899d420cb

SHA256
721354e74a7e3559027ae1f55430efad226585800db1cfeabf2c1f2a1755825a

SHA512
2760b3ac0dc209c257a784f17ed72dc65d36c46e9707fedec930835f66748a132d355a32fca839b694d3e035e4ece7bc3d967cd0aceb98eba6019d1eb1a2cbb5

Download Submit
C:\Windows\SysWOW64\Nndlkj32.exe

Filesize
120KB

MD5
4affd1b71347e73cdc28b8f592db8f17

SHA1
9914c350ba986e622b3bf37ac31db9e9f95bdea5

SHA256
a5ed9c0045c737b5a6106691f927f024edc41d156a5c6d784fd7562ca9f90c61

SHA512
c7846eb5198e06321ae05c395e0ad24d6a47a92e3c664c7b3b196f355dd4cf3c03c93b010fbb06ed2d1731ea61f4b20ce55fc85101416118facb9c28f08f5ddc

Download Submit
C:\Windows\SysWOW64\Noalpmli.exe

Filesize
120KB

MD5
7a5282e6b7a6b821953e8e7e185d8031

SHA1
3d4e6cdcb1ba1e2a3bc53f505bdb477032156154

SHA256
4aae232e2079251799f76f394357c92224128b7d8e21d60143d18dd6906c3813

SHA512
aed22daba90c62da7031b4737597bf3602d8817f5587ba50b7331c76f191c6f2bda560c636325c64d99cc9ba6b51606649adecb0e63ce893d97f4b92773084d0

Download Submit
C:\Windows\SysWOW64\Oendhdjq.exe

Filesize
120KB

MD5
a204af9cc6139f1f224446d1ccacdbbd

SHA1
01a9d9ca3c4c64cf88abd0201d612ebe0baeb97f

SHA256
90018077badc114fdb2d52170015879383b0c13f7b59ed0404e9111384662dd8

SHA512
a763a662882c3824941c2f11ac9ff57c199bed3e4fd801613e0b5f44d32e2fdb2658b23cdfda69164c200421b50be09097ab697844e717c0201593ff8491aba6

Download Submit
C:\Windows\SysWOW64\Ogmado32.exe

Filesize
120KB

MD5
a63e3c45ae9af83f2e85c508f8ff5319

SHA1
add1b7f146b7c889c22b048868db7d1d7aba04e0

SHA256
4720decb443935fddd16d5c3bc0833a0c8dcc03904e47ac3fbde7ba61b2d719c

SHA512
a9e394a7dd1a0044c20e3170392be8adf0671caa45d6813ce39ba34810e6961d30c2d1ccf0f86f0b8868b69d27530173f1cf14cc045d235c0439284920b93896

Download Submit
C:\Windows\SysWOW64\Pmkcjf32.dll

Filesize
7KB

MD5
c626f6a0ba18ba8c078dd96a18c46d12

SHA1
d542c175c45ce96f95e6fc48aee4c50ca137469a

SHA256
891939babef4428ef6a92ce9845792462ccd76a6663eed728a3da3f1628c6d6c

SHA512
24426dc7493e8f5649c3c37d37e2f2855a1417725e4b0ff76f9ffbb392ad3f14a5499bc621a041ff5af672980b6d36d71a2315fb550f0dff80f1575d6ee54020

Download Submit
memory/1512-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1512-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1892-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads