f2813fb0682188670acc86ca8fdf5d89ddd2aab955b687d8d03f8233649b12b8

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
Size

96KB
MD5

5f2f7a8a4b3ac5ad488d173f39b0fa10
SHA1

88c5f52713ce52965def984b38a2cfce73b674b2
SHA256

f2813fb0682188670acc86ca8fdf5d89ddd2aab955b687d8d03f8233649b12b8
SHA512

f1043b54a4d0b33fc6c1acd483a65f1b8d57c23aff48c98f3b64bd4cb3504033e0d298c491ef93464127abe5f6e304d138bd62f10f27e067ba9aa7926590655b
SSDEEP

1536:JUF78QuLH5T3tcxb30aGwJQn16DviQw0xnJ/BOmmuhCMy0QiLiizHNQNdq:JUxeljtcxbEaGXx0lJ5OmmuhCMyELiAd

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nndlkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnpcpjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nejkmdnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkccjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngfkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbibki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndgoge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nejkmdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkccjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkfpon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkojooih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbibki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnpcpjfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkfpon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkojooih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndgoge32.exe

Executes dropped EXE 11 IoCs

pid	Process
3652	Nkojooih.exe
1968	Nbibki32.exe
2704	Ndgoge32.exe
4620	Ngfkcp32.exe
4052	Nnpcpjfi.exe
1980	Nejkmdnf.exe
1004	Nkccjo32.exe
940	Nbnlfimp.exe
2100	Nkfpon32.exe
5036	Nndlkj32.exe
2748	Ogmado32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nejkmdnf.exe	Nnpcpjfi.exe
File created	C:\Windows\SysWOW64\Midmcack.dll	Nnpcpjfi.exe
File created	C:\Windows\SysWOW64\Nkccjo32.exe	Nejkmdnf.exe
File opened for modification	C:\Windows\SysWOW64\Nbnlfimp.exe	Nkccjo32.exe
File created	C:\Windows\SysWOW64\Hbfqcq32.dll	Nkccjo32.exe
File opened for modification	C:\Windows\SysWOW64\Nndlkj32.exe	Nkfpon32.exe
File opened for modification	C:\Windows\SysWOW64\Ogmado32.exe	Nndlkj32.exe
File created	C:\Windows\SysWOW64\Gejcdjej.dll	Nkojooih.exe
File created	C:\Windows\SysWOW64\Daifcmfa.dll	Nndlkj32.exe
File opened for modification	C:\Windows\SysWOW64\Ndgoge32.exe	Nbibki32.exe
File created	C:\Windows\SysWOW64\Nnpcpjfi.exe	Ngfkcp32.exe
File created	C:\Windows\SysWOW64\Kikkoh32.dll	Nejkmdnf.exe
File created	C:\Windows\SysWOW64\Ndgoge32.exe	Nbibki32.exe
File opened for modification	C:\Windows\SysWOW64\Nkfpon32.exe	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Lfbpem32.dll	Nkfpon32.exe
File created	C:\Windows\SysWOW64\Nkfpon32.exe	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Cknhgocb.dll	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ngfkcp32.exe	Ndgoge32.exe
File created	C:\Windows\SysWOW64\Nbnlfimp.exe	Nkccjo32.exe
File created	C:\Windows\SysWOW64\Nkojooih.exe	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Iijjgi32.dll	Ndgoge32.exe
File opened for modification	C:\Windows\SysWOW64\Nkccjo32.exe	Nejkmdnf.exe
File created	C:\Windows\SysWOW64\Ngfkcp32.exe	Ndgoge32.exe
File created	C:\Windows\SysWOW64\Nbibki32.exe	Nkojooih.exe
File created	C:\Windows\SysWOW64\Fdnnhief.dll	Nbibki32.exe
File opened for modification	C:\Windows\SysWOW64\Nejkmdnf.exe	Nnpcpjfi.exe
File created	C:\Windows\SysWOW64\Nndlkj32.exe	Nkfpon32.exe
File created	C:\Windows\SysWOW64\Ogmado32.exe	Nndlkj32.exe
File opened for modification	C:\Windows\SysWOW64\Nkojooih.exe	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nnpcpjfi.exe	Ngfkcp32.exe
File created	C:\Windows\SysWOW64\Nlofepqg.dll	Ngfkcp32.exe
File created	C:\Windows\SysWOW64\Ccbahp32.dll	Nbnlfimp.exe
File opened for modification	C:\Windows\SysWOW64\Nbibki32.exe	Nkojooih.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5048	2748	WerFault.exe	92

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnpcpjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnpcpjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkccjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndgoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlofepqg.dll"	Ngfkcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkojooih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnnhief.dll"	Nbibki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfqcq32.dll"	Nkccjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkojooih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngfkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nejkmdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfbpem32.dll"	Nkfpon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbibki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkccjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nndlkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejcdjej.dll"	Nkojooih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndgoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngfkcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkfpon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkfpon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifcmfa.dll"	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknhgocb.dll"	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbibki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nejkmdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iijjgi32.dll"	Ndgoge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midmcack.dll"	Nnpcpjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikkoh32.dll"	Nejkmdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbahp32.dll"	Nbnlfimp.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 3652	404	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe	81
PID 404 wrote to memory of 3652	404	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe	81
PID 404 wrote to memory of 3652	404	5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe	81
PID 3652 wrote to memory of 1968	3652	Nkojooih.exe	82
PID 3652 wrote to memory of 1968	3652	Nkojooih.exe	82
PID 3652 wrote to memory of 1968	3652	Nkojooih.exe	82
PID 1968 wrote to memory of 2704	1968	Nbibki32.exe	83
PID 1968 wrote to memory of 2704	1968	Nbibki32.exe	83
PID 1968 wrote to memory of 2704	1968	Nbibki32.exe	83
PID 2704 wrote to memory of 4620	2704	Ndgoge32.exe	84
PID 2704 wrote to memory of 4620	2704	Ndgoge32.exe	84
PID 2704 wrote to memory of 4620	2704	Ndgoge32.exe	84
PID 4620 wrote to memory of 4052	4620	Ngfkcp32.exe	85
PID 4620 wrote to memory of 4052	4620	Ngfkcp32.exe	85
PID 4620 wrote to memory of 4052	4620	Ngfkcp32.exe	85
PID 4052 wrote to memory of 1980	4052	Nnpcpjfi.exe	86
PID 4052 wrote to memory of 1980	4052	Nnpcpjfi.exe	86
PID 4052 wrote to memory of 1980	4052	Nnpcpjfi.exe	86
PID 1980 wrote to memory of 1004	1980	Nejkmdnf.exe	87
PID 1980 wrote to memory of 1004	1980	Nejkmdnf.exe	87
PID 1980 wrote to memory of 1004	1980	Nejkmdnf.exe	87
PID 1004 wrote to memory of 940	1004	Nkccjo32.exe	88
PID 1004 wrote to memory of 940	1004	Nkccjo32.exe	88
PID 1004 wrote to memory of 940	1004	Nkccjo32.exe	88
PID 940 wrote to memory of 2100	940	Nbnlfimp.exe	90
PID 940 wrote to memory of 2100	940	Nbnlfimp.exe	90
PID 940 wrote to memory of 2100	940	Nbnlfimp.exe	90
PID 2100 wrote to memory of 5036	2100	Nkfpon32.exe	91
PID 2100 wrote to memory of 5036	2100	Nkfpon32.exe	91
PID 2100 wrote to memory of 5036	2100	Nkfpon32.exe	91
PID 5036 wrote to memory of 2748	5036	Nndlkj32.exe	92
PID 5036 wrote to memory of 2748	5036	Nndlkj32.exe	92
PID 5036 wrote to memory of 2748	5036	Nndlkj32.exe	92

C:\Users\Admin\AppData\Local\Temp\5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5f2f7a8a4b3ac5ad488d173f39b0fa10_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SysWOW64\Nkojooih.exe
  C:\Windows\system32\Nkojooih.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\Nbibki32.exe
    C:\Windows\system32\Nbibki32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\Ndgoge32.exe
      C:\Windows\system32\Ndgoge32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\Ngfkcp32.exe
        
        C:\Windows\system32\Ngfkcp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
      - C:\Windows\SysWOW64\Nnpcpjfi.exe
        
        C:\Windows\system32\Nnpcpjfi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Nejkmdnf.exe
        
        C:\Windows\system32\Nejkmdnf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Nkccjo32.exe
        
        C:\Windows\system32\Nkccjo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Nbnlfimp.exe
        
        C:\Windows\system32\Nbnlfimp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Nkfpon32.exe
        
        C:\Windows\system32\Nkfpon32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Nndlkj32.exe
        
        C:\Windows\system32\Nndlkj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Ogmado32.exe
        
        C:\Windows\system32\Ogmado32.exe
        12⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 420
        13⤵
        Program crash
        
        PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2748 -ip 2748
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbibki32.exe

Filesize
96KB

MD5
dacbfccea4d5aefb175d634937d2c395

SHA1
3c9b50ee9b30d643226d8043c6dbc1e80e63d6ad

SHA256
e9b293c6899cf4ea04005e08b8763aacb55ad04dae1d4a5733d37a678fcb0cba

SHA512
c2a33c586a86323ae0119af2343a8b87bf33c9706ab0a5b65275d25743c73fc555ebf1966aabde8c7bd4d727a74ab9ca05e1e5a34d1e036024ed37e81333d9d8

Download Submit
C:\Windows\SysWOW64\Nbnlfimp.exe

Filesize
96KB

MD5
5630ffe6e8e456244fe43b0c9b5fa095

SHA1
19b112f010a267db88d9232c573c8aba25b29be4

SHA256
1f9455a8edc5b3824744556051140c646169b8db3ecf0db1d6a44fa3f8274f30

SHA512
c8a0d6308830d471ebc2e6e7aa5272c8c4a658910f44ba6e3f90241eda0437cc854b19fcb1198b96c32f72a126f48a4b2fac475f42f756b463d217b938a0a9a8

Download Submit
C:\Windows\SysWOW64\Ndgoge32.exe

Filesize
96KB

MD5
066cd7707bb20081828c7fb473c60131

SHA1
d4d865b6080ac7cf94363ca75b2d11f6acd36d3c

SHA256
816342a094484b8c4f890e5ea21dd093549e2c4f57ba10d71ab0e06ca672d8c8

SHA512
df251a473079748f2abbb82ef22dc279ee2b81a0e037316393294f6f4b1d20d8f49cc6e5b5a2a0f4aeb1b2bfdfe4b8389d766c0b691da7521400eafce2af9701

Download Submit
C:\Windows\SysWOW64\Nejkmdnf.exe

Filesize
96KB

MD5
07ae32a1a6753817ddb90930927af645

SHA1
0a5776277d7b9c4884e02692f64028340d1a2531

SHA256
85b650a6889f11a432c7a6c8b303ac79a445d7599c504269d033c1e537bd11cd

SHA512
67671a48974b654586eb0cbaeece9621b601dbe285218ea3fd7043496ea50d9d8f4ec0647010a5da471a3c161ef424534e9ba592014562ffe71486e9f3f84181

Download Submit
C:\Windows\SysWOW64\Ngfkcp32.exe

Filesize
96KB

MD5
22d066fef6a758f4c630f2aaf4de984b

SHA1
aa34f29528d7f598984274fa794411a87b9b69da

SHA256
4712e981781998826b6b389775372facd7d37af04a30f752e98954622e565a42

SHA512
a8fe3b128062ea7ded01b8088e16f87cfa9624ec0c7db1cb1304ed6225711658f942c8f3965fe8dfb19bcb55946b37a0a37b91f976f27880bd4754e957ecf205

Download Submit
C:\Windows\SysWOW64\Nkccjo32.exe

Filesize
96KB

MD5
7194fc78f5b3055a1eea975125378b0f

SHA1
b6a847a326764983b864ba7640eb4c7e16e6ff8b

SHA256
19ebcf1db7ed0ebe7ed1b5b9bc4cc13e16c0fe94d22a6f24a119c96d552556cb

SHA512
7e12bb3e637773132d890890a34ce37d675e46c22455af24502b70751d368e5f7d0c7a5efd998b9f6baa043190bda652297946dc7427343909bd570bd0b5a84f

Download Submit
C:\Windows\SysWOW64\Nkfpon32.exe

Filesize
96KB

MD5
140cae23260c9c7b6ed33d9a6df9335a

SHA1
e8123f716790011339dcfb47e450fdcebc5313e9

SHA256
f686e9c6fd9fe57ef088272aa087d1eb3e48d501342a36556ba7f11d9a654669

SHA512
29a578a05e2ca2c29e6a156b51f424d43696d3279371fb4baf398e9bd42214ba020ccb247c8b71f69694bd50d9674a428b5777bab1524a8059943d174ab72075

Download Submit
C:\Windows\SysWOW64\Nkojooih.exe

Filesize
96KB

MD5
c25208fe62281289862b794362460812

SHA1
8ba8fac911971c5d65ffdf623ca0365ad712b50c

SHA256
3b7a2ee12b51e5c9c518588f83b9951c18f0e2538901fedb51c8ffb6072e3fca

SHA512
0915583b6ae38b55ccd0d11836a1d183cb636abf8abb370978d1ffe9386a00ba983e9dfe3d7776857574cf682ac5aba4f13399748b819395cf0a96eae18e4130

Download Submit
C:\Windows\SysWOW64\Nlofepqg.dll

Filesize
7KB

MD5
b4baf3ff9cc9d1da4215f3fd1103633f

SHA1
9319a8016f64383531a1fa5271c281b12dea670e

SHA256
83954695ee83a2f86d8930bd34fe1e881ec55f53648b966be76dbc74d227e100

SHA512
8d71e233daa2f247486fbb193a44f9d6a3f887dcca357015fcc11c1357102ee1be9165ecf12141817cc11b287382b473fc6b4984af78178ecbaf5d30b81ef832

Download Submit
C:\Windows\SysWOW64\Nndlkj32.exe

Filesize
96KB

MD5
bfc2cc574102a084ffc17f04975be10a

SHA1
edee49f946990587f321288d72ceb21d7771c4a7

SHA256
331e075f84fb7cd9159181aa14ca9388574de9278fcc354eb61a31564f397d71

SHA512
57f34ff68ac1a412f4eddb21caca0856624c14093ce5c9a2ce061c4833a7b9cd75df71cdaab8e192ed3eaad5d5c756be3f02f1ca272ae140fecfea1a2c01cf76

Download Submit
C:\Windows\SysWOW64\Nnpcpjfi.exe

Filesize
96KB

MD5
42883fdd148561611b9054f2c063b951

SHA1
bae29862fd9d353a973b16ed7a0901d3d758bc50

SHA256
f86c421e18ec02a7a4c45c5fa2e4c97554a6a818e759cfdde680e386b50c79f2

SHA512
49f19948c16f2b03c03eb2cb3788c527f02f0a405a470bf1e879e39757aa6a12d2479ba17d140c8d67b55d9cd933f97bebb8cdd8ef46ebcd0b979b2e9f93502f

Download Submit
C:\Windows\SysWOW64\Ogmado32.exe

Filesize
96KB

MD5
904a09495e231d989a576d2aa576eb3e

SHA1
984c885e7454d7a398c6b675ddc216c845a391ff

SHA256
7c07242998db1bec53ab8f6b27b73dc49eea80bc128bafd5e0c67858f1c91656

SHA512
43b6a4c5d554f79f0d940177f01d635a400e8813983a2a4016b25f49f6fcaacbe9bbb3582ef26c87de15b4137ca3fa5f7fd3055f5ff07d6bfc51b7b693a410d1

Download Submit
memory/404-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/404-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/940-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/940-94-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1004-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1004-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1980-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1980-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-93-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2748-91-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2748-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4052-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4052-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4620-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4620-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5036-92-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5036-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads