47f73b8e28790007e56cca805c98655fad56e1fbb1b4313e213fb39fb42c5ef3

General

Target

085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
Size

186KB
MD5

085cec3d530f3bc9e5446085363a0710
SHA1

74442f607e72d28f716f387d061757ea73cb7c24
SHA256

47f73b8e28790007e56cca805c98655fad56e1fbb1b4313e213fb39fb42c5ef3
SHA512

271ae09fa70fe22e9c901f94ed18507bc03a61475870bfbb125d4c9bc5f8f3f6e836fe40c8aee5e8266acd5a071a827110f17c9d0dae0a7f1c8cfcc816c9ccd1
SSDEEP

3072:ATMBROp/PFhFv+Y4H1vkF3VOMC4uMhZpMdoVBRDI+Vvlg3vG:AgYFhF+Jk/4AcgHuv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe

Executes dropped EXE 6 IoCs

pid	Process
2600	Ncihikcg.exe
688	Njcpee32.exe
1580	Nbkhfc32.exe
2612	Ndidbn32.exe
5036	Nggqoj32.exe
2264	Nkcmohbg.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3344	2264	WerFault.exe	88

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2600	2240	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe	83
PID 2240 wrote to memory of 2600	2240	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe	83
PID 2240 wrote to memory of 2600	2240	085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe	83
PID 2600 wrote to memory of 688	2600	Ncihikcg.exe	84
PID 2600 wrote to memory of 688	2600	Ncihikcg.exe	84
PID 2600 wrote to memory of 688	2600	Ncihikcg.exe	84
PID 688 wrote to memory of 1580	688	Njcpee32.exe	85
PID 688 wrote to memory of 1580	688	Njcpee32.exe	85
PID 688 wrote to memory of 1580	688	Njcpee32.exe	85
PID 1580 wrote to memory of 2612	1580	Nbkhfc32.exe	86
PID 1580 wrote to memory of 2612	1580	Nbkhfc32.exe	86
PID 1580 wrote to memory of 2612	1580	Nbkhfc32.exe	86
PID 2612 wrote to memory of 5036	2612	Ndidbn32.exe	87
PID 2612 wrote to memory of 5036	2612	Ndidbn32.exe	87
PID 2612 wrote to memory of 5036	2612	Ndidbn32.exe	87
PID 5036 wrote to memory of 2264	5036	Nggqoj32.exe	88
PID 5036 wrote to memory of 2264	5036	Nggqoj32.exe	88
PID 5036 wrote to memory of 2264	5036	Nggqoj32.exe	88

C:\Users\Admin\AppData\Local\Temp\085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\085cec3d530f3bc9e5446085363a0710_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\Ncihikcg.exe
  C:\Windows\system32\Ncihikcg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\Njcpee32.exe
    C:\Windows\system32\Njcpee32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\SysWOW64\Nbkhfc32.exe
      C:\Windows\system32\Nbkhfc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        7⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 400
        8⤵
        Program crash
        
        PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2264 -ip 2264
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
186KB

MD5
19958befc69cfe8a7b404739f36e623d

SHA1
98c1bdc838bf41f867e7cd0bc1411dff303aceb3

SHA256
25e94103a6a8ea8ff75dcb581159f171e40c76e86d1b5b261feb85a8dc339f25

SHA512
eb6bbaab3b2f9cf1fc12a83641f91c0eb396262b2617c2b15c58df81663a7b28e43cb4d4f6a09a9d97f4416fb040b6a565e2366eedc6e658d2533504d365c8b6

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
186KB

MD5
f91d8597cb1753b39af2db5bfeba2bf1

SHA1
0d43146b59cec8e38366eeea94d7824266783cc6

SHA256
91abb5aff33280375d19703b760b4bc95f6fb7b107379547526f8f33180ba721

SHA512
12564f3be9c24a72ae618597ff95d5cd8bb9b4a73c44756be33ff0a0d16524b70a69992dc9944a773df35e50013fba303f9e0b4e93a14043373054b2eee731c3

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
186KB

MD5
3dfea13c891d5d3e1f3818c61ebf0d4c

SHA1
84f7b891421c1e05aae82c5a68e5d3c6fa9bb313

SHA256
15a38976d4872198d0455ace4e71774be359b2ffc9972c73c47f8b3a61695702

SHA512
13b781475fcdc95dd4814b22f38f6a98770b682490a724a2e7788d611e01ee1909000adce6a953f0cc9b49b009265732b6f9406a0fd917b17574158461c78a27

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
186KB

MD5
33d4b3d8358c21870dc8c0eb22274964

SHA1
37e26843814dfd8c50d694c25a2df6fa431942dd

SHA256
34ba63ab104ff32d2664bd00cb35e91db28d3d58c1eec13e3497f9bc7784261c

SHA512
f150d2c6499649b8997cd64d67ecbe66923a38fee1f7e4481c8b853c8563c5a513df296888c2f3b7d656fe81ce67ff98f30ea15ba8df88ebd152cfbb8c2b9325

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
186KB

MD5
bad59541994eb2a8db586d7a99f25097

SHA1
9c3860cc343107a18d1a2525f98aa1d2d23e8dfa

SHA256
b253eba3eede8d9383b2c3007d9d342499941f3f0d0f30f707654cd0d55a9416

SHA512
7b093f35ca57fc350ad4ca4d47a869a821bbc53194d0546f59deacb2e718279aff2620ee1f68efcf39b44a8806ff9f54ccdcb570f1482e076750ada3c05976b8

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
186KB

MD5
f1175cb301bca15b9fe8f0f872bff67d

SHA1
103958d311ce50c1ac05175f1fd26b78695c401a

SHA256
24a16cbcf43f700c37f27552851fd948239bf6fc34090c6b71defbd40d1391fb

SHA512
2d5c50f5f3953eb73664eeeeaf65581da2559098114ddbd1673c91377d4bed53f285250677e8b3c01b82506e16d2dae99c6f414188658526ba29a699f94ad1a2

Download Submit
memory/688-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-2-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2240-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads