e0ce048cd286a8832319a6f31eab03a2e3a20eb429d2648a1e3b2b9d9f9b2e26

General

Target

5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
Size

79KB
MD5

5b0a81197f831adbf18c34c08fe54050
SHA1

343f3022ff69770043b0d039f2aa8754855b26a7
SHA256

e0ce048cd286a8832319a6f31eab03a2e3a20eb429d2648a1e3b2b9d9f9b2e26
SHA512

cefc0e1a5dd152685404a01eb4f9aef516fa606cb83e05170507a2048c4d981277a21244e0d9ef20ddbd2f5e4fde0c34f83d1837ff5cce8a6c06eb83c3d7e5d4
SSDEEP

1536:zzXUiFW0Flb41TcfW6Rkv/dJgPkoVo7mhoD1iRnBsAZrI1jHJZrR:vfz04fE1JgMFGmAu1jHJ9R

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe

Executes dropped EXE 3 IoCs

pid	Process
2008	Behgcf32.exe
2616	Bhhpeafc.exe
2736	Cacacg32.exe

Loads dropped DLL 10 IoCs

pid	Process
1468	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
1468	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
2008	Behgcf32.exe
2008	Behgcf32.exe
2616	Bhhpeafc.exe
2616	Bhhpeafc.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe
2672	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2672	2736	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2008	1468	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe	28
PID 1468 wrote to memory of 2008	1468	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe	28
PID 1468 wrote to memory of 2008	1468	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe	28
PID 1468 wrote to memory of 2008	1468	5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe	28
PID 2008 wrote to memory of 2616	2008	Behgcf32.exe	29
PID 2008 wrote to memory of 2616	2008	Behgcf32.exe	29
PID 2008 wrote to memory of 2616	2008	Behgcf32.exe	29
PID 2008 wrote to memory of 2616	2008	Behgcf32.exe	29
PID 2616 wrote to memory of 2736	2616	Bhhpeafc.exe	30
PID 2616 wrote to memory of 2736	2616	Bhhpeafc.exe	30
PID 2616 wrote to memory of 2736	2616	Bhhpeafc.exe	30
PID 2616 wrote to memory of 2736	2616	Bhhpeafc.exe	30
PID 2736 wrote to memory of 2672	2736	Cacacg32.exe	31
PID 2736 wrote to memory of 2672	2736	Cacacg32.exe	31
PID 2736 wrote to memory of 2672	2736	Cacacg32.exe	31
PID 2736 wrote to memory of 2672	2736	Cacacg32.exe	31

C:\Users\Admin\AppData\Local\Temp\5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5b0a81197f831adbf18c34c08fe54050_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\Behgcf32.exe
  C:\Windows\system32\Behgcf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\Bhhpeafc.exe
    C:\Windows\system32\Bhhpeafc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\Cacacg32.exe
      C:\Windows\system32\Cacacg32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Behgcf32.exe

Filesize
79KB

MD5
1ab03e67e662b0c3f8664c0716b7244e

SHA1
707c1eabfb7138c8eefe3f04e2d31a33837c2c1f

SHA256
052d51e941645a42fe2ea5178e213445df1bf07ca08fd29d54c2bb885eed9fdd

SHA512
06b9b4772dd73f1b4b4d43f2b3db8909af8b82fd91cc2da2691a8976cd6627576c201f1acfa00f071f372066ee181b49821a2ab1ea32de67479464809715f213

Download Submit
\Windows\SysWOW64\Bhhpeafc.exe

Filesize
79KB

MD5
c9c6e374db612220022e89ac15d00235

SHA1
95d9d24140f06130788db80ee4234a139436993b

SHA256
d3df6ff195405258f076433a51e0122b69b5c0e6ee0f2ef1b45189a9f8452b94

SHA512
ae4bc65cc02ed26e3db3daddbedfcfe54b37bb44514fde85919e06f96aaee1c36c4687c1aa66e8ec9b6577a9aebd0182a958c843fcf55cc907495beff38d3661

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
79KB

MD5
c4d3b3b88db7cf54739e410d135af3e5

SHA1
da9834cee27eb59423fabcef1a7c667ba222d86e

SHA256
6ad2ea84d6dd0f44cc0f709757633cd857c1d44cca5f3edf01bf46b7fafccad7

SHA512
1a39d32c35d179d64bb604afe330f51e43e15bb6bcb604f618bed3384b31d9562fb8a45337fe9d56f3c75ee2a60a4a4014dcdd48304de986be4fdf59c69736e4

Download Submit
memory/1468-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1468-6-0x00000000002C0000-0x0000000000301000-memory.dmp

Filesize
260KB

Download
memory/1468-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2008-27-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2008-21-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2008-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2008-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-39-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2616-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads