29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719

General

Target

29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
Size

93KB
MD5

7bf231caa3fb3d4a98e3e1ae8a8195a0
SHA1

3f51d4a0924e8bc1f7724213419d89d81c40a57c
SHA256

29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719
SHA512

88fef8b0e3c03c3c017575ff20af06bfcb5ddbdadf4bc71fa34a6dad8f079443ca03950105aba188d624c9230325563672e358abd7cdb04f0bc4ee09860b3f58
SSDEEP

1536:c3Y2DPkmtup7tAlyhN+7G24mCA0LKHnSyg0gz7aUdaJVxMD51saMiwihtIbbpkp:c3bDsp7tT7m7NHnSWetdv51dMiwaIbb+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggqoj32.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	Nggqoj32.exe
1772	Nkcmohbg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4704	1772	WerFault.exe	82

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 2884	4216	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe	81
PID 4216 wrote to memory of 2884	4216	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe	81
PID 4216 wrote to memory of 2884	4216	29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe	81
PID 2884 wrote to memory of 1772	2884	Nggqoj32.exe	82
PID 2884 wrote to memory of 1772	2884	Nggqoj32.exe	82
PID 2884 wrote to memory of 1772	2884	Nggqoj32.exe	82

C:\Users\Admin\AppData\Local\Temp\29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\29d1acfd794667cf79a84c519e731abd9961aad7cbe4db110ba05d7b270f3719_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Windows\SysWOW64\Nggqoj32.exe
  C:\Windows\system32\Nggqoj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\Nkcmohbg.exe
    C:\Windows\system32\Nkcmohbg.exe
    3⤵
    - Executes dropped EXE
    PID:1772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 412
      4⤵
      Program crash
      PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1772 -ip 1772
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
93KB

MD5
5ab1be019b0f2be2c7af0553fbc41cc1

SHA1
1ff27f188033d504989ae2ea6955e758d8300f4a

SHA256
0a1da69dddc8c063f7dad7eeea4b4f38e824077986dc25995988e1bc3e865471

SHA512
a93b109ca8ea7ce6b6cea20d63b455ea8753076180ee388392a17c3cfee76fe86d5a87b0dd19d6dff1ddad580be3dc60c8c22d9fec10dc03d37563cfa30bc771

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
93KB

MD5
1a70aa639b2972b9f1de3b79f36f7bf0

SHA1
eb6b1c510f9be4ae14724f4dde59612bdf9b0d41

SHA256
ee89faeb98de62b9a8c0f16fdef2f2ef9b8f7530bafb050d160efd80205925f0

SHA512
6a2d7a45316998a7f7aef87c9eb22f81fd05976ef6b67dc6b2db0fd4a325b86428f8632b3ff89010459bb6a96c03b8699a8f918ccda1147e4acd355035786a3e

Download Submit
memory/1772-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4216-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4216-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads