5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755

General

Target

5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
Size

128KB
MD5

daa5a862cffcb107cafeeabf6c692090
SHA1

1eabc7c17295bf9e25484c9e43a6379c4a48cefd
SHA256

5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755
SHA512

d13c67d22c7b06dde728fb8b26a7c3357d45e9a1f30aa7317fd0262c39c92f022964c2e884cdda8e555ae04d20ca3d33d9b1b3bd9b7996e302dd4921ee3fb809
SSDEEP

3072:S9WbslrGo8j0v/0oyXPyTRhg808uFafmHURHAVgnvedh6:Si+8jVPyTRW808uF8YU8gnve7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nigome32.exe

Executes dropped EXE 3 IoCs

pid	Process
1920	Nplmop32.exe
2564	Nigome32.exe
2612	Nlhgoqhh.exe

Loads dropped DLL 10 IoCs

pid	Process
2384	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
2384	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
1920	Nplmop32.exe
1920	Nplmop32.exe
2564	Nigome32.exe
2564	Nigome32.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nigome32.exe	Nplmop32.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Nplmop32.exe	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nigome32.exe
File created	C:\Windows\SysWOW64\Incbogkn.dll	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Nplmop32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	2612	WerFault.exe	30

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nigome32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1920	2384	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe	28
PID 2384 wrote to memory of 1920	2384	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe	28
PID 2384 wrote to memory of 1920	2384	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe	28
PID 2384 wrote to memory of 1920	2384	5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe	28
PID 1920 wrote to memory of 2564	1920	Nplmop32.exe	29
PID 1920 wrote to memory of 2564	1920	Nplmop32.exe	29
PID 1920 wrote to memory of 2564	1920	Nplmop32.exe	29
PID 1920 wrote to memory of 2564	1920	Nplmop32.exe	29
PID 2564 wrote to memory of 2612	2564	Nigome32.exe	30
PID 2564 wrote to memory of 2612	2564	Nigome32.exe	30
PID 2564 wrote to memory of 2612	2564	Nigome32.exe	30
PID 2564 wrote to memory of 2612	2564	Nigome32.exe	30
PID 2612 wrote to memory of 2620	2612	Nlhgoqhh.exe	31
PID 2612 wrote to memory of 2620	2612	Nlhgoqhh.exe	31
PID 2612 wrote to memory of 2620	2612	Nlhgoqhh.exe	31
PID 2612 wrote to memory of 2620	2612	Nlhgoqhh.exe	31

C:\Users\Admin\AppData\Local\Temp\5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5b03fab70a59528eabeea74e4c3b3b4c123ebfcbe9c30474f9ff69d37f684755_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\Nplmop32.exe
  C:\Windows\system32\Nplmop32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\Nigome32.exe
    C:\Windows\system32\Nigome32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\Nlhgoqhh.exe
      C:\Windows\system32\Nlhgoqhh.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Nigome32.exe

Filesize
128KB

MD5
049fcb6c9651fa7888e707e211dd3eac

SHA1
ecfc1749fbdb6385e9e2d320ea49dac0273488a4

SHA256
8695da5d7708bc260942d0e7b15592a51eeeda497cba2e6d54b8fd4e5d811c3d

SHA512
bfced7b6681393fb3a5aa984ae158fdcb5171b36c54b483bba522fe4a14a9922b8d2a630e05fb44bc4a3c817dbcf789b101e303873a352a9b105b9e0a088f171

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
128KB

MD5
646709dc00396e534e67eb574b5d7516

SHA1
6982d4b20153405f4ca919d1bb65338c2c8dd46d

SHA256
2415c3d7d4e7a585961a568b24105df25c87ba1622733b8802fac9ec39368e46

SHA512
909967628ccd6a06a0c15e1ea6411d599db676ca221080c569e894a24686651d6508f46cd538dbed4d485512aea1960b1e23c84f92abf709132b5a86a49440ab

Download Submit
\Windows\SysWOW64\Nplmop32.exe

Filesize
128KB

MD5
7a745a0c5315eae23374243bd5ca4de4

SHA1
8ea6296c98f963191ec6396ab766faca5d6e3631

SHA256
68a945b20e59689c796e1c04e7cac734601561d89f2f0ac559efefce84ae77b7

SHA512
6bec20898b1a8e2974e9a14cb52738b6a728ae0157942a438afd289996f0474addda7b7d5ce15a21b0960907706a0de31a918707f5bfe5d9b573c4b913e453a1

Download Submit
memory/1920-19-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/1920-26-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/1920-46-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2384-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2384-6-0x0000000000290000-0x00000000002D5000-memory.dmp

Filesize
276KB

Download
memory/2384-45-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2564-33-0x0000000000450000-0x0000000000495000-memory.dmp

Filesize
276KB

Download
memory/2564-47-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2612-40-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads