13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
Size

96KB
MD5

06737d1b1af4109b5092c04cfa546980
SHA1

075fe9ce4d2fbc76dfacef74601b2ce3388af772
SHA256

13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb
SHA512

81fe0930b057b865470cad78b5e326e3cae32f1771fe97f7f81aa024098029c78519df3c72832a57038c1b8b577eaa00ceb5da0daab7f5d491eba252f87a89db
SSDEEP

1536:dDnYFx/qlRShc5/zvvzqIZ7712L5VZS/FCb4noaJSNzJO/:dDnShc5/zX2o77mrZSs4noakXO/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdime32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edfknb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdncplk.exe

Executes dropped EXE 12 IoCs

pid	Process
4488	Adepji32.exe
4552	Bbhildae.exe
3996	Cdjblf32.exe
1436	Cigkdmel.exe
5108	Ccdihbgg.exe
1812	Dgdncplk.exe
3280	Dggkipii.exe
3324	Epdime32.exe
444	Ekimjn32.exe
5016	Edfknb32.exe
2248	Fcbnpnme.exe
1848	Gddgpqbe.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Anijgd32.dll	Epdime32.exe
File created	C:\Windows\SysWOW64\Edfknb32.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Ccdihbgg.exe	Cigkdmel.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Nnoefe32.dll	Dggkipii.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fcbnpnme.exe
File opened for modification	C:\Windows\SysWOW64\Epdime32.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Edfknb32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Adepji32.exe	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Adepji32.exe	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Efoope32.dll	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Bbhildae.exe	Adepji32.exe
File created	C:\Windows\SysWOW64\Bcominjm.dll	Adepji32.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Epdime32.exe	Dggkipii.exe
File opened for modification	C:\Windows\SysWOW64\Edfknb32.exe	Ekimjn32.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Ikfbpdlg.dll	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Edfknb32.exe
File created	C:\Windows\SysWOW64\Olqjha32.dll	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	Adepji32.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Aehojk32.dll	Ekimjn32.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Dggkipii.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Ekimjn32.exe	Epdime32.exe
File opened for modification	C:\Windows\SysWOW64\Ekimjn32.exe	Epdime32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4448	1848	WerFault.exe	102

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfbpdlg.dll"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoefe32.dll"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Adepji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Edfknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehojk32.dll"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olqjha32.dll"	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopnkd32.dll"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epdime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edfknb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Cdjblf32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 4488	2252	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe	91
PID 2252 wrote to memory of 4488	2252	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe	91
PID 2252 wrote to memory of 4488	2252	13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe	91
PID 4488 wrote to memory of 4552	4488	Adepji32.exe	92
PID 4488 wrote to memory of 4552	4488	Adepji32.exe	92
PID 4488 wrote to memory of 4552	4488	Adepji32.exe	92
PID 4552 wrote to memory of 3996	4552	Bbhildae.exe	93
PID 4552 wrote to memory of 3996	4552	Bbhildae.exe	93
PID 4552 wrote to memory of 3996	4552	Bbhildae.exe	93
PID 3996 wrote to memory of 1436	3996	Cdjblf32.exe	94
PID 3996 wrote to memory of 1436	3996	Cdjblf32.exe	94
PID 3996 wrote to memory of 1436	3996	Cdjblf32.exe	94
PID 1436 wrote to memory of 5108	1436	Cigkdmel.exe	95
PID 1436 wrote to memory of 5108	1436	Cigkdmel.exe	95
PID 1436 wrote to memory of 5108	1436	Cigkdmel.exe	95
PID 5108 wrote to memory of 1812	5108	Ccdihbgg.exe	96
PID 5108 wrote to memory of 1812	5108	Ccdihbgg.exe	96
PID 5108 wrote to memory of 1812	5108	Ccdihbgg.exe	96
PID 1812 wrote to memory of 3280	1812	Dgdncplk.exe	97
PID 1812 wrote to memory of 3280	1812	Dgdncplk.exe	97
PID 1812 wrote to memory of 3280	1812	Dgdncplk.exe	97
PID 3280 wrote to memory of 3324	3280	Dggkipii.exe	98
PID 3280 wrote to memory of 3324	3280	Dggkipii.exe	98
PID 3280 wrote to memory of 3324	3280	Dggkipii.exe	98
PID 3324 wrote to memory of 444	3324	Epdime32.exe	99
PID 3324 wrote to memory of 444	3324	Epdime32.exe	99
PID 3324 wrote to memory of 444	3324	Epdime32.exe	99
PID 444 wrote to memory of 5016	444	Ekimjn32.exe	100
PID 444 wrote to memory of 5016	444	Ekimjn32.exe	100
PID 444 wrote to memory of 5016	444	Ekimjn32.exe	100
PID 5016 wrote to memory of 2248	5016	Edfknb32.exe	101
PID 5016 wrote to memory of 2248	5016	Edfknb32.exe	101
PID 5016 wrote to memory of 2248	5016	Edfknb32.exe	101
PID 2248 wrote to memory of 1848	2248	Fcbnpnme.exe	102
PID 2248 wrote to memory of 1848	2248	Fcbnpnme.exe	102
PID 2248 wrote to memory of 1848	2248	Fcbnpnme.exe	102

C:\Users\Admin\AppData\Local\Temp\13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13898f7d7147e56362ada0622ffd273253053f5891cb0e9334f5256cb84075cb_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\Adepji32.exe
  C:\Windows\system32\Adepji32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\Bbhildae.exe
    C:\Windows\system32\Bbhildae.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\Cdjblf32.exe
      C:\Windows\system32\Cdjblf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
      - C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Epdime32.exe
        
        C:\Windows\system32\Epdime32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Edfknb32.exe
        
        C:\Windows\system32\Edfknb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        13⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 400
        14⤵
        Program crash
        
        PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1848 -ip 1848
1⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adepji32.exe

Filesize
96KB

MD5
bf3059bca4272372ccba30b9d2240332

SHA1
05dc3351f5c362a587769c410ff46e225d18b0da

SHA256
d6b17d45e7081c35b75c353471ee7eec65c361a70b978bdd93dc5df9973cf566

SHA512
fa8a4a66742cc1b032670686ec05c95ccaef2ec48011f1368e390ffc7224a8f0a14662928a94950ef782eda84b1808da185d1a7a20eab61cb4562ef315a81a9d

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
96KB

MD5
5cb57f43de0c80264ac57222f1fe6e0b

SHA1
570e3d26ee2f203ebbbf43b9636559a7991052b3

SHA256
b6d1672a20f0c65e30bd6fa3cc43ef4e2a109a4ef37fa0441ef444d12de47985

SHA512
64b242182cd8dd2e5447f6d6b16158634ce30632e55410857498f6f12f31acebf03598787e1f17b6cb1ab30a311846b94926164e4ebe112dbcaa88d93689f56c

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
96KB

MD5
98cf009d742239b4343a3bcbea10db7c

SHA1
0e0381c7e22eb565ecb777e4e4c01f24cec8f4b3

SHA256
a30360043d44e4fc84260ed2883f47ceb493e090a0864a6afe2ce4472256a237

SHA512
b8a14a3cb11e76be40b2908a20bfde683e861099559d50ad9bd34667a15984c16080fa407857371f8786427ad3d967dbbe74bb865dd0b48f1ea79fb2a1d16e4b

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
96KB

MD5
395174b611b60d8a30bde08db6deb63f

SHA1
ecc44c61b62a17c81c25980c9bf8571d67c03807

SHA256
6264062b10e75e18bfb6f7fa74a8314b7ef4f5e764d29f15e6647367c6eb7b5a

SHA512
d07dfc3f5459204a0d6941515f847151e50efe96d9726994a0f4ac089ccd61a7612a7fec24419626e5f7aee6acb927b95b90e5ff00d3348dd5d40265beff29e0

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
96KB

MD5
4796cf0ae57a5b6bdc4dd927f5a160f6

SHA1
9e0d383f03025d8e25ed59870bf52dafa00a3abf

SHA256
f9012669be32ebaf20fb38ec5f9a75893d0637eefc9b3a932028e99c16a14f35

SHA512
6ca1a68790f04029b4b8ea6816f66c31a0abb03ada6529fb10561718e264b17a2add67a4269c705371a85cb1c7c7fafd4465be03001f44a30734b995c86b74fa

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
96KB

MD5
3ae31828d2082b9fdf47de9ec782d85a

SHA1
6e7fd964b3021e4fded9de9f29c747e307f8d735

SHA256
377d91a1c982402f5fda15e3d9d21263051e895e3120aa033fb3239843a3ed4f

SHA512
af3cd05431050d09b8e42d5e90ed1d8114f0bfd9cce687984cfcc7c3fd95958e7595b4de58ac573ad2f74041742708d85e51720ba6199049e7b8fa666ed5aa7d

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
96KB

MD5
44359626c89c2c3e1c60cf1d865bbc7e

SHA1
dd7b89cf4b37da33f3ecfa4a98624f2a9bf80260

SHA256
5b8f18dbe7d74e7bce0576e7dd5bdb33aab13addb6cf0e351b35165269bb1dd5

SHA512
fdf99689f53eb02a425e8b85f7a48a1e4006d60ced5c969cc0ef3ca0bbf33883ad43a6eef8a758625e8720e29325fd32ce466161966fc2170e361570c8c3188b

Download Submit
C:\Windows\SysWOW64\Edfknb32.exe

Filesize
96KB

MD5
45bdd88dd1c7c1f8021f9f4bd3c40f9f

SHA1
7a25970cbb6295050483684f4980a02c90536d5d

SHA256
e07998bb52964b5c2351cbf629693596677fad234cfd70e884dc2249f8482897

SHA512
d1680827b4433982a40061113ec33b3d4ac3dbd3c344598991b9c311c4035186e7ec54c723a054f3bc00e8f9efb0fd1f014f342d75fe9948f6249b68d109ce1b

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
96KB

MD5
524eeea2fcbfc650e73ad90099b9524e

SHA1
193ec63abf150689c5068a2adaf59e4109aeb6a7

SHA256
2ff7e381d9c5cfcb1c8e52ec8d92ba1462703489a2eb593928bf99e10031ea26

SHA512
fadaf690b3c2a7bc7667726859b04a47b139ea67b73a1a4f870279ce87373aa6caeb96c6fcb012bbd4361e7f1971c885a918466dc328bc8a68ea15320285c45a

Download Submit
C:\Windows\SysWOW64\Epdime32.exe

Filesize
96KB

MD5
417e0bee164c962567f8e33623344248

SHA1
ead9d6d47c616200de024bff50def7cfa8190f54

SHA256
79a6f16e2b8ab9ec592f84df8bf71a2165487dc4acb842d5e071a112976e2dcb

SHA512
b7500612ebe610832db052f51561fd7121405e4e172e37a54885e4bc28250cf3be1cea756406ef7ba5008daf997c0063a73aac844da09a115012fdfc805819b4

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
96KB

MD5
a083e8a156ca16899f045a40c4a8f53a

SHA1
d3f9bbdd18a492ea4829a96b66945f84a158df12

SHA256
5335b0cebacad412179d5f58850e31399a7d700e064bf72062333b3720b9c708

SHA512
7c6792864968c5acc3a4dfe0ccc69d583e09186cada72720792565529b5eeff3ce77241f720abfbb7b3aae4f8bcce2bee8b309a7b53645758c2c7c44c77963c2

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
96KB

MD5
7fb852298cef396c74aa209bb31085fa

SHA1
34819fe337dfed1d54f5c3e8e0cca409da25663d

SHA256
ba26e7c1da8bfe4209a6723d2cb2f6f16f9932b4f6c1f512c45172ac14b37dcb

SHA512
551f1d6143378dfbf6c7c40e00924b46b0aeb4e99b99ff380f28a6693609a3c80c92ee40f09043a875ca1b9cc4cba003725ba9d0860ca2a8da6a24bb61afe612

Download Submit
memory/444-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-2-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2252-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3324-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4488-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads