0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764

General

Target

0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
Size

96KB
MD5

ae2fdac4e2a6930f752faa86c04c4680
SHA1

7286df7c2a62271a6cc1ff847cea432c222e05cf
SHA256

0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764
SHA512

6a315e9121917eff72de7d1e5551cecb88a401a4992fad75bde5ff094d565f3775a6f79f6e61ef3dfb654cb79eba96e8341c15ff710b027cfb87fd0489732f82
SSDEEP

1536:ApkorcJ2hhRv8BBgfos/Zw2LIeaIZTJ+7LhkiB0MPiKeEAgH:7orN/RvZos/fNaMU7uihJ5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe

Executes dropped EXE 3 IoCs

pid	Process
1816	Ieqeidnl.exe
2616	Iknnbklc.exe
2752	Iagfoe32.exe

Loads dropped DLL 10 IoCs

pid	Process
2056	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
2056	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
1816	Ieqeidnl.exe
1816	Ieqeidnl.exe
2616	Iknnbklc.exe
2616	Iknnbklc.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Iknnbklc.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Iknnbklc.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Iknnbklc.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Eqpofkjo.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process
1340	2752	WerFault.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpofkjo.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iknnbklc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iknnbklc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1816	2056	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 1816	2056	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 1816	2056	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 1816	2056	0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe	28
PID 1816 wrote to memory of 2616	1816	Ieqeidnl.exe	29
PID 1816 wrote to memory of 2616	1816	Ieqeidnl.exe	29
PID 1816 wrote to memory of 2616	1816	Ieqeidnl.exe	29
PID 1816 wrote to memory of 2616	1816	Ieqeidnl.exe	29
PID 2616 wrote to memory of 2752	2616	Iknnbklc.exe	30
PID 2616 wrote to memory of 2752	2616	Iknnbklc.exe	30
PID 2616 wrote to memory of 2752	2616	Iknnbklc.exe	30
PID 2616 wrote to memory of 2752	2616	Iknnbklc.exe	30
PID 2752 wrote to memory of 1340	2752	Iagfoe32.exe	31
PID 2752 wrote to memory of 1340	2752	Iagfoe32.exe	31
PID 2752 wrote to memory of 1340	2752	Iagfoe32.exe	31
PID 2752 wrote to memory of 1340	2752	Iagfoe32.exe	31

C:\Users\Admin\AppData\Local\Temp\0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0bfe0b28be26ac26e14822a6c6dd8e021a6ddebafd5ae3715deafab9d2f9e764_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\Ieqeidnl.exe
  C:\Windows\system32\Ieqeidnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\Iknnbklc.exe
    C:\Windows\system32\Iknnbklc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\Iagfoe32.exe
      C:\Windows\system32\Iagfoe32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
96KB

MD5
af2a62932df25a09db887870ad640d0f

SHA1
ee11977271766707878713e2fe935d32b9bf1cd8

SHA256
1e69d63ad4df6b68dc1fcdcbc5f0019ee7fa68b27e65b5fcc92763c04e807683

SHA512
5e5f6aa5a2a99f01cc4cc3c095980fc2adcee469baff8aca90b3f645566bc2a26d7190d1b97756109d826ad83bea48cfa192d68bae1be4a76b7eb678d0f00f69

Download Submit
C:\Windows\SysWOW64\Iknnbklc.exe

Filesize
96KB

MD5
d30220b60e99823bf3431e075435571d

SHA1
a38ce4b9b021819baa7752bdcc222a745cdbc216

SHA256
0e67adb4fd503b967f0dee3d0f0eec2adf34f24404f9aa52fdefb9e3c0a332aa

SHA512
ce95a97ff0418f4e30a7446240a74e613deb73899db62662bd980a82af7c7cf09264151bcf696a876dddeca1ecbe7fd4c6cc6795948849f5f4fcb1eae1842db6

Download Submit
\Windows\SysWOW64\Ieqeidnl.exe

Filesize
96KB

MD5
106f5c541acf0c68c36fbb659ba9aa9b

SHA1
d3dcca218f3900386cef8561e29a9a8e759f94a4

SHA256
1295717754f053432483980911753d88edf201c4c51d5ae4fb709a70dc6a7626

SHA512
a6352153ce492abf1ae6a9efe35fdccdd50d8f4c8682fb35dad8f2f85665372613c0dd740eac05f8b597e935951e6e16c41338cfb3270d30ced8a317e49737ea

Download Submit
memory/1816-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1816-46-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2056-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2056-6-0x0000000001F60000-0x0000000001F9C000-memory.dmp

Filesize
240KB

Download
memory/2056-13-0x0000000001F60000-0x0000000001F9C000-memory.dmp

Filesize
240KB

Download
memory/2056-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-27-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2616-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2752-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads