Malware Analysis Report

2025-03-15 05:42

Sample ID 240509-3a3aaaga38
Target 1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics
SHA256 076f582028809d29b4d9c9bc51baa3d2114d963206cf6f11678d08e97565bcfc
Tags
aspackv2 persistence
score
7/10


Analysis Overview

score
7/10

SHA256

076f582028809d29b4d9c9bc51baa3d2114d963206cf6f11678d08e97565bcfc

Threat Level: Shows suspicious behavior

The file 1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2 persistence

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-09 23:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 23:19

Reported

2024-05-09 23:22

Platform

win7-20240220-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\dllhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KVEXS.EXE = "C:\\Program Files (x86)\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A

Note the value data: a file named svchost.exe under C:\Program Files (x86) rather than under System32, created by the sample in this run (see "Drops file in Program Files directory" below). The value name KVEXS.EXE matches the EXE the sample dropped next to it.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\KVEXS.EXE C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Ms7002.dll C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\svchost.exe C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\KVEXS.EXE C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\KVEXS.EXE C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\dllhost.exe C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File created C:\Windows\HAZDSKN.EXE C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\HAZDSKN.EXE C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files (x86)\\KVEXS.EXE %1" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile C:\Windows\dllhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files (x86)\\KVEXS.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\HAZDSKN.EXE %1" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\KVEXS.EXE" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files (x86)\\KVEXS.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" C:\Windows\SysWOW64\Regsvr32.exe N/A
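
The registry writes above combine three persistence mechanisms: a Run entry, four file-type handler rewrites (txtfile, inifile, regfile, scrfile) and a COM in-process server backed by the dropped DLL. The following Python is an added triage example written for this page, not the sandbox's own code: it parses rows in the report's own row layout and flags each of the three patterns. The stock-handler baseline (DEFAULT_HANDLERS), the rule names and the list of reused Windows binary names are this example's assumptions; the eight sample rows are copied verbatim from the behavioral1 tables above. One caveat it carries as a comment: the report shows the class registered with ProgID Ms7002.ShellExecuteHook, but no write to Explorer's ShellExecuteHooks key appears anywhere on the page, so these rows alone do not establish how the DLL gets loaded.

```python
"""Classify the report's 'Set value (str)' rows into persistence findings.

Added triage example, not part of the sandbox report. Rows look like:
    Set value (str) <key> = "<data>" <process> N/A
Assumptions of this example: DEFAULT_HANDLERS, SYSTEM_NAMES, rule names.
"""
import re
from dataclasses import dataclass

# Constructed sample input: eight rows copied from the behavioral1
# 'Adds Run key' and 'Modifies registry class' tables.
REPORT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KVEXS.EXE = "C:\\Program Files (x86)\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files (x86)\\KVEXS.EXE %1" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files (x86)\\KVEXS.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\HAZDSKN.EXE %1" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files (x86)\\KVEXS.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Regsvr32.exe N/A
'''

ROW_RE = re.compile(r'^Set value \(str\) (?P<key>\S+) = "(?P<data>.*)" (?P<proc>\S+) N/A$')

# Stock handlers on a default Windows install (assumption of this example).
# scrfile's stock command is '"%1" /S': the screensaver file runs itself.
DEFAULT_HANDLERS = {'txtfile': 'notepad.exe', 'inifile': 'notepad.exe',
                    'regfile': 'regedit.exe', 'scrfile': '%1'}
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
# Windows binary names this sample reuses for its dropped files.
SYSTEM_NAMES = {'svchost.exe', 'dllhost.exe', 'startmenuexperiencehost.exe'}


@dataclass
class Finding:
    rule: str
    key: str
    detail: str


def parse_rows(text):
    """Return (key, data, process) for every well-formed 'Set value' row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if m:
            # The report escapes backslashes and quotes inside the data column.
            data = m['data'].replace('\\"', '"').replace('\\\\', '\\')
            rows.append((m['key'], data, m['proc']))
    return rows


def command_exe(cmd):
    """Executable part of a shell\\open\\command string, quotes stripped.
    Handles quoted paths and the unquoted paths with spaces this sample
    writes, by cutting at the %1 placeholder."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return re.split(r'\s+"?%1', cmd)[0]


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def classify(rows):
    findings = []
    com = {}  # CLSID -> {'dll': InprocServer32 path, 'progid': ProgID}
    for key, data, _proc in rows:
        k = key.lower()
        if '\\microsoft\\windows\\currentversion\\run\\' in k:
            exe = command_exe(data)
            note = 'autorun target ' + exe
            if basename(exe) in SYSTEM_NAMES and not exe.lower().startswith(SYSTEM_DIRS):
                note += ' (Windows binary name outside System32/SysWOW64: masquerade)'
            findings.append(Finding('run_key', key, note))
            continue
        m = re.search(r'\\classes\\([^\\]+)\\shell\\open\\command\\$', k)
        if m:
            progid, exe = m.group(1), command_exe(data)
            expected = DEFAULT_HANDLERS.get(progid)
            if expected is not None and basename(exe) != expected:
                findings.append(Finding('handler_hijack', key,
                                        f'{progid} now opens with {exe}; stock handler is {expected}'))
            continue
        m = re.search(r'\\clsid\\(\{[0-9a-f-]+\})\\(inprocserver32|progid)\\$', k)
        if m:
            entry = com.setdefault(m.group(1).upper(), {})
            entry['dll' if m.group(2) == 'inprocserver32' else 'progid'] = data
    # Caveat: a ProgID named *.ShellExecuteHook does not prove the hook is
    # active; that needs a write under Explorer\ShellExecuteHooks, which the
    # report does not show.
    for clsid, entry in com.items():
        findings.append(Finding('com_inproc', clsid,
                                f"ProgID {entry.get('progid', '?')} served by {entry.get('dll', '?')}"))
    return findings


def report_findings(text=REPORT_ROWS):
    return classify(parse_rows(text))


if __name__ == '__main__':
    for f in report_findings():
        print(f'{f.rule:15} {f.detail}')
```

Running it against the eight rows yields one run_key finding (svchost.exe masquerade), four handler_hijack findings and one com_inproc finding; feeding it the behavioral2 rows instead gives the same shape with the MPEP/BMDQBF names.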

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2988 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 2064 wrote to memory of 2932 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe C:\Windows\dllhost.exe

Both write targets are child processes that the sample (PID 2064) launched itself (see Processes below); the report records no writes into any pre-existing process, so this signature on its own does not show injection into third-party processes.

Processes

C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe C:\Windows\system32\Ms7002.dll /s

The command line names system32, but the file was created in SysWOW64 and the InprocServer32 value registered above points at C:\Windows\SysWow64\Ms7002.dll: the sample is a 32-bit process (it also writes under Wow6432Node), so WOW64 file-system redirection maps its System32 paths to SysWOW64. Hunt for the DLL there, not under the 64-bit System32.

C:\Windows\dllhost.exe

C:\Windows\dllhost.exe

Network

N/A

Files

memory/2064-0-0x0000000000220000-0x0000000000221000-memory.dmp

C:\filedebug

MD5 4a386121c2380fba6695a0b9acad9297
SHA1 9ad2f5f87391822f04e102b6f1e8ede03202f2a2
SHA256 5a34d7dba68b0e1ca2a89d52db92796cabf248b338a3ca1047b8e0a04b808a29
SHA512 33adbff344e51791473b01f5d7918d9017a5cee3af7669eca8edd20ff72ab2bfbf4ceb8df667ee6035d9529e7556ad809247c360e7c14f5e8fd27132e2263f5c

C:\Program Files (x86)\KVEXS.EXE

MD5 39ae64b4bdf70351969ae07fe6f58d07
SHA1 59f1728549ba6c1484f3bd73e52e64cb6953c6b9
SHA256 c20dfea083f5a98b3e83beb0ef9b2a37293efdd98afc34f784e9bafb7954ca34
SHA512 73dfe9def4f37ccb8f3f5eceb83d7bbfc8cdbf442754b9e97505813517669013952387cc7b90e180f50ddcd07bad0acd31e644f8b00738d62f47e649041d8bc5

C:\Windows\SysWOW64\Ms7002.dll

MD5 876a2a99b81968f5b26e3cbe12063d2b
SHA1 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256 f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512 ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

C:\Windows\dllhost.exe

MD5 cccc6694316a88ab038b6ac828e63c56
SHA1 0d0b1ca2bfcd23ca9a3d5a1905958e3c7b7a0f52
SHA256 5620dc5b4877be59d5001a64bb5c2ebb71750144e21d204ef9291f84c84ce212
SHA512 365ecaecb7115b7a790c6a482b40f1963f19fcd0a9a07d7c2aaacb9021f4aca08370e184dd4a7f726acead322241f66fe182bd983fa72fc1e3abc38799079d47

memory/2932-27-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2932-28-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 23:19

Reported

2024-05-09 23:22

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\StartMenuExperienceHost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MQMIEM.EXE = "C:\\Users\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A

Here the svchost.exe lookalike is placed directly under C:\Users. No file-creation event for that path appears in this run's tables (the run1 equivalent under Program Files (x86) was recorded), so confirm on a live host that the autorun target actually exists before treating this entry as working persistence.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\MPEP.EXE C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Ms7002.dll C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File created C:\Windows\BMDQBF.EXE C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\BMDQBF.EXE C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\PerfLogs\\MPEP.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile C:\Windows\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\BMDQBF.EXE %1" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\PerfLogs\\MPEP.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\MPEP.EXE" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\PerfLogs\\MPEP.EXE %1" C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\StartMenuExperienceHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1cada1ef42d67c7a676280da9ace71e0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe C:\Windows\system32\Ms7002.dll /s

C:\Windows\StartMenuExperienceHost.exe

C:\Windows\StartMenuExperienceHost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Every DNS row is a reverse (PTR) lookup of an in-addr.arpa name sent to 8.8.8.8, and the only connection is a single TCP/443 session. The Windows 7 run recorded no network activity at all, and none of the rows above is tied to one of the sample's processes, so this traffic is unattributed and should not be used as a C2 indicator without a process-level capture.

Files

memory/212-0-0x00000000020D0000-0x00000000020D1000-memory.dmp

C:\PerfLogs\MPEP.EXE

MD5 a324a6f0d28b666b011d02f26ae4b8ed
SHA1 625d041b39dfe4904897c1fba2aae54eabc016fb
SHA256 e4793fc3fb0ecb76bebe7df34a2d2a958808cb6dff79b79e36e8163f9113d5ce
SHA512 c86a983c3dd81db8083bd086744255db42a182f4be0f6d7e1b6cfd1f321f345d6d9a0d9d702fb186e71c158f03947680c4d19aa7788a0937fe6275e6141fd35f

C:\Windows\SysWOW64\Ms7002.dll

MD5 876a2a99b81968f5b26e3cbe12063d2b
SHA1 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256 f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512 ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

C:\Windows\StartMenuExperienceHost.exe

MD5 a59ac5db9a81d50b75030d0e3830b904
SHA1 79691cdbe3a496df069985495b9ecb916335adf7
SHA256 55e06ee8010d395d4a437820b9bc891d58a95658f679aaa0f07310503f56fd2f
SHA512 ab3faae629b54e00db23942b76f01efbad7843f4a9c7fe30e6837f1f6cce6aba31f88e855f57272593858a8989e8f82df47a3549cab252c49833ca3d51256ec3

memory/3540-25-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

memory/3540-26-0x0000000001FE0000-0x0000000001FE1000-memory.dmp
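
Comparing the two detonations is how the stable indicators get separated from what the sample randomises: the Ms7002.dll hash and the COM registration repeat across the Windows 7 and Windows 10 runs, while every dropped EXE gets a new uppercase name and a new hash, and the Run value name changes with it. The following Python is an added example for this page, not the sandbox's output: it takes the dropped-file hashes and the registry paths from both runs' Files and registry tables (constructed inline) and returns the cross-run intersection, which is what a hunt query should key on. The generated-name regex is this example's own assumption, fitted to the five names seen on the page.

```python
"""Separate cross-run stable indicators from per-run noise.

Added example, not part of the sandbox report. Data below is copied from
the behavioral1 and behavioral2 tables; GENERATED_NAME is an assumption.
"""
import re

# Dropped files with SHA256, from the two Files sections.
RUN1_FILES = {
    r'C:\filedebug': '5a34d7dba68b0e1ca2a89d52db92796cabf248b338a3ca1047b8e0a04b808a29',
    r'C:\Program Files (x86)\KVEXS.EXE': 'c20dfea083f5a98b3e83beb0ef9b2a37293efdd98afc34f784e9bafb7954ca34',
    r'C:\Windows\SysWOW64\Ms7002.dll': 'f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0',
    r'C:\Windows\dllhost.exe': '5620dc5b4877be59d5001a64bb5c2ebb71750144e21d204ef9291f84c84ce212',
}
RUN2_FILES = {
    r'C:\PerfLogs\MPEP.EXE': 'e4793fc3fb0ecb76bebe7df34a2d2a958808cb6dff79b79e36e8163f9113d5ce',
    r'C:\Windows\SysWOW64\Ms7002.dll': 'f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0',
    r'C:\Windows\StartMenuExperienceHost.exe': '55e06ee8010d395d4a437820b9bc891d58a95658f679aaa0f07310503f56fd2f',
}

# Registry paths written in each run (the trailing '\' that marks a
# default value in the report is dropped here).
_SHARED = [
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command',
]
RUN1_KEYS = _SHARED + [
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KVEXS.EXE',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32',
]
RUN2_KEYS = _SHARED + [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MQMIEM.EXE',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32',
]

# File names the sample wrote, from the 'Drops file' tables and Run value names.
RUN1_NAMES = ['KVEXS.EXE', 'Ms7002.dll', 'svchost.exe', 'dllhost.exe', 'HAZDSKN.EXE']
RUN2_NAMES = ['MPEP.EXE', 'Ms7002.dll', 'StartMenuExperienceHost.exe', 'BMDQBF.EXE', 'MQMIEM.EXE']

# Assumption: uppercase 4-7 letter names, fitted to the five names observed.
GENERATED_NAME = re.compile(r'^[A-Z]{4,7}\.EXE$')


def stable_hashes(*runs):
    """SHA256 values present in every run, with every path they were seen at."""
    common = set.intersection(*(set(r.values()) for r in runs))
    return {h: sorted({p for r in runs for p, v in r.items() if v == h})
            for h in sorted(common)}


def stable_keys(*runs):
    """Registry paths written in every run, compared case-insensitively."""
    return sorted(set.intersection(*(set(k.lower() for k in r) for r in runs)))


def volatile_keys(*runs):
    """Registry paths seen in only some runs (here: the random Run value names)."""
    every = set(k.lower() for r in runs for k in r)
    return sorted(every - set(stable_keys(*runs)))


def generated_names(names):
    """Dropped-file and Run value names that fit the per-run random pattern."""
    return [n for n in names if GENERATED_NAME.match(n)]


def hunt_package():
    """Indicators worth a hunt query, split into stable and per-run parts."""
    return {
        'hashes': stable_hashes(RUN1_FILES, RUN2_FILES),
        'registry': stable_keys(RUN1_KEYS, RUN2_KEYS),
        'volatile_registry': volatile_keys(RUN1_KEYS, RUN2_KEYS),
        'generated_names': generated_names(RUN1_NAMES + RUN2_NAMES),
    }


if __name__ == '__main__':
    import json
    print(json.dumps(hunt_package(), indent=2))
```

The result is one stable hash (the DLL), seven stable registry paths (the CLSID, ProgID, QPWorkFile value and four handler commands) and two volatile Run entries; the dropped EXE hashes never repeat, so a hash-only blocklist built from one run would miss the next.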