b0d32547afd235ceab445a7ce105bb0391eef1e5060b2098bfdb75f8007354cd

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
Size

464KB
MD5

315c6b95b9b034bde36b257a44544910
SHA1

febac56767aa538696615331941853ea5ef32ca4
SHA256

b0d32547afd235ceab445a7ce105bb0391eef1e5060b2098bfdb75f8007354cd
SHA512

4cd6dff12c4da5f87bdedc9779f70b76067433a332eeb625a4547739b481631edd75947b584151c64189319108bd2c438c7d69aa248b90579737d327c9e432fa
SSDEEP

12288:LxotTiah2kkkkK4kXkkkkkkkkl888888888888888888nusG:Rah2kkkkK4kXkkkkkkkkK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe

Executes dropped EXE 13 IoCs

pid	Process
2944	Mpmokb32.exe
3496	Mgghhlhq.exe
1732	Mjeddggd.exe
1532	Maohkd32.exe
3960	Mjjmog32.exe
2928	Maaepd32.exe
760	Mdpalp32.exe
2528	Njljefql.exe
1940	Nacbfdao.exe
1948	Nklfoi32.exe
3124	Ngedij32.exe
5116	Nqmhbpba.exe
2504	Nkcmohbg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2784	2504	WerFault.exe	96

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 2944	3688	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe	81
PID 3688 wrote to memory of 2944	3688	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe	81
PID 3688 wrote to memory of 2944	3688	315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe	81
PID 2944 wrote to memory of 3496	2944	Mpmokb32.exe	82
PID 2944 wrote to memory of 3496	2944	Mpmokb32.exe	82
PID 2944 wrote to memory of 3496	2944	Mpmokb32.exe	82
PID 3496 wrote to memory of 1732	3496	Mgghhlhq.exe	83
PID 3496 wrote to memory of 1732	3496	Mgghhlhq.exe	83
PID 3496 wrote to memory of 1732	3496	Mgghhlhq.exe	83
PID 1732 wrote to memory of 1532	1732	Mjeddggd.exe	86
PID 1732 wrote to memory of 1532	1732	Mjeddggd.exe	86
PID 1732 wrote to memory of 1532	1732	Mjeddggd.exe	86
PID 1532 wrote to memory of 3960	1532	Maohkd32.exe	87
PID 1532 wrote to memory of 3960	1532	Maohkd32.exe	87
PID 1532 wrote to memory of 3960	1532	Maohkd32.exe	87
PID 3960 wrote to memory of 2928	3960	Mjjmog32.exe	88
PID 3960 wrote to memory of 2928	3960	Mjjmog32.exe	88
PID 3960 wrote to memory of 2928	3960	Mjjmog32.exe	88
PID 2928 wrote to memory of 760	2928	Maaepd32.exe	90
PID 2928 wrote to memory of 760	2928	Maaepd32.exe	90
PID 2928 wrote to memory of 760	2928	Maaepd32.exe	90
PID 760 wrote to memory of 2528	760	Mdpalp32.exe	91
PID 760 wrote to memory of 2528	760	Mdpalp32.exe	91
PID 760 wrote to memory of 2528	760	Mdpalp32.exe	91
PID 2528 wrote to memory of 1940	2528	Njljefql.exe	92
PID 2528 wrote to memory of 1940	2528	Njljefql.exe	92
PID 2528 wrote to memory of 1940	2528	Njljefql.exe	92
PID 1940 wrote to memory of 1948	1940	Nacbfdao.exe	93
PID 1940 wrote to memory of 1948	1940	Nacbfdao.exe	93
PID 1940 wrote to memory of 1948	1940	Nacbfdao.exe	93
PID 1948 wrote to memory of 3124	1948	Nklfoi32.exe	94
PID 1948 wrote to memory of 3124	1948	Nklfoi32.exe	94
PID 1948 wrote to memory of 3124	1948	Nklfoi32.exe	94
PID 3124 wrote to memory of 5116	3124	Ngedij32.exe	95
PID 3124 wrote to memory of 5116	3124	Ngedij32.exe	95
PID 3124 wrote to memory of 5116	3124	Ngedij32.exe	95
PID 5116 wrote to memory of 2504	5116	Nqmhbpba.exe	96
PID 5116 wrote to memory of 2504	5116	Nqmhbpba.exe	96
PID 5116 wrote to memory of 2504	5116	Nqmhbpba.exe	96

C:\Users\Admin\AppData\Local\Temp\315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\315c6b95b9b034bde36b257a44544910_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\SysWOW64\Mpmokb32.exe
  C:\Windows\system32\Mpmokb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\Mgghhlhq.exe
    C:\Windows\system32\Mgghhlhq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\SysWOW64\Mjeddggd.exe
      C:\Windows\system32\Mjeddggd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        14⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 412
        15⤵
        Program crash
        
        PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2504 -ip 2504
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Geegicjl.dll

Filesize
7KB

MD5
33f78f7d23266bffe60843795b48e1d0

SHA1
73309fb31b962adeeff7258eaf187af86969d52b

SHA256
1692d60c8993293ee64df19da1c523c9045ac97a7db370378febd11c190ebd7a

SHA512
a1ec4d45937cd07ce15f02608182c0d4c3d5c90bb9c7d9cb5379823217e0c3768465aeee0a4a637d74507ed23eb117ba269bbbf6ab9bc0390f349643136eea3d

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
464KB

MD5
758707e202801a9ed218959ee1aedeac

SHA1
91a2593361bc43b81ed6d8bddff1cc2ff8d04974

SHA256
8e293930ffdeb42887cf1749ad7be67ac67e9a346a07d3b22967c4ef2a21f2e3

SHA512
609696a0d2f43aec2551c42556ca9fe4b085da046db27d77d55bc8333e668de9367168c2338a76f4572d0fc6ab9f509b5c3eb041eb7b91ff2f1f4c063658d95b

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
464KB

MD5
4d5113f9ed0093495afab4febadf6277

SHA1
e6551ba1dfd6ab6eb6ee916236321fd7aa696a14

SHA256
fa9c0080d22fbd58ecc1ce3a55fbf2ea6fa1c59e144ed4393d74a005783902c1

SHA512
13262bf5714c1cbcb8fffdf445e1d174daa363badd60995e6de22f604770803ff724d6a5d39b1723c607efb7de66b93fa0f432f39cd498cb88f203a90b1f5cc8

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
464KB

MD5
519722f4e865f45fa663c9a86655bbff

SHA1
ae88f5f5d4020965bb404585aa5dcc9933fc799c

SHA256
16555ec1464950e58837ee0b65a8ec5b1617a66c4711c3d344c85a416677a2da

SHA512
b6a32d2d6953fb10f8ea47ff6cab1fd89dc622a2463c0125b2f571fbe98a4c83ad07711110abfc68f59711c3e812eaaa90eca8984f49fab02bd5518299f5ef81

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
464KB

MD5
4cd64c101738e6c63c69766fb8bfd0d3

SHA1
f53636374280269ac4f4de3c26bbe1d249510c32

SHA256
507576f1af73b4e29214b7cf47a7329567979d40ea8ac9ab2844d3a22f86aa47

SHA512
cbab3035ac955d29929ca2a35ae1a908724ea08f72cbffdab4bdbd83071a82d578246ac389569a8ddb91996d6abb376425597bf2ac9a67f273410f0f706e900a

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
464KB

MD5
9980cd8ea30abfee1091d62bb4b95235

SHA1
46b4030ab374b28055918e1d82bf8633df72324c

SHA256
ef6cfc33f4601ae13b4ed96447b2d671e5888b230a2210d18dc9d514d43cc526

SHA512
aec401b4e1b8e9d23679a7a7bff80dd74008aa64bd8eadec016ab321011c4d11217e83ae716bc4ab8bad3319bff34f83b6fe4387e927aab4ebfdb6e4da0f3eb1

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
464KB

MD5
e4ea190981deec158e72bdc0d1b1b426

SHA1
957edef836b79a6209d9d1c0aef7275bfbb96025

SHA256
d67772c247274ab42f82de6be5feef8668b9477ea4d9967c2e1b0bf77c994fb4

SHA512
bf7238ac0374b01755db7c7aa00251e67f9d0fd457032fdd8ee5bd125e60abfc0b1d9527e7bfd8d34ad36d0ae551f9563033c3cbd9e72b45ec15461a89b49f45

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
464KB

MD5
61b8846c5a0027b0493c1379df03d3a8

SHA1
18f24f987d30f0ff798078affe692f388e16fd31

SHA256
bb5b146ea9a0925ae815c707e84dd17cc7b0f6e9e746c0d26e03d478aaff7120

SHA512
f0536d382ffcedb6b28edd72f7b5df0d6414d4fe79ac1cdb1a6be8311008206638ba89029c194a3b1e988cc9b998cb32469b29f74e3cd3b00681e2dfb2a67d65

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
464KB

MD5
8ad257dfa1f6cb7a289bfd4117bb2d14

SHA1
ce4ca5c694a6632eadaae875c1f524e917aae332

SHA256
d1f5c773bd171454833c96215068d656e420d0ee2a20dbe03baed6ecd47fe61f

SHA512
199e633fcb86d664cfcb73d18f251d6ead2b20e9acc3ede217a8bb7157f6540965f605fa90d1eb3f3befbda99372d19b27dfc5f6d47c9789ad2a838c325de533

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
464KB

MD5
6fd08e8869c0c271464f888cd3955fc4

SHA1
87735c1b0c92c0f9276dd4266df6ac7f34cfe684

SHA256
3851eeaac258e0c1d05c113c2fca1dd6b04e14e8243c776204bf50e8a8aa5169

SHA512
7dc1bf312fc631d41ed063d4060b0c8b039265f442aeb57c4e680232275ef37e02a3a01b9981a7a1206d95d71daeffda3fba6fd1c1411169dd3e8a5856446e83

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
464KB

MD5
e7beb7e475a8d8a215212eeb6a2862b8

SHA1
0da20f413c219d2e12aa564893e8d1f378627bc1

SHA256
c11d35e6ee9a2c3060e839cb3d0302dcf47801391604f45bef8b6ffbfecb843f

SHA512
9f0dc4dabed79048ac430cc1ebe8a45f48309377c7b5a0c19522d4ea01953fead2196b8931b5a82052a87987f03346b84da8074bcb9cb43435210a38a8df103b

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
464KB

MD5
864835524095ae4400920a3cc37d2cce

SHA1
32f4a459c53512a371d438d432bc8e95baecb6f1

SHA256
1b09cfed800a808f8b171c050db6e132ef8701206602fd08f06def5b2ba8a971

SHA512
e3cb23e9306d26bdd22c101d87119c21ec2339340615435f6f15f834c96bf4b7d8e1725e38818e650f0117d44ce2b20d4d1a3b482e9fc515af7ff61116104550

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
464KB

MD5
b7400495b0946c2081878b4a9e72f2d0

SHA1
f1e4429254b618a7b7c8abbb2179c96713797bc2

SHA256
fea170d76db01dd36666bed900fd83138d74b6438ba2e4b3fbdbd942c8cd4a7c

SHA512
15e8937a8c8c0e56bf4a863edea044db3a61fe30b3164985cc24aa27611e82fa2f33d9250193109f6349a35707dfca0858f02c79b7da2fb5b3fc8781d6644555

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
464KB

MD5
5ffa402c1766697ae4aece6f7cfabd6b

SHA1
6c3e226c02097b6634c41b48d83ff9755ece7e13

SHA256
d8fca2b883dc590009a02c1a7cfb0cd70eefbd4df8178d737adedf36fe895b8c

SHA512
4d28bebe6942f6262349e6f8cb648c3950d6acafcc630740e160ce57f36ff64ea9e281b3ae5afeaf72a67632944974c77db778788532c3e9701011802ea96422

Download Submit
memory/760-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1532-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2504-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5116-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads