Malware Analysis Report

2025-03-15 05:41

Sample ID 240510-j3yb9acc7s
Target ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics
SHA256 c555849c52b9581bdb1f743c65fee52ed1f6e244d416f7c05a717cb92249072b
Tags: aspackv2, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: c555849c52b9581bdb1f743c65fee52ed1f6e244d416f7c05a717cb92249072b

Threat Level: Shows suspicious behavior

The file ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics was classified as showing suspicious behavior.

Malicious Activity Summary

Tags: aspackv2, persistence

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15 (the matrix was an interactive element; no technique mappings survive in this export)

Analysis: static1

Detonation Overview

Reported

2024-05-10 08:12

Signatures

Unsigned PE (signature match only, no indicator rows)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-10 08:12
Reported: 2024-05-10 08:14
Platform: win7-20240215-en
Max time kernel: 141s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42 (tag: aspackv2; signature match only, no indicator rows)

Executes dropped EXE

Process: C:\Program Files\svchost.exe

Adds Run key to start application (tag: persistence)

Description | Indicator | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MFPOZCT.EXE = "C:\\Users\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe

Note that the Run value points at C:\Users\svchost.exe, a path that does not appear among the files this run recorded as created (the copy the monitor saw is C:\Program Files\svchost.exe), while the value name MFPOZCT.EXE matches the executable dropped into SysWOW64 below. Treat C:\Users\svchost.exe as a path to hunt for, not as a confirmed artefact.

Enumerates connected drives

Description | Indicator | Process
File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: (17 drive letters, one open each) | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe

Drops file in System32 directory

Description | Indicator | Process
File created | C:\Windows\SysWOW64\MFPOZCT.EXE | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe

Drops file in Program Files directory

Description | Indicator | Process
File created | C:\Program Files\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe
File created | C:\Program Files\TPCM.EXE | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe
File created | C:\Program Files\ETME.EXE | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe

Modifies registry class

Process legend: (dropper) = C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe; (Regsvr32) = C:\Windows\SysWOW64\Regsvr32.exe; (svchost) = C:\Program Files\svchost.exe. Target was N/A for every row. Rows are grouped by purpose; each row is "Description | Indicator | Process".

File-association hijack: the dropper rewrites the shell\open\command handler of the built-in txtfile, regfile, inifile and scrfile ProgIDs so that opening such a file launches the executable named in the value; for chm.file only the key creation is recorded. These keys live directly under Classes, which is shared between 32-bit and 64-bit views, so the hijack affects every process on the system.
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | (dropper)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\TQKFXZF.EXE %1" | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | (dropper)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\MFPOZCT.EXE \"%1\"" | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | (dropper)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Users\\MFPOZCT.EXE %1" | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | (dropper)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files\\ETME.EXE \"%1\"" | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | (dropper)

Sample-specific marker key (created by both the dropper and the dropped svchost.exe; qp7002 records the path of the copy dropped into SysWOW64):
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | (svchost)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\MFPOZCT.EXE" | (dropper)

COM registration of the dropped DLL, performed by its DllRegisterServer under Regsvr32. The CLSID lands under Wow6432Node because the registering process is the 32-bit SysWOW64\Regsvr32.exe, so only 32-bit COM clients resolve it. The ProgID names a ShellExecuteHook, but no write to the Explorer\ShellExecuteHooks key appears in this report, so the hook being armed is not evidenced here.
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | (Regsvr32)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | (Regsvr32)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | (Regsvr32)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | (Regsvr32)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | (Regsvr32)

Suspicious behavior: GetForegroundWindowSpam

Process: C:\Program Files\svchost.exe (repeated GetForegroundWindow polling; no indicator rows)

Suspicious use of WriteProcessMemory

Description | Process | Target
PID 2260 wrote to memory of 2596 (7 events) | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2260 wrote to memory of 2668 (4 events) | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe | C:\Program Files\svchost.exe

PID 2260 is the dropper; 2596 is the Regsvr32.exe it launched and 2668 the dropped svchost.exe (see Processes and the memory dumps under Files). Writes from a parent into a child it has just created are also produced by ordinary process creation, so these rows by themselves do not establish code injection.

Processes

C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe C:\Windows\system32\Ms7002.dll /s

(The command line names system32, but this is the 32-bit Regsvr32, so the WOW64 file system redirector resolves the path to the C:\Windows\SysWOW64\Ms7002.dll the dropper created; /s suppresses the DllRegisterServer result dialog.)

C:\Program Files\svchost.exe

"C:\Program Files\svchost.exe"

Network

No network activity recorded in this detonation.

Files

memory/2260-0-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2260-1-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Program Files\ETME.EXE

MD5 4fc48221e37e2b26649829b69a76dd7c
SHA1 31e2a3a4fe96d445046d050b8125162122dbe84d
SHA256 c4ab45ace9905071de4868c67e3113bc12d0f8620db13a7999390e37452821b0
SHA512 52a0b0fbfa4f70e6e8da761f595880cf6699cf2e86e91b74631b0766794dc3d57e4d04e0c0fd4a8072a494a68295206246df74fc71747a9b333c61ae3a28390b

C:\Windows\SysWOW64\Ms7002.dll

MD5 876a2a99b81968f5b26e3cbe12063d2b
SHA1 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256 f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512 ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

\Program Files\svchost.exe

MD5 8096bc4fe938ba40cdbb5af9efd2c31f
SHA1 86c66b9c58d410119e842647a81710cbb48c3e07
SHA256 f8f10aadbe55eef2f06e5c7951f19cd2e0c8d56958b28e0516a5b9c3786ef8b2
SHA512 60b3d14ce8c19178b1e6880517b599cee5383d7158371706f7f768028ab90675c5ddd7c8b749321b1fd1a96fe4c7b2de91f305b51851b5647fb23299ea544f88

memory/2668-33-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2260-32-0x00000000020A0000-0x000000000211D000-memory.dmp

memory/2668-31-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2260-34-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2260-30-0x00000000020A0000-0x000000000211D000-memory.dmp

memory/2668-35-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2668-36-0x00000000002A0000-0x00000000002A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-10 08:12
Reported: 2024-05-10 08:14
Platform: win10v2004-20240508-en
Max time kernel: 141s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42 (tag: aspackv2; signature match only, no indicator rows)

Executes dropped EXE

Process: C:\Program Files\svchost.exe

Loads dropped DLL

Process: C:\Windows\SysWOW64\Regsvr32.exe

Adds Run key to start application (tag: persistence)

Description | Indicator | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NYQZ.EXE = "C:\\Program Files\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe

Enumerates connected drives

Description | Indicator | Process
File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: (17 drive letters, one open each) | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe

Drops file in System32 directory

Description | Indicator | Process
File created | C:\Windows\SysWOW64\GMNPFH.EXE | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe

Drops file in Program Files directory

Description | Indicator | Process
File created | C:\Program Files\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe
File created | C:\Program Files\CTHG.EXE | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\svchost.exe | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe

Drops file in Windows directory

Description | Indicator | Process
File created | C:\Windows\GMNPFH.EXE | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe
File created | C:\Windows\NWIGDEL.EXE | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\NWIGDEL.EXE | C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe

Modifies registry class

Process legend: (dropper) = C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe; (Regsvr32) = C:\Windows\SysWOW64\Regsvr32.exe; (svchost) = C:\Program Files\svchost.exe. Target was N/A for every row. Rows are grouped by purpose; each row is "Description | Indicator | Process".

File-association hijack: the dropper rewrites the shell\open\command handler of the built-in txtfile, regfile, inifile and scrfile ProgIDs so that opening such a file launches the executable named in the value; for chm.file only the key creation is recorded. Unlike the win7 run, every handler here points at a file this run recorded as created (C:\Windows\NWIGDEL.EXE, C:\Windows\GMNPFH.EXE).
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | (dropper)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\NWIGDEL.EXE %1" | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | (dropper)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\NWIGDEL.EXE \"%1\"" | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | (dropper)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Windows\\GMNPFH.EXE %1" | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | (dropper)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\NWIGDEL.EXE \"%1\"" | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | (dropper)

Sample-specific marker key (created by both the dropper and the dropped svchost.exe; qp7002 records the path of the copy dropped into SysWOW64):
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | (dropper)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | (svchost)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\GMNPFH.EXE" | (dropper)

COM registration of the dropped DLL, performed by its DllRegisterServer under the 32-bit SysWOW64\Regsvr32.exe (hence WOW6432Node). The CLSID, the "MaiHook7002" name and the Ms7002.ShellExecuteHook ProgID are identical to the win7 run; as there, no write to Explorer\ShellExecuteHooks is shown.
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | (Regsvr32)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | (Regsvr32)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | (Regsvr32)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | (Regsvr32)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | (Regsvr32)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | (Regsvr32)
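The registry rows of the two detonations (the Run keys and "Modifies registry class" tables of behavioral1 and behavioral2) are the most durable evidence in this report: the Run value, the rewritten shell\open\command handlers and the CLSID registration recur in both runs while the dropped file names change. The following Python is an added example, not part of the sandbox output and not code from the sample: a triage routine that parses "Set value (str)" rows in the flattened form this report uses, unescapes the value column, and flags Run-key persistence, shell\open\command handlers that no longer point into the Windows system directories, COM InprocServer32 registrations, values that resolve to a file the report lists as dropped, and Windows process names (svchost.exe) living outside system32. The sample rows are copied from both tables; the last row (notepad as the txtfile handler, written by explorer.exe) is a constructed benign control. SYSTEM_DIRS, SYSTEM_NAMES and DROPPED are assumptions for this example, not lists produced by the report tooling.

```python
import ntpath
import re

# Registry "Set value (str)" rows copied from the behavioral1 and behavioral2
# tables of this report, in the flattened form the report uses, plus one
# constructed benign row (notepad as the txtfile handler, set by explorer.exe).
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MFPOZCT.EXE = "C:\\Users\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NYQZ.EXE = "C:\\Program Files\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\TQKFXZF.EXE %1" C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\MFPOZCT.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\NWIGDEL.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\explorer.exe N/A
"""

# One flattened row: description, key, quoted value, process, target.
ROW_RE = re.compile(r'^Set value \(str\) (?P<key>\S+) = "(?P<val>.*)" (?P<proc>\S+) (?P<target>\S+)$')
RUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
ASSOC_RE = re.compile(r"\\Classes\\(?P<progid>[^\\]+)\\shell\\open\\command\\$", re.I)
INPROC_RE = re.compile(r"\\CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InprocServer32\\$", re.I)

# Assumption: where a legitimate shell\open\command handler is expected to live.
SYSTEM_DIRS = ("%systemroot%\\system32\\", "%systemroot%\\syswow64\\",
               "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: Windows process names malware borrows; real copies live in system32.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
# Files the "Drops file in ..." tables of both runs list as created (copied from the report).
DROPPED = {p.lower() for p in (
    r"C:\Windows\SysWOW64\MFPOZCT.EXE", r"C:\Windows\SysWOW64\Ms7002.dll",
    r"C:\Program Files\svchost.exe", r"C:\Program Files\TPCM.EXE",
    r"C:\Program Files\ETME.EXE", r"C:\Windows\SysWOW64\GMNPFH.EXE",
    r"C:\Program Files\CTHG.EXE", r"C:\Windows\GMNPFH.EXE", r"C:\Windows\NWIGDEL.EXE",
)}


def unescape(value):
    """Undo the backslash escaping the report applies to the value column."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def exe_of(value):
    """Executable that a Run value or a shell\\open\\command string launches."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    if value.lower().endswith(".exe"):
        return value                      # bare path, possibly containing spaces
    return value.split(" ")[0]            # path followed by arguments such as %1


def classify(key, value):
    """Reasons a Set value row deserves attention; an empty list means benign."""
    reasons = []
    exe = exe_of(value).lower()
    in_sysdir = exe.startswith(SYSTEM_DIRS)
    if RUN_RE.search(key):
        reasons.append("run_key")
    m = ASSOC_RE.search(key)
    if m and not in_sysdir:
        reasons.append("assoc_hijack:" + m.group("progid").lower())
    m = INPROC_RE.search(key)
    if m:
        reasons.append("com_inproc:" + m.group("clsid").upper())
    if exe in DROPPED:
        reasons.append("points_to_dropped_file")
    if ntpath.basename(exe) in SYSTEM_NAMES and not in_sysdir:
        reasons.append("masquerade:" + ntpath.basename(exe))
    return reasons


def triage(report_text):
    """Parse flattened 'Set value (str)' rows and return the flagged ones in order."""
    findings = []
    for line in report_text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        value = unescape(m.group("val"))
        reasons = classify(m.group("key"), value)
        if reasons:
            findings.append({"key": m.group("key"), "value": value,
                             "process": ntpath.basename(m.group("proc")),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f['process']:<16} {', '.join(f['reasons']):<64} {f['value']}")
```

Run against the rows above, the routine flags six of the eight: both Run values (the first additionally as a svchost.exe masquerade outside system32, the second as pointing at a dropped file), the three handler rewrites, and the InprocServer32 path that resolves to the dropped Ms7002.dll; the ThreadingModel row and the notepad control pass. Note what it surfaces about behavioral1: the regfile, inifile and txtfile handlers there point at C:\Users\MFPOZCT.EXE and C:\Users\TQKFXZF.EXE, which are not in that run's dropped-file list, so they do not earn the points_to_dropped_file reason and should be hunted for rather than assumed present.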

Suspicious behavior: GetForegroundWindowSpam

Process: C:\Program Files\svchost.exe (repeated GetForegroundWindow polling; no indicator rows)

Processes

C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\ab99dc3adb4bc243ce9a8c6f6c0788a0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe C:\Windows\system32\Ms7002.dll /s

(The command line names system32, but this is the 32-bit Regsvr32, so the WOW64 file system redirector resolves the path to the C:\Windows\SysWOW64\Ms7002.dll the dropper created; /s suppresses the DllRegisterServer result dialog.)

C:\Program Files\svchost.exe

"C:\Program Files\svchost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8

(The report shows no relationship between the sample and this Edge utility process; it is background activity of the win10 image.)
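The same DLL is named three ways in this report: the Regsvr32 command line asks for C:\Windows\system32\Ms7002.dll, the file-create event records C:\Windows\SysWOW64\Ms7002.dll, and InprocServer32 is set to C:\Windows\SysWow64\Ms7002.dll. Likewise the CLSID is written under Classes\Wow6432Node\CLSID while the txtfile, regfile, inifile and scrfile handlers sit directly under Classes. Both are WOW64 redirection at work: the registering process is the 32-bit SysWOW64\Regsvr32.exe, and the sample's own Run value also lands under Wow6432Node. The following Python is an added example, not from the report or the sample, that models just the redirection rules needed to correlate these sightings: system32 to SysWOW64 (and Sysnative back) for files, and, for HKLM\SOFTWARE, redirection to Wow6432Node except under Classes, where only the CLSID, DirectShow, Interface, Media Type and MediaFoundation subkeys are redirected. The C:\Windows root, the limited subkey list and the recorded-from-bitness of each sighting are assumptions stated in the comments.

```python
# Subkeys of HKLM\SOFTWARE\Classes that WOW64 redirects for 32-bit processes.
# Assumption: only the subkeys relevant to this sample are modelled; the full
# shared/redirected exception lists for HKLM\SOFTWARE are not reproduced.
REDIRECTED_CLASSES_SUBKEYS = {"clsid", "directshow", "interface", "media type", "mediafoundation"}


def wow64_file_view(path, process_is_32bit):
    r"""Real path a process touches on 64-bit Windows.

    For a 32-bit (WOW64) process the file system redirector maps
    C:\Windows\system32 to C:\Windows\SysWOW64, and the Sysnative alias maps
    back to the real System32. Assumption: absolute paths with the system root
    at C:\Windows; other redirector exemptions are not modelled."""
    parts = path.replace("/", "\\").split("\\")
    if (process_is_32bit and len(parts) > 3
            and parts[0].lower() == "c:" and parts[1].lower() == "windows"):
        if parts[2].lower() == "system32":
            parts[2] = "SysWOW64"
        elif parts[2].lower() == "sysnative":
            parts[2] = "System32"
    return "\\".join(parts)


def wow64_registry_view(key, process_is_32bit):
    r"""Native key (\REGISTRY\MACHINE\SOFTWARE\...) a process reaches.

    HKLM\SOFTWARE is redirected to Wow6432Node for 32-bit processes, except
    that HKLM\SOFTWARE\Classes is shared apart from REDIRECTED_CLASSES_SUBKEYS.
    That is why this report shows the CLSID under Classes\Wow6432Node\CLSID but
    txtfile\shell\open\command without the Wow6432Node component."""
    parts = key.split("\\")
    prefix = [p.lower() for p in parts[:4]]
    if (not process_is_32bit or len(parts) < 5
            or prefix != ["", "registry", "machine", "software"]):
        return key
    if parts[4].lower() == "wow6432node":
        return key                                   # already the redirected view
    if parts[4].lower() == "classes":
        if len(parts) > 5 and parts[5].lower() in REDIRECTED_CLASSES_SUBKEYS:
            parts.insert(5, "Wow6432Node")
        return "\\".join(parts)
    parts.insert(4, "Wow6432Node")
    return "\\".join(parts)


# The three sightings of the dropped DLL in this report, each tagged with the
# bitness of the view it was recorded from (assumption): the Regsvr32 command
# line is what the 32-bit SysWOW64\Regsvr32.exe asked for, while the
# file-create event and the InprocServer32 value are unredirected paths.
DLL_SIGHTINGS = [
    ("regsvr32 command line", r"C:\Windows\system32\Ms7002.dll", True),
    ("file created", r"C:\Windows\SysWOW64\Ms7002.dll", False),
    ("InprocServer32 value", r"C:\Windows\SysWow64\Ms7002.dll", False),
]


def resolve_sightings(sightings):
    """Map every sighting to the real, case-folded path it denotes."""
    return {label: wow64_file_view(path, is32).lower() for label, path, is32 in sightings}


def same_file(sightings):
    """True when all sightings denote one file once redirection is applied."""
    return len(set(resolve_sightings(sightings).values())) == 1


if __name__ == "__main__":
    for label, real in resolve_sightings(DLL_SIGHTINGS).items():
        print(f"{label:<24} -> {real}")
    print("same file:", same_file(DLL_SIGHTINGS))
    for k in (r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}",
              r"\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command",
              r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"):
        print(k, "->", wow64_registry_view(k, True))
```

The practical consequence for detection: a rule that looks for Ms7002.dll under system32, or for the CLSID under the unprefixed Classes\CLSID, misses this sample on 64-bit Windows, whereas the file-association hijack under Classes\txtfile and friends is visible to, and affects, both 32-bit and 64-bit processes.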

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
BE | 88.221.83.193:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 193.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp

The report attributes none of this traffic to the sample's processes: the entries are reverse-DNS (in-addr.arpa) lookups against 8.8.8.8 and one TLS connection to www.bing.com, consistent with background activity of the win10 image (an Edge utility process appears in the process list). No traffic attributable to the sample was recorded in either detonation.

Files

memory/1472-0-0x0000000000400000-0x000000000047D000-memory.dmp

memory/1472-11-0x0000000002210000-0x0000000002211000-memory.dmp

C:\Windows\NWIGDEL.EXE

MD5 20b776c79cb822c2684d9d249068a9ae
SHA1 bcf195c4a768b456c4c885463a9bba8b52d85669
SHA256 8d9ef25568e37e7082e2e12f8739c770f7f7ebf700179a7a2c46506554fc70c0
SHA512 cccf0ecc027fabd205f0f942b9803fb204d72d812a9cabe0ab3d0f5ce1923deb386db3247b486a267a1133f8c2e700c0cf238a646f8019838e4790363b8216f8

C:\Windows\SysWOW64\Ms7002.dll

MD5 876a2a99b81968f5b26e3cbe12063d2b
SHA1 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256 f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512 ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

C:\Program Files\svchost.exe

MD5 70651247849a28a7d46b816391ddf3e9
SHA1 ec11bf5fb9135faabad0f444abcf8ece7ae187e6
SHA256 1b67bb657d28421c9860ce69e3c7e40e6e5a9d4a8fb9b4a4d05cfb25e96e4f2e
SHA512 140ad4ae7ea4e7b56c4a8cc217956ede243f109244f6e33f305a7a13aebb11b8e1d57028025227cd32a0515ddf14b91693a71d8448406d2d6aba2444948a1260

memory/2436-26-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2436-27-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/1472-28-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2436-29-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2436-30-0x00000000023D0000-0x00000000023D1000-memory.dmp
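Read together, the Files sections of the two detonations show which dropped files are worth a hash-based indicator: C:\Windows\SysWOW64\Ms7002.dll has the same SHA-256 in the win7 and win10 runs, whereas the svchost.exe copy dropped into Program Files has a different hash in each run and the other executables (ETME.EXE, NWIGDEL.EXE) appear under run-specific random names. The following Python is an added example, not output of the sandbox and not code from the sample: it takes the per-run path/SHA-256 pairs copied from the report, normalizes paths (behavioral1 lists the svchost.exe copy without a drive letter), and sorts each artefact into stable, rewritten or run-specific.

```python
# SHA-256 values of the dropped files, copied from the Files sections of the two
# detonations above (behavioral1 = win7 image, behavioral2 = win10 image).
RUN_FILES = {
    "behavioral1": {
        r"C:\Program Files\ETME.EXE":
            "c4ab45ace9905071de4868c67e3113bc12d0f8620db13a7999390e37452821b0",
        r"C:\Windows\SysWOW64\Ms7002.dll":
            "f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0",
        r"\Program Files\svchost.exe":
            "f8f10aadbe55eef2f06e5c7951f19cd2e0c8d56958b28e0516a5b9c3786ef8b2",
    },
    "behavioral2": {
        r"C:\Windows\NWIGDEL.EXE":
            "8d9ef25568e37e7082e2e12f8739c770f7f7ebf700179a7a2c46506554fc70c0",
        r"C:\Windows\SysWOW64\Ms7002.dll":
            "f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0",
        r"C:\Program Files\svchost.exe":
            "1b67bb657d28421c9860ce69e3c7e40e6e5a9d4a8fb9b4a4d05cfb25e96e4f2e",
    },
}


def norm_path(path):
    r"""Case-fold and drop the drive letter, so the report's
    '\Program Files\svchost.exe' (behavioral1) and
    'C:\Program Files\svchost.exe' (behavioral2) compare as one location."""
    p = path.replace("/", "\\").lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p


def compare_runs(runs):
    """Group dropped files by normalized path across all runs and sort them into
    stable (same hash everywhere), rewritten (same path, differing hash) or
    run_specific (absent from at least one run)."""
    by_path = {}
    for run, files in runs.items():
        for path, sha in files.items():
            by_path.setdefault(norm_path(path), {})[run] = sha.lower()
    result = {"stable": {}, "rewritten": {}, "run_specific": {}}
    for path, seen in by_path.items():
        if len(seen) < len(runs):
            result["run_specific"][path] = seen
        elif len(set(seen.values())) == 1:
            result["stable"][path] = next(iter(seen.values()))
        else:
            result["rewritten"][path] = seen
    return result


def hash_iocs(runs):
    """Hashes safe to ship as indicators: those identical in every detonation."""
    return sorted(set(compare_runs(runs)["stable"].values()))


if __name__ == "__main__":
    verdict = compare_runs(RUN_FILES)
    for bucket, entries in verdict.items():
        print(bucket)
        for path, info in entries.items():
            print("   ", path, info)
    print("hash IOCs:", hash_iocs(RUN_FILES))
```

Only the stable bucket (here, just the Ms7002.dll hash) is a safe file-hash indicator. For the rest, the registry strings that recur in both runs (CLSID {7CD4138D-4147-420B-9749-00A13B526785}, ProgID Ms7002.ShellExecuteHook, the "MaiHook7002" name, the Classes\QPWorkFile\qp7002 value) and the behaviour itself (an svchost.exe outside system32 in a Run key, rewritten shell\open\command handlers) are the durable indicators.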