7790066db9a04d50657deab9e11fd30072a9e8c1353f030c4d06cebbd4b6c8e6

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
Size

80KB
MD5

c0f6765ba924d3dc3acdae77d9966d60
SHA1

db772312c7a4e5d3334cf237bc69c89ed1f002e1
SHA256

7790066db9a04d50657deab9e11fd30072a9e8c1353f030c4d06cebbd4b6c8e6
SHA512

1ebd4c04abbf7cb38b966c85884d460ed0b327018f122270ab323c5c27cc0ea51da529240b57b312813a2d0287220e8c9026094236dabd6bf73e1e9780368e4a
SSDEEP

1536:FhDgwEXL4VAH4upwF35/7SQihRs+/VxzDfWqdMVrlEFtyb7IYOOqw4Tv:FFeXRY3/73wVxzTWqAhELy1MTTv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe

Executes dropped EXE 14 IoCs

pid	Process
4456	Mdpalp32.exe
1780	Mgnnhk32.exe
2360	Nnhfee32.exe
3952	Nqfbaq32.exe
4820	Ngpjnkpf.exe
4344	Nnjbke32.exe
604	Nqiogp32.exe
3328	Nkncdifl.exe
1176	Nnmopdep.exe
3788	Ndghmo32.exe
456	Ngedij32.exe
1704	Nnolfdcn.exe
844	Ndidbn32.exe
3728	Nkcmohbg.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mdpalp32.exe	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1268	3728	WerFault.exe	96

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4456	4280	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe	81
PID 4280 wrote to memory of 4456	4280	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe	81
PID 4280 wrote to memory of 4456	4280	c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe	81
PID 4456 wrote to memory of 1780	4456	Mdpalp32.exe	82
PID 4456 wrote to memory of 1780	4456	Mdpalp32.exe	82
PID 4456 wrote to memory of 1780	4456	Mdpalp32.exe	82
PID 1780 wrote to memory of 2360	1780	Mgnnhk32.exe	83
PID 1780 wrote to memory of 2360	1780	Mgnnhk32.exe	83
PID 1780 wrote to memory of 2360	1780	Mgnnhk32.exe	83
PID 2360 wrote to memory of 3952	2360	Nnhfee32.exe	84
PID 2360 wrote to memory of 3952	2360	Nnhfee32.exe	84
PID 2360 wrote to memory of 3952	2360	Nnhfee32.exe	84
PID 3952 wrote to memory of 4820	3952	Nqfbaq32.exe	85
PID 3952 wrote to memory of 4820	3952	Nqfbaq32.exe	85
PID 3952 wrote to memory of 4820	3952	Nqfbaq32.exe	85
PID 4820 wrote to memory of 4344	4820	Ngpjnkpf.exe	86
PID 4820 wrote to memory of 4344	4820	Ngpjnkpf.exe	86
PID 4820 wrote to memory of 4344	4820	Ngpjnkpf.exe	86
PID 4344 wrote to memory of 604	4344	Nnjbke32.exe	87
PID 4344 wrote to memory of 604	4344	Nnjbke32.exe	87
PID 4344 wrote to memory of 604	4344	Nnjbke32.exe	87
PID 604 wrote to memory of 3328	604	Nqiogp32.exe	89
PID 604 wrote to memory of 3328	604	Nqiogp32.exe	89
PID 604 wrote to memory of 3328	604	Nqiogp32.exe	89
PID 3328 wrote to memory of 1176	3328	Nkncdifl.exe	90
PID 3328 wrote to memory of 1176	3328	Nkncdifl.exe	90
PID 3328 wrote to memory of 1176	3328	Nkncdifl.exe	90
PID 1176 wrote to memory of 3788	1176	Nnmopdep.exe	92
PID 1176 wrote to memory of 3788	1176	Nnmopdep.exe	92
PID 1176 wrote to memory of 3788	1176	Nnmopdep.exe	92
PID 3788 wrote to memory of 456	3788	Ndghmo32.exe	93
PID 3788 wrote to memory of 456	3788	Ndghmo32.exe	93
PID 3788 wrote to memory of 456	3788	Ndghmo32.exe	93
PID 456 wrote to memory of 1704	456	Ngedij32.exe	94
PID 456 wrote to memory of 1704	456	Ngedij32.exe	94
PID 456 wrote to memory of 1704	456	Ngedij32.exe	94
PID 1704 wrote to memory of 844	1704	Nnolfdcn.exe	95
PID 1704 wrote to memory of 844	1704	Nnolfdcn.exe	95
PID 1704 wrote to memory of 844	1704	Nnolfdcn.exe	95
PID 844 wrote to memory of 3728	844	Ndidbn32.exe	96
PID 844 wrote to memory of 3728	844	Ndidbn32.exe	96
PID 844 wrote to memory of 3728	844	Ndidbn32.exe	96

C:\Users\Admin\AppData\Local\Temp\c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c0f6765ba924d3dc3acdae77d9966d60_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SysWOW64\Mdpalp32.exe
  C:\Windows\system32\Mdpalp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\Mgnnhk32.exe
    C:\Windows\system32\Mgnnhk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\SysWOW64\Nnhfee32.exe
      C:\Windows\system32\Nnhfee32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
      - C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        15⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 400
        16⤵
        Program crash
        
        PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3728 -ip 3728
1⤵
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
80KB

MD5
b0473854603916acf1a23ac26b86f4da

SHA1
56d8e6faa9b703f69cbd70f613bb22bd65f2b1d7

SHA256
f0411f4f04a34b2f3b4e9e73d42030e164bd97c09163b1980a4d59e5665692ec

SHA512
8edf4f04874c6074be2fae58f88e10a0afbedfd4588706e00e5d224a346f38f1155b9993a8fc6f9d093b2ba8efe023dee56ed0b9686d2e0dd5e997d990c42c55

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
80KB

MD5
741cd34ec789ef666d2c2572d322163b

SHA1
2cd97b9f0125041f1e710342ac7af1bf6c56c4f2

SHA256
37ca7c6eb105057ccd2cb69c935517210c875e1c879e409e8f722cc4e6e81224

SHA512
bddcd69c1339c8117438a4443961e4578258c11fb3f7186f608f645b4ab751c12d65bead8634f075a392e84c5b960da3b6894fb620b4de68331def43c755ed90

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
80KB

MD5
9650d2c61d0c1d42a5c8dec928746bad

SHA1
dcaeef68e66be132b475720e77b27a387f382132

SHA256
a8d6127cd41f8ca7c24e915ba6f54c67f0938c9c8b64c1e05ba5a15688c7fcaa

SHA512
f561a79cc4fc2107c83d983374856a20321666389d152b9edaaa5b09ddf7004a107566afbb4a6673a626841f39eb61881b8af62a16955413f185bdaece68398a

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
80KB

MD5
2dd000f4306accc84e525be4b3c7e260

SHA1
ac394055e01d0f84d7e27c9632662ed3ab7e1d26

SHA256
340a7127514ce9633f092eced2e58624e92bf9a210007b771b3e74fe7b2acfe8

SHA512
97c9ab20afa8379e1386fe2290279f0c274d0b85f2a4e42b23ca58bc6060abbeaca847d28c681bc9b2e61bc7935aa4fd64a9800137dd3e87250c3ec9eacf4471

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
80KB

MD5
52acf6446d1a90183358e460ed4f9257

SHA1
fc0f52beab85ebd0568214ec2d3515e54875b91c

SHA256
9cb28eaa55a422442208a31d4cc661839760d80536368637cd0d38e16dce2de9

SHA512
c310979e3b506b803118dfd6b39b3b87c4c750396d62a4c509a6e3f054ace040b3c37b1d86bc80e53bad7571e31ea2e55d6066377ee68a3a308a535bd044d385

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
80KB

MD5
80adf22dfd839849a29ff305637b70c9

SHA1
9403997f890208cee6a119e68dfff0dbfbeea041

SHA256
dd3c7fa8e9a6c173bbb40026256d6e1ab2f12fe08a458923e12834fbae5b46d9

SHA512
0468d2e0c3863acaa06f43caf72bbf281abd7a77c8abe3a263a3d4c5c6578157d391adaa4e0125a69e5590d904295f2b0a2132d0329ca5da19d7d434a8102a04

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
80KB

MD5
37635dc22af596f507d350c6c6a96a32

SHA1
9af37a466c507914fd9147f32861a114ee811598

SHA256
34ff9c2013334cd451acbefc062a0961e9cc62f552557f5b73c57cd6b6f08abe

SHA512
cabb05847ee76b856a0113ddf7b7e1e71f077cae7e7e00bba78d9a4304c85cb3fbda355d0c0d4b3a2ff6d5b026dd6df3403e19e854602feb2b1096c1e7334169

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
80KB

MD5
907ae83bd6bf4d7f107f7fb40850253f

SHA1
00b5dcd3223eb29a21ddeac473ddfb4f5a4862e1

SHA256
7ec5bf531855d07188ab0068b4d72b096ceaa8f89109c68419f6bfd2a7f76019

SHA512
514c4607e85bb111d8051e50dc3fce4feafe4ea1b1e00878378d00c22f0e1865772b4b944952083ea5a3d9b88909546666c7c7967d57a2b279b7e9a5d31cf836

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
80KB

MD5
3b14a79eee9b540cf85fae0ec8858817

SHA1
3a21e4b71aba93dc352856c9f6e0ba920b786e02

SHA256
bec92a94b56953ff543be2a7abc27402be33e18bbd67641eb4577288026e49a5

SHA512
acf166a862f815e40dd978d431da8cd7aa3cd258118f9a77fde3cf5dd4198a3258e560b53eae03b1540fc775219393d7fae693707f3e3f7e0d1438318e9bf5e7

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
80KB

MD5
ad3e30cc0b900637773dcda8a6e63d68

SHA1
0bf09aed041ed5cb346e8cd95de7d1b525620dc9

SHA256
0f98661ac43884f42a008caf1b7a39b191ad8bf677303c46c89bbe34756052cb

SHA512
30758d3f023721a667aea90d761655612f8ff3c683dd2e66967467a315fe358a36a1d4e898fa85721f10e9bbbe1da9f22c43c532bbb783a3c29476a60b89dee8

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
80KB

MD5
7bd01df319727bdc7503773b46a854f3

SHA1
39979f25020ecf7807f721dd79fb0774aabbfadd

SHA256
abe9d72bf8fa8abcf6d9aa739023004872b6d080604db2d2153c2125d6acbe4a

SHA512
45af202708dc04477031c739b490c9a767fef9141d3aca064e381e0203c400e5038b01b22b5782a8c8834b012184f7ce17a35f9590b8faa852329ba8e1bed0ce

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
80KB

MD5
c56dcb93423e66f2bec99acb4ea04e9e

SHA1
e41c6e163f7d50447ae3584ff973444b5e76cb3e

SHA256
91e75d86e1c1bf8c8020a006529afab6f3ef6e4e7b9ed222fbec34b365b18584

SHA512
c9f1dd4663643e43b98aaba2a68b061571f10559da1cd5a0cab3e855411ddf07f19cbc6bbaa00b0f4a13ee59668ce8a748466fc1bed10334c64736083073024c

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
80KB

MD5
da1d564b6b4b3f71027dd0fe37cfc8e7

SHA1
46b4ecbd21f03bf05f5ec1e0df8ecc8e63b10bdc

SHA256
6acfcdfb5deb905e8e9a0c6f07f2c7dbdd76fa21161dc1ee876a984d74723493

SHA512
088c9bf85ca3ae952049c2def95cf786f2e3b0510dd59a93b2cec9faa48ac9e374ec00aedf23297583e7079103ef3ddf838d5916a6e15236f978c716dc526629

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
80KB

MD5
a3eec19b97f4c135faddcf15f11da92a

SHA1
687c49653cd29945df20ecabcab643448e0b14d7

SHA256
982c3ec4785ad75e85e6090e79b9310641c43f76cbe165086ccf44bb04bbf77a

SHA512
aa0917133846af08d3887e4e0fef03e0d69a21354527a55485527b95023e798e490f1e6a6e21d55218a09efbe726d13137dcbb443e4252540dd83b9eec135652

Download Submit
memory/456-117-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/456-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/604-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/604-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/844-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/844-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1176-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1176-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-116-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1704-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1780-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-124-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3328-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3728-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3728-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3788-118-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3788-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3952-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3952-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4280-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4280-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4280-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4344-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4344-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4456-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads