217f30afacca7e8cef595b0fd55a67a68649202177088c2ccfca557ad12d81c2

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
Size

128KB
MD5

3b61ef24242dbf57f77bca78a1e54a10
SHA1

797f42f754057638990e069fa5ae0eea4cf60f80
SHA256

217f30afacca7e8cef595b0fd55a67a68649202177088c2ccfca557ad12d81c2
SHA512

ccc640d9e7fa97185208ffd22945cb5c8b59263b616f08b2e62886a6969303f289f0e7ed72766fcfdb04ffaea6c7c2463cc0a722323ecc8c5d911e8979fea0f8
SSDEEP

3072:O60vNC5EbnmlMJ36oo/PxMeEvPOdgujv6NLPfFFrKP9:OxgWmla6T/JML3OdgawrFZKP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe

Executes dropped EXE 15 IoCs

pid	Process
4316	Mjjmog32.exe
4216	Mdpalp32.exe
4212	Njljefql.exe
4552	Nacbfdao.exe
4640	Ngpjnkpf.exe
4484	Njogjfoj.exe
448	Nnjbke32.exe
1304	Nddkgonp.exe
3440	Njacpf32.exe
2036	Nbhkac32.exe
944	Ngedij32.exe
1948	Nkqpjidj.exe
2872	Nnolfdcn.exe
3496	Nbkhfc32.exe
4596	Nkcmohbg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1748	4596	WerFault.exe	98

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4316	552	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe	82
PID 552 wrote to memory of 4316	552	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe	82
PID 552 wrote to memory of 4316	552	3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe	82
PID 4316 wrote to memory of 4216	4316	Mjjmog32.exe	83
PID 4316 wrote to memory of 4216	4316	Mjjmog32.exe	83
PID 4316 wrote to memory of 4216	4316	Mjjmog32.exe	83
PID 4216 wrote to memory of 4212	4216	Mdpalp32.exe	84
PID 4216 wrote to memory of 4212	4216	Mdpalp32.exe	84
PID 4216 wrote to memory of 4212	4216	Mdpalp32.exe	84
PID 4212 wrote to memory of 4552	4212	Njljefql.exe	85
PID 4212 wrote to memory of 4552	4212	Njljefql.exe	85
PID 4212 wrote to memory of 4552	4212	Njljefql.exe	85
PID 4552 wrote to memory of 4640	4552	Nacbfdao.exe	86
PID 4552 wrote to memory of 4640	4552	Nacbfdao.exe	86
PID 4552 wrote to memory of 4640	4552	Nacbfdao.exe	86
PID 4640 wrote to memory of 4484	4640	Ngpjnkpf.exe	87
PID 4640 wrote to memory of 4484	4640	Ngpjnkpf.exe	87
PID 4640 wrote to memory of 4484	4640	Ngpjnkpf.exe	87
PID 4484 wrote to memory of 448	4484	Njogjfoj.exe	88
PID 4484 wrote to memory of 448	4484	Njogjfoj.exe	88
PID 4484 wrote to memory of 448	4484	Njogjfoj.exe	88
PID 448 wrote to memory of 1304	448	Nnjbke32.exe	89
PID 448 wrote to memory of 1304	448	Nnjbke32.exe	89
PID 448 wrote to memory of 1304	448	Nnjbke32.exe	89
PID 1304 wrote to memory of 3440	1304	Nddkgonp.exe	91
PID 1304 wrote to memory of 3440	1304	Nddkgonp.exe	91
PID 1304 wrote to memory of 3440	1304	Nddkgonp.exe	91
PID 3440 wrote to memory of 2036	3440	Njacpf32.exe	92
PID 3440 wrote to memory of 2036	3440	Njacpf32.exe	92
PID 3440 wrote to memory of 2036	3440	Njacpf32.exe	92
PID 2036 wrote to memory of 944	2036	Nbhkac32.exe	94
PID 2036 wrote to memory of 944	2036	Nbhkac32.exe	94
PID 2036 wrote to memory of 944	2036	Nbhkac32.exe	94
PID 944 wrote to memory of 1948	944	Ngedij32.exe	95
PID 944 wrote to memory of 1948	944	Ngedij32.exe	95
PID 944 wrote to memory of 1948	944	Ngedij32.exe	95
PID 1948 wrote to memory of 2872	1948	Nkqpjidj.exe	96
PID 1948 wrote to memory of 2872	1948	Nkqpjidj.exe	96
PID 1948 wrote to memory of 2872	1948	Nkqpjidj.exe	96
PID 2872 wrote to memory of 3496	2872	Nnolfdcn.exe	97
PID 2872 wrote to memory of 3496	2872	Nnolfdcn.exe	97
PID 2872 wrote to memory of 3496	2872	Nnolfdcn.exe	97
PID 3496 wrote to memory of 4596	3496	Nbkhfc32.exe	98
PID 3496 wrote to memory of 4596	3496	Nbkhfc32.exe	98
PID 3496 wrote to memory of 4596	3496	Nbkhfc32.exe	98

C:\Users\Admin\AppData\Local\Temp\3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3b61ef24242dbf57f77bca78a1e54a10_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\Mjjmog32.exe
  C:\Windows\system32\Mjjmog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\SysWOW64\Mdpalp32.exe
    C:\Windows\system32\Mdpalp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\SysWOW64\Njljefql.exe
      C:\Windows\system32\Njljefql.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        16⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 412
        17⤵
        Program crash
        
        PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 4596
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
128KB

MD5
f58f38ff01e0e54566891e89f1ae8920

SHA1
52c720afacd22b40f0a58e1e45a4a362e81a0750

SHA256
553c7ef5b975222c41118d43365322d0725dda64dcd17071f192970d884db5b6

SHA512
914d0af2d82a9be0fe923b3a0fcf8ff2156d2b33c1dea4d5c724201f726963962a50e7d5effa5b32d2f6668080c4435bd80bef29945d58586d3ac8b57baf5b50

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
128KB

MD5
3bcdaf531e83045696d1e1c8f97956e7

SHA1
4a40c020429abef164ec7f660c5e2d916d1be1ab

SHA256
f5d37294530a2a0ddfa96da04c870329f3a48edafbddedd8a048864b64423eed

SHA512
db4c614784ec378fa8ded7a30da12807c47312feda137798369d100f78101c8b0bf36bb1f9218c11076a2927b014b5fcefbf5552a74431d3bfa589db0d8c88a1

Download Submit
C:\Windows\SysWOW64\Mlhblb32.dll

Filesize
7KB

MD5
909cdd381dc740d608b74fee3e192ad5

SHA1
08baed9fa198f7f951fdf965eab6430e45ba9f4e

SHA256
8d2dd6e4e2b1959afc271ac684f605207bfc0caa6e9a0cc0e29c363ba78349ed

SHA512
c992a19aa0ec6517cbf866bc55646339ce3cccba7925d9cd050ddd9ffc74d7adb47e0fb0e8972b19adb33c8b0e82837b92d0e0040b67b308643128e085eaa304

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
128KB

MD5
e334cf055adaed5469590b304845cb85

SHA1
89c22b24dc8d41c408dfd8f28562e2cbac4a077b

SHA256
f90db773d5543360bba8ba8b84c3e4368017b15f4fef1f405093941ab0f1690f

SHA512
2f14369dcb2a9d52e140d801da4f07664cbe8ccb0cc22b7e13adf270590bd227f85575db4b89af1cbd1cdf7911c83dce1627eaaca8551229af34469b3a516a2c

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
128KB

MD5
1e51e36850f2b5d549954293936a7fe5

SHA1
d49a6f631e4cd63cc8fa43923ba1b22b6c12b022

SHA256
70d1e788b6de6c710ed56b06bdb151ef4ec0a7c5a1675547e42329caf5f6e1c1

SHA512
20f836f2e427f44de38112c617ee1c3ba07bb01d726822be0c47e17cff57e26126540b043001e3273ef3cdce54b2df01d53b8aa3b5d4828a56153adac1354b4e

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
128KB

MD5
b1ac272eaa064e533d473d2e21572953

SHA1
40d449b6d9994338dd795a7356dfbd18d1833189

SHA256
766c409941db0470d2462d902df03d37e26fdc86cc67fa57b768f26564b89397

SHA512
e7ab9ff346139313795fa4f87333a3e1c49857c2efdc453a1823a4474b6586102c49ea864c30f2bc8c34401da1e5858ed6aa865f42425d3da096af9771f5789c

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
128KB

MD5
50e1db306a6717ed008e306dc81114b3

SHA1
efb2f6ed2d63d32fb7f2f19a647aeb1b5370b4e9

SHA256
8ba79afbac9cc06703eccf68a04c553963dcee65f93fdf89d752fbd16dc7bafb

SHA512
2ead1d73d698493c34f5ff2811137090fa63ccb2227567ad1a76e56810f6a615062f63e9d414f8d30ae4f81a05066be110acf38bf784b4b0316da2395c8024b9

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
128KB

MD5
d47544c784b175ad1048b0b0bf0082f5

SHA1
ff4379a0a9e5aa05025d9806369ee8dad42d0d8e

SHA256
6c333d34f66f4e2043d688c46ac20f788c49bc7782a83d7f619811ef0de48dd2

SHA512
dcf644a753c9abdc3973b04e5583cc6c39939e596f85634e12e9340d18f6008a5473c822d662dc3a59c8e44eda3b9c15f548202ed66f0e979b27d0b8754312bc

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
128KB

MD5
0c2d059bf9c77390bd8dc9a6fcedc155

SHA1
02897acf78ad1a8f59b22d687d4d6694ebc0efe7

SHA256
9fda6e62168f2b680fc09d09ab4a5729267c9bc05850a7260f0d99da600c86e0

SHA512
271a4e116448ccd704711be90620e8c1f1b944a5a92b677d218b94252335cfde4248725e809403562a2e9f8fc48bfa11e8229dfb4c7eb66cbfb2b5b0fab46bab

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
128KB

MD5
8d7c6568a5c494e68fd3f870cfb879d2

SHA1
466bbdd355e16eea38d0222019e3844f5e6e5710

SHA256
69b4279fd7a7ca9f221c0b14c79c97801e4de0679c90be753f6b7f4ce252d8ac

SHA512
be9e5e59e31d3ed4077717084185cc89943cee6f157b3ee81372d4341d69c40f7fe0126673559c0ee7cd4078947859a7c08693d029cd50ac6d2c1f72cdd95070

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
128KB

MD5
fadd1d4e431c7720dfea018a52ea4acb

SHA1
72c0fd2e824d739cf8202fa7edd4a0f4ee4e598f

SHA256
ddbe6c976d8256f1bfc2f4a9f8bb899ad2408f7626c917f8a31fec407a229256

SHA512
df5cdcf28d7b7c0768defece4250af4cb9acd59c4c57a25056e69327356d7e6d2ae15f9cc8593c0b309b3c9d73e8d61f1f7dc32ff4c95fc2be748baf57639f16

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
128KB

MD5
79b324a5945fc7587543bdbaf1a5babb

SHA1
58f6c65bbe3c8029b0c58dd7995d71744281e42a

SHA256
7a44695c5d375837035cb7f0afabcc46c51ce9e0b297c5dd382f224dbe5c3d10

SHA512
8f968979914961dece7169f8d6a344f89f10cbbb59424c6315f00c1a74f4a2bb4e35cb73c0a259d344ae4fb98cc67e7bfbaf54ff6c7ea3022b1acbfe2eba3a19

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
128KB

MD5
2c49346a6029fba77309a8201ec59b66

SHA1
4ceecae722cb31512e7160488a3a3b7c32d67270

SHA256
ac39fc7e4cce56452dc46113a508cc18db2a4a9b40fdf9453034aceeaf1681fd

SHA512
d6a88063cb1fb74e827f49d67edb2d61301004b91315873463cb00d650146a25a3a91a612ff49a7bf69e4e0125c1177b15ff6f91555255be0f47cf94cb829ea5

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
128KB

MD5
83c0b62658b6809fd43bc8e6a2718a1a

SHA1
12f6e7e4bb1f434aa850af9303a3ad81bdd2ed8a

SHA256
f5f1771badc6d37ad4e532d81e17db98c8d3929a22e70a68c76ebddf815a4557

SHA512
e8cece4458c0fe9a5d365284505e69f4cd73b0926f87e6922d863db54b8fa5f99973f788a91ee0398ae0f81b53efa9a71719d6f74e2d4b5e0c4e36ff453139bb

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
128KB

MD5
6a6cc65d9ab87d288229ce737a76d4b4

SHA1
e8c4e63700df18bcf752f2edfe92766baa0031e5

SHA256
6eed4b5aff9dfcc3279864915784559c513a3b329ba800991d7f57bce2e8e17d

SHA512
cefb636e9fe1b9769f0e60976649b08d327eda13ed3932e5d6a541642804110d10ffc8d9bc05af42eba155d67752c8fabd2c6399aed4fab6a4c6a5e3a2908b4c

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
128KB

MD5
bbafdcedc4a11e79e71f91bc487f31bd

SHA1
4f026e92ddd0e47932ba1c42e34b8099d325384c

SHA256
137959fc83d5a821a09f306daffc8894a15dc01e5825acb39e9226de92e52d9f

SHA512
ccb2bfb3a5d03cf990a8adeb9103a56f61cad9dcfe155ba2564a7a7b35b774e7086bc015bb187dc0e05977fa19fd341d0148292849fd02c5b8531572a0d11d18

Download Submit
memory/448-130-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/448-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/552-84-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/552-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/944-94-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1304-63-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1304-129-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1948-101-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1948-127-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2036-85-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2872-112-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3440-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3440-128-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3496-124-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4212-23-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4212-111-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4216-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4216-100-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4316-8-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4316-93-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4484-52-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4552-123-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4552-32-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4596-125-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4596-126-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4640-39-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4640-131-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads