5fc74f6026b97aeea92a386ec2287c8917de93c59c139f86cab80d94539a48a8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 19:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
Size

92KB
MD5

52d59f146ebd89068be25dafb8c9e810
SHA1

1744a91b65dfc8949f54db047014b55a41b3a911
SHA256

5fc74f6026b97aeea92a386ec2287c8917de93c59c139f86cab80d94539a48a8
SHA512

b474272106d581db4b6ac24007c09aa4c8ebc8783a402b6cd7c097a3ec7c9d146fa33586e10178efa9dfb788ab58356cfee67a08c7e1e88ebe55f481a7af895e
SSDEEP

1536:s3L5zvES9STGdfBlJGepSv/0ksK0Zlz/PCYYoOK0nKQrUoR24HsUs:sblh9C0R5pU8nCYfZ6THsR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe

Executes dropped EXE 12 IoCs

pid	Process
2940	Mdpalp32.exe
4920	Nkjjij32.exe
4460	Nqfbaq32.exe
3124	Ngpjnkpf.exe
2132	Nnjbke32.exe
4112	Nddkgonp.exe
2548	Njacpf32.exe
3900	Ndghmo32.exe
1332	Nkqpjidj.exe
1784	Nnolfdcn.exe
4168	Ndidbn32.exe
1432	Nkcmohbg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4924	1432	WerFault.exe	91

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2940	4816	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe	80
PID 4816 wrote to memory of 2940	4816	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe	80
PID 4816 wrote to memory of 2940	4816	52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe	80
PID 2940 wrote to memory of 4920	2940	Mdpalp32.exe	81
PID 2940 wrote to memory of 4920	2940	Mdpalp32.exe	81
PID 2940 wrote to memory of 4920	2940	Mdpalp32.exe	81
PID 4920 wrote to memory of 4460	4920	Nkjjij32.exe	82
PID 4920 wrote to memory of 4460	4920	Nkjjij32.exe	82
PID 4920 wrote to memory of 4460	4920	Nkjjij32.exe	82
PID 4460 wrote to memory of 3124	4460	Nqfbaq32.exe	83
PID 4460 wrote to memory of 3124	4460	Nqfbaq32.exe	83
PID 4460 wrote to memory of 3124	4460	Nqfbaq32.exe	83
PID 3124 wrote to memory of 2132	3124	Ngpjnkpf.exe	84
PID 3124 wrote to memory of 2132	3124	Ngpjnkpf.exe	84
PID 3124 wrote to memory of 2132	3124	Ngpjnkpf.exe	84
PID 2132 wrote to memory of 4112	2132	Nnjbke32.exe	85
PID 2132 wrote to memory of 4112	2132	Nnjbke32.exe	85
PID 2132 wrote to memory of 4112	2132	Nnjbke32.exe	85
PID 4112 wrote to memory of 2548	4112	Nddkgonp.exe	86
PID 4112 wrote to memory of 2548	4112	Nddkgonp.exe	86
PID 4112 wrote to memory of 2548	4112	Nddkgonp.exe	86
PID 2548 wrote to memory of 3900	2548	Njacpf32.exe	87
PID 2548 wrote to memory of 3900	2548	Njacpf32.exe	87
PID 2548 wrote to memory of 3900	2548	Njacpf32.exe	87
PID 3900 wrote to memory of 1332	3900	Ndghmo32.exe	88
PID 3900 wrote to memory of 1332	3900	Ndghmo32.exe	88
PID 3900 wrote to memory of 1332	3900	Ndghmo32.exe	88
PID 1332 wrote to memory of 1784	1332	Nkqpjidj.exe	89
PID 1332 wrote to memory of 1784	1332	Nkqpjidj.exe	89
PID 1332 wrote to memory of 1784	1332	Nkqpjidj.exe	89
PID 1784 wrote to memory of 4168	1784	Nnolfdcn.exe	90
PID 1784 wrote to memory of 4168	1784	Nnolfdcn.exe	90
PID 1784 wrote to memory of 4168	1784	Nnolfdcn.exe	90
PID 4168 wrote to memory of 1432	4168	Ndidbn32.exe	91
PID 4168 wrote to memory of 1432	4168	Ndidbn32.exe	91
PID 4168 wrote to memory of 1432	4168	Ndidbn32.exe	91

C:\Users\Admin\AppData\Local\Temp\52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\52d59f146ebd89068be25dafb8c9e810_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\Mdpalp32.exe
  C:\Windows\system32\Mdpalp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\Nkjjij32.exe
    C:\Windows\system32\Nkjjij32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\Nqfbaq32.exe
      C:\Windows\system32\Nqfbaq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
      - C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        13⤵
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 216
        14⤵
        Program crash
        
        PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1432 -ip 1432
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kmalco32.dll

Filesize
7KB

MD5
ecf9e925b6f6599d60eb1fd27b6c0a04

SHA1
0ec2218689d8277ede6a2a5d9bfd7f02ce3c2a2f

SHA256
7dbe6dfb50f0bb60ab415bacae544ac81a4e14c67ce4c6e9cf9a7becdb9f87c8

SHA512
5af8e1d429a7cfd7f6d14f8be500d6a3d70df4f6aecb58dcec48909106c18b1866974b14897300e884c5c959a5f78b9045896adc7aa74b2dd8fc541ad95d7d31

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
92KB

MD5
3fb1c924cbffbc44898f5091dbe2452e

SHA1
3c5f775f2910485b18a614767b5832a09a7c896f

SHA256
f99fd0094bbe2525fa90a78a78101bad960d2ce4a1328efed9e75938a2fe221d

SHA512
1a020f6e327ef2b7112d82f8c667bc32dac26830d6509bc72920aa36afc5f936422b8709212b705f0cb5902f2fa297801a8f17e4217161347a56947ff691830e

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
92KB

MD5
28a1cbaaab83b33ae9b16c6bb0a93c11

SHA1
396ebaecb0012f04169aae5e6fe4042e12087bb0

SHA256
91a3ae50199d335d81f4a9df683d5205b9509448eca63a82303e37f72d90e779

SHA512
29a30412c364a617cbe0fda8e98b4de5e87deb9cacbb686299f8fd03f5cd0cabe992eeafdf53768f6c3b7a0944e4f9ef88d7e9dc43e380f7a8f0d05e4884d938

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
92KB

MD5
ae061acbb5ce87a2dcc04b69e66ca6ba

SHA1
2d486e38528345ed39c310a12c109d802c405fcd

SHA256
f4f772ea40f619feab2bf3f9372cd79ecad2b48bd7200537761e7a23ba3415a8

SHA512
a875753e20b06c4213c2a023fcfb26473c20cd7174315eb9c862d362c08d6ef40a184c0a2c3f9f7d7ebbbd6ead7290bd026969ffcc161858dcfd1e20aa06ccbf

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
92KB

MD5
e21c198ac452c387cfbd53c02258f4ab

SHA1
b41ee0edf2a7882b1ae4f4b98b455c410bbeb1fb

SHA256
bb4cf0d7973d7ea5a2985c7a84489004e8576015e171f5cf11a7ce5e347f6ff8

SHA512
fb9f0e624b8e7b2d5b8e5806104f123bb3c7177e78e24f8e8f88336029757750fd3fc4f66cd252b751fde7a554600e8ed29788676ca4f2ba36576b3e2aadc7fc

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
92KB

MD5
96b61d5bb1396cdd2efc7ad2d663fbdb

SHA1
fc647a8929ec25215a54ad455b45043b73197fbb

SHA256
c438733e662a100c12b2ab9c6d6e6168b772d1e68c5dc150f3cf7e85813aa228

SHA512
f77f671a3e9505498ce53fd0d559703dcf5cfde2a58e758991d0bca8ce58ef0a52ec4d06016e88fd825ba18c9b75b45a70ee50c1336b3f70686d3c08d8613a9a

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
92KB

MD5
cf9fa3bbbed2bc6f080408785e54ed43

SHA1
3f0fa3033897682c046eaae77ba5dcf2f72f1e8e

SHA256
56868f4f68aafa456a41292ffe5de568c434d4dca14b38fb007d4c90c4260fff

SHA512
988dda0614d9d9692d15c7b9cc66a6cdb48753e0c54b3141b8eb4e375cc0df4b8763e542d3e39f4a074ab606c8395431e93ea7581f7d9fec8bcabb7a2873425f

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
92KB

MD5
eac8ac0f0867c8d0e78bd38a34023b29

SHA1
7059068b2286394384653cd41e807298524385ee

SHA256
3f0488d61020ca59e0e0bafc0d12c4ae149b0704e59081d76fcbb28b1eff4994

SHA512
8961aeb2449805a823cf8e6a3ca4286c218b71b2275c5c64a0dab156de4563679118acda5e91424386793a1bf7ccf1e9dab0a5afedb649c1868ca11bdd6c1a8f

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
92KB

MD5
f44547a33fa6386e598ef5ec26ef908b

SHA1
312374cc9ab0c551750d8ce1b5eaebecd8ce9a76

SHA256
80fbcca521b78a372bd18a9b90fa641a309de7d8e047ec394ba3cb49b2e90773

SHA512
15ef59be8a75861bda5b40bc67df4bfd2b4f22dc9c8174c8532fa4d3628022b8b3c0feb7a89796e6c3436b230bc07393090239cf2f99c76aadb59a434bbe80c5

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
92KB

MD5
0f3662feb46435d6a3c3e865209e0da2

SHA1
820c5dee04f8442d9592beb90d4195cba1b49aaa

SHA256
42852179bc5cfe2c622bdcc31baf2c5e215bb5b8ad553a14ebf91648b6b740af

SHA512
4ec6b96496905e8cbccbc90d4938768d6d7da45652c730d67dd3f35fd9049b100fdd688028c0f4018c72222cad864dbe61ec7c50a898ac79e8ce8cef8443e03a

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
92KB

MD5
a22f8a6da821578f70536ad0050f18ed

SHA1
4de51cd81955c23f4dfda848296df3019b906188

SHA256
24b2d46288889c44fe98cd553c6065b373878bddc63e2aeec1edcbc554eb5fc9

SHA512
195705f4772c94ed2caaa85894ee5a66d51fd300f6f31c1dba2a1f39cff5f139e6b6d2ddc3d416ed45b6acaf69cdf6d65bc0980f140fbd9e52aaec9867b3d6b2

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
92KB

MD5
a1360af7cfb7a17b9f1b6bdec7ddbde2

SHA1
16bac958224fc44495949e0a974a426942d1cdd8

SHA256
6d421f36689dd76b200b582a473f6099d69719797af9c4f29f942a23ef8794d5

SHA512
1ce428f44cabc5c41270e16de2b3d2b05c974196c3e5e58165d972c99be9fccead2713da0d71f1ba219c663db87f5e131d9add92c6e681a8e61dcc33328f4d48

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
92KB

MD5
650cea50a8cf12cfceb60fe6af6618f9

SHA1
214a7a3510c6928ffdda963d25f1f7329f20d222

SHA256
65d4a6546b0add1c9583a47b587d2ee9ec69a7fc3a6ccdeb75aef6e55aa4614a

SHA512
588e312734fc267f47a10f9a82d73088b1e38e4fd6e819c6cae1b4425cd4083018888e511f2221907329e7d76625cdcb97c84801ffb3ec52c82018532f04909b

Download Submit
memory/1332-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1432-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1432-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1784-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2132-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2132-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-102-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2940-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2940-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3124-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3124-105-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3900-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3900-101-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4112-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4112-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4168-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4168-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-109-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4920-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4920-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads