8c7b454b77391ce6e6bdf5140a51e43ed6d6fe13298a665efa94ef77bc5b7886

Analysis

max time kernel
141s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
Size

448KB
MD5

920b945776a7b4c0df5b9709da101560
SHA1

cd02f075776fd21d77024ef5fd9f8c7ba788d097
SHA256

8c7b454b77391ce6e6bdf5140a51e43ed6d6fe13298a665efa94ef77bc5b7886
SHA512

303cba19bef4ea53cc5457bb60e4cee25c96a5b82a129e989ee01d53543111f9aa1f4305ed06d727356f7ba0142ee192ae89a54223962a69d0a3013fd705381f
SSDEEP

6144:5Zqp8OpenJmJT+zxiLUmKyIxLDXXoq9FJZCUmKyIxL:5EpfpeYTm832XXf9Do3

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfoann32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oabhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe

Executes dropped EXE 15 IoCs

pid	Process
4004	Oanokhdb.exe
1548	Oabhfg32.exe
2168	Pfoann32.exe
1280	Pdenmbkk.exe
696	Pffgom32.exe
884	Ppolhcnm.exe
1360	Qacameaj.exe
1160	Afbgkl32.exe
404	Amcehdod.exe
1656	Bphgeo32.exe
1468	Ckbemgcp.exe
4084	Caageq32.exe
2420	Chnlgjlb.exe
3284	Dahmfpap.exe
4596	Dkqaoe32.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oanokhdb.exe	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Oabhfg32.exe	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Amcehdod.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Gjecbd32.dll	Amcehdod.exe
File created	C:\Windows\SysWOW64\Ibmlia32.dll	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dahmfpap.exe
File opened for modification	C:\Windows\SysWOW64\Oanokhdb.exe	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pfoann32.exe	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Giidol32.dll	Pfoann32.exe
File created	C:\Windows\SysWOW64\Occmjg32.dll	Pffgom32.exe
File opened for modification	C:\Windows\SysWOW64\Qacameaj.exe	Ppolhcnm.exe
File opened for modification	C:\Windows\SysWOW64\Amcehdod.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Kpibgp32.dll	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Pdenmbkk.exe	Pfoann32.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Qacameaj.exe	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Chnlgjlb.exe	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Afbgkl32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Eignjamf.dll	Qacameaj.exe
File created	C:\Windows\SysWOW64\Ekiapmnp.dll	Caageq32.exe
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Chnlgjlb.exe
File opened for modification	C:\Windows\SysWOW64\Pfoann32.exe	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Ekaacddn.dll	Oabhfg32.exe
File created	C:\Windows\SysWOW64\Pffgom32.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Ppolhcnm.exe	Pffgom32.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Ckbemgcp.exe
File opened for modification	C:\Windows\SysWOW64\Chnlgjlb.exe	Caageq32.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Chnlgjlb.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Oabhfg32.exe	Oanokhdb.exe
File opened for modification	C:\Windows\SysWOW64\Ppolhcnm.exe	Pffgom32.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Ppolhcnm.exe
File created	C:\Windows\SysWOW64\Afbgkl32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Ckbemgcp.exe	Bphgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbemgcp.exe	Bphgeo32.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Cnffoibg.dll	Oanokhdb.exe
File created	C:\Windows\SysWOW64\Pdenmbkk.exe	Pfoann32.exe
File created	C:\Windows\SysWOW64\Bphgeo32.exe	Amcehdod.exe
File created	C:\Windows\SysWOW64\Iohmnmmb.dll	Afbgkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bphgeo32.exe	Amcehdod.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
392	4596	WerFault.exe	105

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignjamf.dll"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekaacddn.dll"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oabhfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pffgom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll"	Ppolhcnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnffoibg.dll"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdenmbkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qacameaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll"	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpibgp32.dll"	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Occmjg32.dll"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdibc32.dll"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmlia32.dll"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjehnm32.dll"	Pdenmbkk.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4004	3400	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe	91
PID 3400 wrote to memory of 4004	3400	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe	91
PID 3400 wrote to memory of 4004	3400	920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe	91
PID 4004 wrote to memory of 1548	4004	Oanokhdb.exe	92
PID 4004 wrote to memory of 1548	4004	Oanokhdb.exe	92
PID 4004 wrote to memory of 1548	4004	Oanokhdb.exe	92
PID 1548 wrote to memory of 2168	1548	Oabhfg32.exe	93
PID 1548 wrote to memory of 2168	1548	Oabhfg32.exe	93
PID 1548 wrote to memory of 2168	1548	Oabhfg32.exe	93
PID 2168 wrote to memory of 1280	2168	Pfoann32.exe	94
PID 2168 wrote to memory of 1280	2168	Pfoann32.exe	94
PID 2168 wrote to memory of 1280	2168	Pfoann32.exe	94
PID 1280 wrote to memory of 696	1280	Pdenmbkk.exe	95
PID 1280 wrote to memory of 696	1280	Pdenmbkk.exe	95
PID 1280 wrote to memory of 696	1280	Pdenmbkk.exe	95
PID 696 wrote to memory of 884	696	Pffgom32.exe	96
PID 696 wrote to memory of 884	696	Pffgom32.exe	96
PID 696 wrote to memory of 884	696	Pffgom32.exe	96
PID 884 wrote to memory of 1360	884	Ppolhcnm.exe	97
PID 884 wrote to memory of 1360	884	Ppolhcnm.exe	97
PID 884 wrote to memory of 1360	884	Ppolhcnm.exe	97
PID 1360 wrote to memory of 1160	1360	Qacameaj.exe	98
PID 1360 wrote to memory of 1160	1360	Qacameaj.exe	98
PID 1360 wrote to memory of 1160	1360	Qacameaj.exe	98
PID 1160 wrote to memory of 404	1160	Afbgkl32.exe	99
PID 1160 wrote to memory of 404	1160	Afbgkl32.exe	99
PID 1160 wrote to memory of 404	1160	Afbgkl32.exe	99
PID 404 wrote to memory of 1656	404	Amcehdod.exe	100
PID 404 wrote to memory of 1656	404	Amcehdod.exe	100
PID 404 wrote to memory of 1656	404	Amcehdod.exe	100
PID 1656 wrote to memory of 1468	1656	Bphgeo32.exe	101
PID 1656 wrote to memory of 1468	1656	Bphgeo32.exe	101
PID 1656 wrote to memory of 1468	1656	Bphgeo32.exe	101
PID 1468 wrote to memory of 4084	1468	Ckbemgcp.exe	102
PID 1468 wrote to memory of 4084	1468	Ckbemgcp.exe	102
PID 1468 wrote to memory of 4084	1468	Ckbemgcp.exe	102
PID 4084 wrote to memory of 2420	4084	Caageq32.exe	103
PID 4084 wrote to memory of 2420	4084	Caageq32.exe	103
PID 4084 wrote to memory of 2420	4084	Caageq32.exe	103
PID 2420 wrote to memory of 3284	2420	Chnlgjlb.exe	104
PID 2420 wrote to memory of 3284	2420	Chnlgjlb.exe	104
PID 2420 wrote to memory of 3284	2420	Chnlgjlb.exe	104
PID 3284 wrote to memory of 4596	3284	Dahmfpap.exe	105
PID 3284 wrote to memory of 4596	3284	Dahmfpap.exe	105
PID 3284 wrote to memory of 4596	3284	Dahmfpap.exe	105

C:\Users\Admin\AppData\Local\Temp\920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\920b945776a7b4c0df5b9709da101560_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\SysWOW64\Oanokhdb.exe
  C:\Windows\system32\Oanokhdb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\Oabhfg32.exe
    C:\Windows\system32\Oabhfg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\Pfoann32.exe
      C:\Windows\system32\Pfoann32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
      - C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        16⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 420
        17⤵
        Program crash
        
        PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4596 -ip 4596
1⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afbgkl32.exe

Filesize
448KB

MD5
17d74cce02507011c7888bba22f98e4c

SHA1
25ff907f5cd23020421c0b711686be8ae5a5e013

SHA256
21a2fdf160f54a2ab519ae8e0f5b01426a42988eec4437c97761f770fd8ebffa

SHA512
03322b797f18652d1f3c31de7ccd4425893641f67fc801326243347c04369044bfae93250fa86c507b728fe3768eb88ad1e1d45e123f61fc33a5b5b9706296c2

Download Submit
C:\Windows\SysWOW64\Amcehdod.exe

Filesize
448KB

MD5
0deb92cf3a41cbb56a1b086979616433

SHA1
237b4deac6f076afad4c298857e9020ed5dfd202

SHA256
13979398e83c143a0c99cf6c3adfdd8377a73e941dfb3ccd72f6a6db23f6d4f1

SHA512
df71a55193c8eb4d1fb001db11c3dc4363bf8a074462afa4374fc02c9bb65176275fe83afec9221e2756ab1ac8c49910557e8a2793f3fd1dabeda9ee77fc459e

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
448KB

MD5
54a9eb53236cdabe730aac51b14ff187

SHA1
f15f5a26544bbec762f938a9ed36294780be6f47

SHA256
550eb04a2fa0bfaf00a5349f3e74cc29ab85bd2efbd295108533302f096c0903

SHA512
148aa3163ad91be3d6acd042ce02b985ae838a552bbe8dee53d4be475ebd6b1543bb101481d4970bc78c07cbe521b00763848ce9b4f4917197fa6a21ce0d093e

Download Submit
C:\Windows\SysWOW64\Caageq32.exe

Filesize
448KB

MD5
1c576896e2593da5c9649440e89dd0fe

SHA1
3d7dcec1df953de79e8cf8bf218279f838441389

SHA256
3aec634328e9a0ba952555effc96c6f8c0802240563cd5536ae673964f188112

SHA512
047714c9af2ff786a19a2888c99a467cab0010def2af97313240c667a876c181fd1a2257c9efc82c96ba9840717c7285ceb009f47e35c88359a12d26a387ac00

Download Submit
C:\Windows\SysWOW64\Chnlgjlb.exe

Filesize
448KB

MD5
6b8f475ff0832422bc9deb29831244db

SHA1
a6ed963183fc7935caad33f6904fe2936581f45f

SHA256
0d165f27d6d0d5025632ce411ae8b548a66a433bc3fe6255d5dad84aff38826e

SHA512
fd150177c3ebf10830f2d33a8f09452231a8d2532469b2dd36f711bdcba5ce393c05e3c5884b61d500b68c2a51aefd2d1c4b301674e1a079ee7759f3f6109875

Download Submit
C:\Windows\SysWOW64\Ckbemgcp.exe

Filesize
448KB

MD5
3e2b565a516e560a1e7b28629d66f5b5

SHA1
a846b8bd5be527dbb70cf54522e6c4d5568bbf30

SHA256
35194d0aa81b19e20bbcd0bbf327b315725d648b2fe4360af5ea75eea8b81bd1

SHA512
5f2efcc8b2bd4429fb7dbaaa6210c1cc849548039ea5164158d9bf8d1db46f0ef36f314ef5bd584419f18fce298f39fd21d04cf3803f93f7614cb7bc4463420d

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
448KB

MD5
1ee2fc6fb5be80ffa6c50871d71aa2e2

SHA1
cc786d32fadcd378af56b4f981dab37580c1a7bb

SHA256
60f135c2470f261fe239dca1b95e8c2d8bb6796caeab4b671cd4a7c0c49618ae

SHA512
0f606ee950643b542d9432f0e887de2239978bf5394debfa823c6e64a682b750947760d578ea44857ddfb0f682bb50b596c192773ff31fe6622bb8ce4556a787

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
448KB

MD5
53e4f902cd5d70860a2fca8a8bcf3d43

SHA1
01b03555da73312146699f52327aa3d53d56eb95

SHA256
5c99bcc69db13641664187de9ff3e3b6fc3313848ca66068f44f685bf3be2fe1

SHA512
320bd5731dd0b54258d0c06f67527055be36934246a0ad36b5d18fc272cc166d68c81cb046507f3208c0ca9359c2c636851acff032da5ab063f55dac4e066aca

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
448KB

MD5
a4493b252ea894cf0f7c09927b862b05

SHA1
034c8e92f1f2353f97df5fc693c55e447745ebe2

SHA256
9f97a6f18282a432da5dcde953a13788290d2f6ea2e2f06ff2fbaa1a9becd882

SHA512
5cb615fa6a04abdeb5e1e6a3ec84a70a8d9552a6eb38b477e6c9e4ccc96067d7dda3cbb01336618ca073339ff0e6532959e98a8f0c40d0e58f9bbaab23954991

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
448KB

MD5
cfcae643dee67548b978a379876fc655

SHA1
b2167075c17f2b0b939969e8c3564aacf26e4f0b

SHA256
150d3a56e3f4c7a22baa98e326752df1ce1fe37c155a54cf7f738192f6baffdc

SHA512
c09b15376feca3af1049af8438e6f0f3a8a5e8ab48112bc2bcfdfb6a7685b06524de40931cdbe2d7c73d84db22303ad7f4eaa23c95ae008a51efe6df05182a4e

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
448KB

MD5
145333bef329fce2cfdc893da8a9e10c

SHA1
52eeaa09cedaebe957c551a4806556f9f15fc40b

SHA256
3634046ed7e77520984360556583eb72a6d0901219cdfab497c4a7dfd1809e37

SHA512
30fb3e249f407058e790786cc1132c103f3d6ab42e284924b28951b99992ebe4561c96a407af1a0a87f1ae6f36ba5f9a46c702403938a5dfef3fe14177fe1d76

Download Submit
C:\Windows\SysWOW64\Pffgom32.exe

Filesize
448KB

MD5
cfef1e54201ee06cb64aa0594665146c

SHA1
c0a32f0803acb1859e512b1a5fe52c9ff08eb256

SHA256
3bf56810d47f22c32ff0a7f516bf5d7a046f5341288143853be6097ce18e9a5d

SHA512
052343c838b95a9923e012b2acc5365e57f767604554a8c80b3423c64bdce63ea67a36b9d1e6ddb4960931acad7b24108c8fede054d2f605818a7d40edfa5cc7

Download Submit
C:\Windows\SysWOW64\Pfoann32.exe

Filesize
448KB

MD5
4d087841071d7ae173137065845534fc

SHA1
878f7137a847410ec308076b3d4fa1005c44cf18

SHA256
f4aa80221c20724055dca41e3f7aa695b65ddc63b52cbd1bd8c1a12feb04e614

SHA512
31fc9b91cae953c63f808aeab5f264bc48d3179ae4bc575e64930a1dbc9b4134d7e635ef500a99f659642f12d867e5d7f937f006ea6310d4d0b063af8efded1e

Download Submit
C:\Windows\SysWOW64\Pjehnm32.dll

Filesize
7KB

MD5
3c9a48f276eaaff67531c4a23d395b4d

SHA1
f6f68fe45c2cb458805e4f34f2394778a3a52627

SHA256
e2a03eba30bc061a2061c6934ca138b616aa4aedf6713e0c503660d189d64d9f

SHA512
0bddb68451e6c0894baea2e431af61ae934962b1ee8fae65b742062fb954f2e465b52f3374a36f080f380b0191d21b603fe24dcd60f72b80a5973e5e68051ad4

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
448KB

MD5
1e269104d374a7d641ba7564370f5e13

SHA1
2e9de8983814d7a97fb9a20aef492c22ea736453

SHA256
a8c8e8d58ab177e2370b4522d947ff55c83e2959a6edb7277f4fd5273e18fe35

SHA512
b918311852583d00e74d414cf95158e1aaf37a24a0919356fc46387cedebced3d7ef4a312b3b26f6d894b2f7ab3438ca01b63ffb6a1eab9af6af52b7834759c1

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
448KB

MD5
6a5d43eb4d468fb301e7b7a1756945ed

SHA1
ed57f9e9a10e1f66b41de6945c0f2036d31da2c1

SHA256
ed138048c7c190252e202571413114369ece78c585e9b78244e1d4d2d86787e9

SHA512
57bef666d358d8d97e3b3def382d4745b9ee746f530a4a7074972681f330e1c3c7b035f23a0344ac2b59812cda5fa6c368f98cbba025b994aef59ac1102136ac

Download Submit
memory/404-73-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/404-148-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/696-41-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/696-158-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/884-49-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/884-153-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1160-65-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1160-150-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1280-33-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1280-157-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1360-56-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1360-155-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1468-88-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1468-145-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1548-21-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1548-162-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1656-147-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1656-81-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2168-160-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2168-24-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2420-104-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2420-141-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3284-139-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3284-113-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3400-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3400-166-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4004-164-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4004-8-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4084-96-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4084-142-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4596-136-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4596-121-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads