20e4e5ae7a38c885bf33a4729fe4006e5bb89725e0860391a0d11f6e571563e2

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 16:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd5a4d63b02368481081d9e0a41a3070_NeikiAnalytics.dll
Size

761KB
MD5

cd5a4d63b02368481081d9e0a41a3070
SHA1

33bc63c4a1ca64dbec729eee892ca1870bdb1a1c
SHA256

20e4e5ae7a38c885bf33a4729fe4006e5bb89725e0860391a0d11f6e571563e2
SHA512

91fb4b95358742f417cc129c60302a5d9011d80aba489fda517e56e17c398183aa7f2a0f9d560faf9ed70dc54a28ba216dce100c3f4f41ae76eece1dbd4a0d61
SSDEEP

12288:WnXUdQg9Jk6Jz5zqmm8pxQkO1V0YWSEi2gKguYa6A1OEjZKPU7eYPanJqlTHw:WXU1I6Jz5zqmm8c17H6ma6A1OENB7uMH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1448	3ACF.tmp

Loads dropped DLL 2 IoCs

pid	Process
2488	regsvr32.exe
2488	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\audiodev.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\msorcl32.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\msvcrt20.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\InstallShield\setup.exe	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\msxbde40.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\d3d8.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\ivfsrc.ax	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\mfc40.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\msrd3x40.dll	3ACF.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\amdpcom32.dll	3ACF.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atidxx32.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\d3dim.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\dplaysvr.exe	3ACF.tmp
File created	C:\Windows\SysWOW64\dplayx.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\FXSXP32.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\ir41_32.ax	3ACF.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdva.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\atl110.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\MSCOMCTL.OCX	3ACF.tmp
File created	C:\Windows\SysWOW64\dpwsockx.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\msexch40.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\msltus40.dll	3ACF.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igd10umd32.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\sqlunirl.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\mfc120.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\mswdat10.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\rdvgumd32.dll	3ACF.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdumd32.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\msrd2x40.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\msvbvm60.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	3ACF.tmp
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\MediaPlayer-DLMigPlugin.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\explorer.exe	3ACF.tmp
File created	C:\Windows\SysWOW64\iac25_32.ax	3ACF.tmp
File created	C:\Windows\SysWOW64\msjet40.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\msjtes40.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\msrepl40.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\regedit.exe	3ACF.tmp
File created	C:\Windows\SysWOW64\ir50_32.dll	3ACF.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvd3dum.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\d3dxof.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\msjter40.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\mswstr10.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\odbcjt32.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\setupSNK.exe	3ACF.tmp
File created	C:\Windows\SysWOW64\d3dim700.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\mstext40.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\VBAME.DLL	3ACF.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\atiumdag.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\atl100.dll	3ACF.tmp
File created	C:\Windows\SysWOW64\crtdll.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\FM20.DLL	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	3ACF.tmp
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	3ACF.tmp
File created	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\nvwgf2um.dll	3ACF.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EMSMDB32.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7tkjp.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONWordAddin.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7ES.DLL	3ACF.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	3ACF.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPWEC.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCDDS.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIMG.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\VBE7.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OFFOWC.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\PAB.SAM	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	3ACF.tmp
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEMANAGED.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\EScript.api	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSAutogen.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLCTL.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7tk.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONFILTER.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLVBS.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCNPST64.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SSGEN.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\WTSP61MS.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7Data0011.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RTFHTML.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RICHED20.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MIMEDIR.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PTXT9.DLL	3ACF.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CDLMSO.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STSLIST.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	3ACF.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OISGRAPH.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLMAIL.FAE	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEOLEDB.DLL	3ACF.tmp
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\EPSIMP32.FLT	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXEV.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\USP10.DLL	3ACF.tmp
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\TRANSMGR.DLL	3ACF.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_6.1.7601.17514_none_8375605f8afb0c19\wmlaunch.exe	3ACF.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-riched32_31bf3856ad364e35_6.1.7601.17514_none_9f081dc1e0ddbddb_riched20.dll_fb578f95	3ACF.tmp
File created	C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.iertutil.dll.01daa15371ba6f20.000b	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7601.17514_none_1beb53526fc80c8d\iexplore.exe	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_e460d9f113bbd54e\webcheck.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-metabase_31bf3856ad364e35_6.1.7601.17514_none_a1aca7966cf36de2\metadata.dll	3ACF.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_6632670482fa3493_netlogon.dll_90e0458e	3ACF.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-international-core_31bf3856ad364e35_6.1.7601.17514_none_ebb1ce7438031941_muiunattend.exe_1e11bb40	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.7601.17514_none_b296f701dc00c582\ieUnatt.exe	3ACF.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-uiribbon_31bf3856ad364e35_6.1.7601.17514_none_db578bdb5e3559c6_uiribbon.dll_8a707982	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-cdosys_31bf3856ad364e35_6.1.7601.17514_none_86c0afe17064a99d\cdosys.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-explorerframe_31bf3856ad364e35_6.1.7601.17514_none_2af7b924bed13316\ExplorerFrame.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-n..ergrouppolicysnapin_31bf3856ad364e35_6.1.7600.16385_none_663f547de34cf7e5\nlmgp.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-msxml60_31bf3856ad364e35_6.1.7601.17514_none_f0e8ac03e1d6bb5b\msxml6.dll	3ACF.tmp
File created	C:\Windows\winsxs\amd64_atiilhag.inf_31bf3856ad364e35_6.1.7601.17514_none_03c46b205be81dfd\atiumdag.dll	3ACF.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6_hhsetup.dll_37c1de59	3ACF.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_6.1.7601.17514_none_257ada4f467a7f64_oleaut32.dll_730e3d41	3ACF.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad_cntrtextmig.dll_08675f2d	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-aspbinaries_31bf3856ad364e35_6.1.7601.17514_none_f4fefe08b2751469\browscap.dll	3ACF.tmp
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..ssionstaticbinaries_31bf3856ad364e35_6.1.7601.17514_none_c035b00b76d54e4f\compstat.dll	3ACF.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpfgfx_v0400.dll	3ACF.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.1.7601.17514_none_e54fbb95e4c3d1bb_advapi32.dll_9512793c	3ACF.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-shlwapi_31bf3856ad364e35_6.1.7601.17514_none_fbe11bf002f10455_shlwapi.dll_1eec0a2e	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-datacontrol_31bf3856ad364e35_8.0.7600.16385_none_950b0c1b653d65c3\tdc.ocx	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_d5b4f96cdbb9a8b1\IMJPDSVR.EXE	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4a5d2c9ecd59afa7\dnscacheugc.exe	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_11.2.9600.16428_none_84720c6fcb130608\dxtmsft.dll	3ACF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\ul_msvcr80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	3ACF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_X86.dll	3ACF.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll	3ACF.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.Thunk.dll	3ACF.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf_hdwwiz.exe_b6a1c2df	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\MigSetup.exe	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-msmq-http-files_31bf3856ad364e35_6.1.7601.17514_none_597a715e304f49ad\mqise.dll	3ACF.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-e..rformancemonitoring_31bf3856ad364e35_6.1.7600.16385_none_17d2ef5202301871\esentprf.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ieframe_31bf3856ad364e35_8.0.7601.17514_none_e7d7639870214e02\ieframe.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ieframe_31bf3856ad364e35_8.0.7601.17514_none_e7d7639870214e02\ieui.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_6.1.7601.17514_none_e99b83c8fd064a06\inetmgr.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-com-dtc-client_31bf3856ad364e35_6.1.7600.16385_none_b33c89b0075f9149\msdtcprx.dll	3ACF.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AdoNetDiag.dll	3ACF.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_76239aafb364e805_rasautou.exe_477abe34	3ACF.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-rasrtutils_31bf3856ad364e35_6.1.7601.17514_none_0f1cfdfc48bca8a8_rtutils.dll_243724ab	3ACF.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.1.7601.17514_none_f59e20ddece8f922_certenrollctrl.exe_9495aa75	3ACF.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.7601.17514_none_83801b5eed6392d9_gdiplus.dll_423f7010	3ACF.tmp
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENTRAL_mfc100u_x86	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-ehome-ehuihlp_31bf3856ad364e35_6.1.7601.17514_none_a485be43763dc314\ehuihlp.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_6.1.7601.17514_none_e99b83c8fd064a06\svcext.dll	3ACF.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6_hhctrl.ocx_38c869db	3ACF.tmp
File created	C:\Windows\winsxs\Backup\wow64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.7601.17514_none_c519dbeb6e585715_winhttp.dll_6cd72d6e	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-legacysnapin_31bf3856ad364e35_6.1.7601.17514_none_e99b83c8fd064a06\uihelper.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-wmnetmgr_31bf3856ad364e35_6.1.7601.17514_none_afc0a5d809a22c4b\WMNetMgr.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-drm_31bf3856ad364e35_6.1.7601.17514_none_d6a8cb040fcd3a85\drmmgrtn.dll	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-mfds_31bf3856ad364e35_6.1.7601.17514_none_0e0909c8687d5c9c\mfds.dll	3ACF.tmp
File created	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll	3ACF.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll	3ACF.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-bcrypt-primitives-dll_31bf3856ad364e35_6.1.7600.16385_none_1207cf88785de24d_bcryptprimitives.dll_5dcb347c	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3d8bb37f97ba22ff\sdbinst.exe	3ACF.tmp
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..siondynamicbinaries_31bf3856ad364e35_6.1.7601.17514_none_f08b571e7ac4826e\compdyn.dll	3ACF.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-cmi_31bf3856ad364e35_6.1.7601.17514_none_abd5b433b8ccf7a4_cmiv2.dll_be06aa9f	3ACF.tmp
File created	C:\Windows\winsxs\amd64_igdlh.inf_31bf3856ad364e35_6.1.7600.16385_none_f3e7064ea3c09a9a\igd10umd32.dll	3ACF.tmp
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CORPerfMonExt.dll	3ACF.tmp
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-f..temutilitylibraries_31bf3856ad364e35_6.1.7601.17514_none_eb9dc1c34def72a3_ifsutil.dll_7d6905f6	3ACF.tmp

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\ = "{C523F390-9C83-11D3-9094-00104BD0D535}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\TypeLib\Version = "3.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C37B1794-B61E-402B-9C7C-B073DE579AC1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C37B1794-B61E-402B-9C7C-B073DE579AC1}\TypeLib\Version = "3.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C37B1794-B61E-402B-9C7C-B073DE579AC1}\TypeLib\ = "{C523F390-9C83-11D3-9094-00104BD0D535}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroAccess.AcrobatAccess\CLSID\ = "{C523F39F-9C83-11D3-9094-00104BD0D535}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\ = "AcrobatAccess Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35ADDC4B-B470-45F9-B29C-B6845949A4FE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\ = "IGetPDDomNode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}\ = "IPDDomNode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{198F17AE-B921-4308-9543-288D426A5C2B}\TypeLib\Version = "3.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6}\ = "IPDDomWord"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00FFD6C4-1A94-44BC-AD3E-8AC18552E3E6}\TypeLib\Version = "3.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C37B1794-B61E-402B-9C7C-B073DE579AC1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35ADDC4B-B470-45F9-B29C-B6845949A4FE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A894040-247E-4AFF-BB08-3489E9905235}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{35ADDC4B-B470-45F9-B29C-B6845949A4FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B4848E37-7C66-40A6-9F66-D3A9BC8F4636}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C37B1794-B61E-402B-9C7C-B073DE579AC1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C37B1794-B61E-402B-9C7C-B073DE579AC1}\TypeLib\Version = "3.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E6D1CB7-4DAE-4DE4-8ED9-15672A5F942F}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\TypeLib\ = "{C523F390-9C83-11D3-9094-00104BD0D535}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\Version = "3.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36DE898D-AD48-40A5-B4B2-123F916BFBAB}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C37B1794-B61E-402B-9C7C-B073DE579AC1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B4848E37-7C66-40A6-9F66-D3A9BC8F4636}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B4848E37-7C66-40A6-9F66-D3A9BC8F4636}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E6D1CB7-4DAE-4DE4-8ED9-15672A5F942F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\TypeLib\Version = "3.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{198F17AE-B921-4308-9543-288D426A5C2B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6}\TypeLib\Version = "3.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A894040-247E-4AFF-BB08-3489E9905235}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C37B1794-B61E-402B-9C7C-B073DE579AC1}\ = "IPDDomGlobalOptions"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroAccess.AcrobatAccess\ = "AcrobatAccess Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81F9B44F-BA3A-4F5D-9B51-090C74A9B3A4}\TypeLib\ = "{C523F390-9C83-11D3-9094-00104BD0D535}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36DE898D-AD48-40A5-B4B2-123F916BFBAB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35ADDC4B-B470-45F9-B29C-B6845949A4FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A894040-247E-4AFF-BB08-3489E9905235}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E6D1CB7-4DAE-4DE4-8ED9-15672A5F942F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A894040-247E-4AFF-BB08-3489E9905235}\ = "IPDDomNodeExt"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35ADDC4B-B470-45F9-B29C-B6845949A4FE}\ = "IPDDomGroupInfo"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}\ = "IPDDomNode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B4848E37-7C66-40A6-9F66-D3A9BC8F4636}\ = "ISelectText"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E6D1CB7-4DAE-4DE4-8ED9-15672A5F942F}\TypeLib\ = "{C523F390-9C83-11D3-9094-00104BD0D535}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35ADDC4B-B470-45F9-B29C-B6845949A4FE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\VersionIndependentProgID\ = "AcroAccess.AcrobatAccess"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625}\ProxyStubClsid32	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2488	2988	regsvr32.exe	28
PID 2988 wrote to memory of 2488	2988	regsvr32.exe	28
PID 2988 wrote to memory of 2488	2988	regsvr32.exe	28
PID 2988 wrote to memory of 2488	2988	regsvr32.exe	28
PID 2988 wrote to memory of 2488	2988	regsvr32.exe	28
PID 2988 wrote to memory of 2488	2988	regsvr32.exe	28
PID 2988 wrote to memory of 2488	2988	regsvr32.exe	28
PID 2488 wrote to memory of 1448	2488	regsvr32.exe	29
PID 2488 wrote to memory of 1448	2488	regsvr32.exe	29
PID 2488 wrote to memory of 1448	2488	regsvr32.exe	29
PID 2488 wrote to memory of 1448	2488	regsvr32.exe	29

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\cd5a4d63b02368481081d9e0a41a3070_NeikiAnalytics.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\cd5a4d63b02368481081d9e0a41a3070_NeikiAnalytics.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\3ACF.tmp
    C:\Users\Admin\AppData\Local\Temp\3ACF.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3ACF.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/2488-0-0x0000000000200000-0x0000000000247000-memory.dmp

Filesize
284KB

Download