959513cae7b4205c106ec002454e373bbc5ba212f80b18455d921362da00a053

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
Size

96KB
MD5

277a5331cb7d6d1b0c9767cd6359eaa0
SHA1

c5e721621052201178892e70800f6605774bd171
SHA256

959513cae7b4205c106ec002454e373bbc5ba212f80b18455d921362da00a053
SHA512

24aada6743b0f2f83b45ad77f47ecb26d04d8063e0965eda5c7d413cca5418610b79da17e7f2898c75dcdda8e01d53e2388fd7e15674421a054dbb3503545502
SSDEEP

1536:ESdQyso1cL35z1COUJJ3xAVl02Lf97RZObZUUWaegPYA:EyQyso1051COQVxAV7FClUUWae

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe

Executes dropped EXE 12 IoCs

pid	Process
320	Nnhfee32.exe
3000	Ndbnboqb.exe
4800	Ngpjnkpf.exe
1160	Nnjbke32.exe
4604	Nqiogp32.exe
2536	Ncgkcl32.exe
552	Njacpf32.exe
1344	Nqklmpdd.exe
3556	Ngedij32.exe
760	Nnolfdcn.exe
1988	Ndidbn32.exe
4660	Nkcmohbg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2420	4660	WerFault.exe	94

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 320	4880	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe	82
PID 4880 wrote to memory of 320	4880	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe	82
PID 4880 wrote to memory of 320	4880	277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe	82
PID 320 wrote to memory of 3000	320	Nnhfee32.exe	83
PID 320 wrote to memory of 3000	320	Nnhfee32.exe	83
PID 320 wrote to memory of 3000	320	Nnhfee32.exe	83
PID 3000 wrote to memory of 4800	3000	Ndbnboqb.exe	84
PID 3000 wrote to memory of 4800	3000	Ndbnboqb.exe	84
PID 3000 wrote to memory of 4800	3000	Ndbnboqb.exe	84
PID 4800 wrote to memory of 1160	4800	Ngpjnkpf.exe	85
PID 4800 wrote to memory of 1160	4800	Ngpjnkpf.exe	85
PID 4800 wrote to memory of 1160	4800	Ngpjnkpf.exe	85
PID 1160 wrote to memory of 4604	1160	Nnjbke32.exe	86
PID 1160 wrote to memory of 4604	1160	Nnjbke32.exe	86
PID 1160 wrote to memory of 4604	1160	Nnjbke32.exe	86
PID 4604 wrote to memory of 2536	4604	Nqiogp32.exe	87
PID 4604 wrote to memory of 2536	4604	Nqiogp32.exe	87
PID 4604 wrote to memory of 2536	4604	Nqiogp32.exe	87
PID 2536 wrote to memory of 552	2536	Ncgkcl32.exe	88
PID 2536 wrote to memory of 552	2536	Ncgkcl32.exe	88
PID 2536 wrote to memory of 552	2536	Ncgkcl32.exe	88
PID 552 wrote to memory of 1344	552	Njacpf32.exe	89
PID 552 wrote to memory of 1344	552	Njacpf32.exe	89
PID 552 wrote to memory of 1344	552	Njacpf32.exe	89
PID 1344 wrote to memory of 3556	1344	Nqklmpdd.exe	90
PID 1344 wrote to memory of 3556	1344	Nqklmpdd.exe	90
PID 1344 wrote to memory of 3556	1344	Nqklmpdd.exe	90
PID 3556 wrote to memory of 760	3556	Ngedij32.exe	91
PID 3556 wrote to memory of 760	3556	Ngedij32.exe	91
PID 3556 wrote to memory of 760	3556	Ngedij32.exe	91
PID 760 wrote to memory of 1988	760	Nnolfdcn.exe	92
PID 760 wrote to memory of 1988	760	Nnolfdcn.exe	92
PID 760 wrote to memory of 1988	760	Nnolfdcn.exe	92
PID 1988 wrote to memory of 4660	1988	Ndidbn32.exe	94
PID 1988 wrote to memory of 4660	1988	Ndidbn32.exe	94
PID 1988 wrote to memory of 4660	1988	Ndidbn32.exe	94

C:\Users\Admin\AppData\Local\Temp\277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\277a5331cb7d6d1b0c9767cd6359eaa0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\Nnhfee32.exe
  C:\Windows\system32\Nnhfee32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\Ndbnboqb.exe
    C:\Windows\system32\Ndbnboqb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\Ngpjnkpf.exe
      C:\Windows\system32\Ngpjnkpf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        13⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 400
        14⤵
        Program crash
        
        PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4660 -ip 4660
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
96KB

MD5
ef3f4a83965b33f988931477ce37e483

SHA1
4ae457feed44c9ec29fdc02ac717c1c85ffaad94

SHA256
9897cb74adf52c15679e2c0091895b5b6d5fc8caac923fd518c8527ae202453c

SHA512
c7f7ad70fd8b290c519e0638b77c9c6fe4f58ee5fdddd368602fa6befe5460d809c7e62ac960ffe9089c52b1eb36734db0ebfb766117ad06515e5bc74276781b

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
96KB

MD5
86bc8f0e58d1cc804fa2d103794c5666

SHA1
930ff17f8d8ab290bd192f01693501bcdf644b6c

SHA256
b98348303c05a13d11b1b7b99796a57ac81541e8318f583f026a43c0e8a3b066

SHA512
1cb5ed100b6275aec700af5ac7751b97f298279547c2d988294410fb3e0944a47f16deac0737f4464f76ad329b539a71b792fa75a2eca65e911d6aa1375809ba

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
96KB

MD5
27c73430b3b13899a1cefd6a36aa107d

SHA1
d3538803251ff675f6930e2abf8a71ce1aafbfe8

SHA256
4abf5d52601515a37e5b90f2171a4ecfaf5f00cffe04ce70f80b7fd75c2606ee

SHA512
6937ea1823ab818744dbb4b64148a9b917f6f45e09b5f3fe9e10ac87bca0413846b6afc32747d18969a3a65850737c94d12e03f2b4acf83802cd76f1ff935f95

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
96KB

MD5
2bb7a840a37eebaf9ec7810637075d2e

SHA1
5d09f0dd0c927e1c421c0453a896c7884b3f7d1d

SHA256
3fe8fb484f4552efb626fa396e1d48a13b826a54ec4cb9537c37eb31562bbf45

SHA512
203f36c4ea3dccc85ded6cf3395bd42123000bd18c78bbcf154f9e7564d2ffa812ac9b2f20215a9579e011aef182277fc2bbb6cc039ddbf9ff4556fbccd43bc6

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
96KB

MD5
5da9b5a65990e851d158ac48610fb891

SHA1
df1bd5d4f1729d1c094a012c71ee186415330f21

SHA256
e5ee30d4543eb0cfd6e977d8bf71ce71824cee931a0d06682ec02881078db65e

SHA512
a5bd5a62656074f13c7633d4b765f398fb496963e1cbbe7554ca1ce58cf7da8a56995f0a04614e000f8bd2983ccac42f17beb00095e19212b3a9176078ee1b18

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
96KB

MD5
428732fa81633089e3b093979044a193

SHA1
627010dc32c9541858725e80979cb9173a3392fe

SHA256
3a50e06883a3adc26d0473ba22a3faa733be1717af1fc4a6a270c6288e518d62

SHA512
850b5deae35ccc89220838865bca07395f7bb6ddaf206296aad8986c1aa82ef6334472d7d4337ec771d6fb1cacc4cb405a14588eb4ef49b22d6d8987e9f67a04

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
96KB

MD5
7b7fac87f5f981af151db84a8543240c

SHA1
61c81a4aa362a50ea61cf68e18a08eb8372c34c6

SHA256
09d5e829f7f184cc18a2d6aa7e649077a19c904e109ce7a257f7150a9eec9cfd

SHA512
b30f36f0ade00ba26e220ce10b0e34b9e1e9fb312cff17f483105ac38293f007895894cdd3e04b257b07262edd601647f6f56794541c0debe77f90400e15a7be

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
96KB

MD5
710231973623ba5d7738f32752e7891c

SHA1
7908ab16b03dab8dc77fca24246ea4b05024bf5f

SHA256
4fc8a3081af958d5a0ef2126d4dc809e2c26230e662b1ea220cab1405ca82959

SHA512
51287665d446d05e0ba69e48f0eb3944c609a8eb5486172e8351f790cc96b541c8cf5efa516c8e100289bd5a75c1f169b4bf80c2ea75c28dd00465680149691e

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
96KB

MD5
e2d8ecb5a456bdec49ae6a51a225ff3d

SHA1
fa438e78d5ee22810a917de01f31071c22ddb57f

SHA256
8ff242ad0b0a7da05f7d10e24ed78b18aeb46f5413403ead68fce25331234e63

SHA512
9bab934f441c172657defaab8887a1cb1dedfbc51afd6400acc172df3f953a518fd922420340b150c6e1d3d59639955180dd31f0ac574b4c91242b3ded41402f

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
96KB

MD5
1b1f3c4d269e30dd06a9b430e6551fb8

SHA1
f56a3f5d03bb741278410adbc159053d12213a62

SHA256
2204d8abb631347c243fb8ced1afd191ddd6994cc51f5983114de130e347b65f

SHA512
a81b8a2d7183e6a4d9bceb0fdbf2723d0d6922e971f3d6dbda490ab6fb41eae81a6b93b4a4baaa42f9b9bc452e66c1fbc349f4c54be107d667f6da8c5bc2150d

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
96KB

MD5
b983f8004aaf3c28c187b571b79a97ee

SHA1
12d6be86a5a8c9045902945f7dde6344bd279a06

SHA256
80e2a5dac060512f23b3464fbf5e70778533bee155df0461c2eceb73cc10743c

SHA512
444fcef31be77a4c9c503de8a0c9c12410a446bdad4f615d6241a74cb9854d5469a611f5145889bd54b3d63933295ca1ec5968e7074ad18a96c52906a6842878

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
96KB

MD5
177d88786bdfcd73fce95123e5fd1136

SHA1
29e460453a628238a5aa7502a21d65f39f54c0fd

SHA256
d399be9abc6e71811798870d4ae34acbbc3e42f56e5723c3809de6bef5a352c3

SHA512
15bcdd19a73abb0b12e6df01b80c081a34ed747d53c73d56ccd600f45a7f0fd1d93ffacb1c4c706b14e69c2bec6015da7879e9f68dbd23c092491b3d55810272

Download Submit
memory/320-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/320-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads