4bc109a57e473a1af4a02185ca4c7609c170d61c6d36241e6016bc9331018662

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
Size

55KB
MD5

91dc1d25088a45b38eae9ab6a9ef4cd0
SHA1

052823ff61daba583334f15fd344c0ac0f1db94f
SHA256

4bc109a57e473a1af4a02185ca4c7609c170d61c6d36241e6016bc9331018662
SHA512

19cfa002674c2bfa7eaa1b8290567aa38619472cad4a69ea63b93421be856dd2541693eb7b3450dcad685260177107e64a8ecf6ea0c98c787c0925b44d62a10f
SSDEEP

768:kIMZ0Dx8m+nsYIimv6/9KA7voruPNwUDsFa3TBNEiHSAF0epMCJoj42p/1H54Xdh:NMCtsw6gAluUJ3UPAnz+U2LM

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe

Executes dropped EXE 15 IoCs

pid	Process
2940	Maaepd32.exe
4904	Mgnnhk32.exe
4072	Njljefql.exe
4440	Nqfbaq32.exe
2964	Ndbnboqb.exe
1368	Nklfoi32.exe
2188	Nafokcol.exe
2040	Ngcgcjnc.exe
3104	Njacpf32.exe
1396	Nqklmpdd.exe
5044	Ngedij32.exe
1432	Njcpee32.exe
1676	Nbkhfc32.exe
2660	Ncldnkae.exe
4472	Nkcmohbg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3548	4472	WerFault.exe	94

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 2940	4816	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe	80
PID 4816 wrote to memory of 2940	4816	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe	80
PID 4816 wrote to memory of 2940	4816	91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe	80
PID 2940 wrote to memory of 4904	2940	Maaepd32.exe	81
PID 2940 wrote to memory of 4904	2940	Maaepd32.exe	81
PID 2940 wrote to memory of 4904	2940	Maaepd32.exe	81
PID 4904 wrote to memory of 4072	4904	Mgnnhk32.exe	82
PID 4904 wrote to memory of 4072	4904	Mgnnhk32.exe	82
PID 4904 wrote to memory of 4072	4904	Mgnnhk32.exe	82
PID 4072 wrote to memory of 4440	4072	Njljefql.exe	83
PID 4072 wrote to memory of 4440	4072	Njljefql.exe	83
PID 4072 wrote to memory of 4440	4072	Njljefql.exe	83
PID 4440 wrote to memory of 2964	4440	Nqfbaq32.exe	84
PID 4440 wrote to memory of 2964	4440	Nqfbaq32.exe	84
PID 4440 wrote to memory of 2964	4440	Nqfbaq32.exe	84
PID 2964 wrote to memory of 1368	2964	Ndbnboqb.exe	85
PID 2964 wrote to memory of 1368	2964	Ndbnboqb.exe	85
PID 2964 wrote to memory of 1368	2964	Ndbnboqb.exe	85
PID 1368 wrote to memory of 2188	1368	Nklfoi32.exe	86
PID 1368 wrote to memory of 2188	1368	Nklfoi32.exe	86
PID 1368 wrote to memory of 2188	1368	Nklfoi32.exe	86
PID 2188 wrote to memory of 2040	2188	Nafokcol.exe	87
PID 2188 wrote to memory of 2040	2188	Nafokcol.exe	87
PID 2188 wrote to memory of 2040	2188	Nafokcol.exe	87
PID 2040 wrote to memory of 3104	2040	Ngcgcjnc.exe	88
PID 2040 wrote to memory of 3104	2040	Ngcgcjnc.exe	88
PID 2040 wrote to memory of 3104	2040	Ngcgcjnc.exe	88
PID 3104 wrote to memory of 1396	3104	Njacpf32.exe	89
PID 3104 wrote to memory of 1396	3104	Njacpf32.exe	89
PID 3104 wrote to memory of 1396	3104	Njacpf32.exe	89
PID 1396 wrote to memory of 5044	1396	Nqklmpdd.exe	90
PID 1396 wrote to memory of 5044	1396	Nqklmpdd.exe	90
PID 1396 wrote to memory of 5044	1396	Nqklmpdd.exe	90
PID 5044 wrote to memory of 1432	5044	Ngedij32.exe	91
PID 5044 wrote to memory of 1432	5044	Ngedij32.exe	91
PID 5044 wrote to memory of 1432	5044	Ngedij32.exe	91
PID 1432 wrote to memory of 1676	1432	Njcpee32.exe	92
PID 1432 wrote to memory of 1676	1432	Njcpee32.exe	92
PID 1432 wrote to memory of 1676	1432	Njcpee32.exe	92
PID 1676 wrote to memory of 2660	1676	Nbkhfc32.exe	93
PID 1676 wrote to memory of 2660	1676	Nbkhfc32.exe	93
PID 1676 wrote to memory of 2660	1676	Nbkhfc32.exe	93
PID 2660 wrote to memory of 4472	2660	Ncldnkae.exe	94
PID 2660 wrote to memory of 4472	2660	Ncldnkae.exe	94
PID 2660 wrote to memory of 4472	2660	Ncldnkae.exe	94

C:\Users\Admin\AppData\Local\Temp\91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\91dc1d25088a45b38eae9ab6a9ef4cd0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\Maaepd32.exe
  C:\Windows\system32\Maaepd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\Mgnnhk32.exe
    C:\Windows\system32\Mgnnhk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SysWOW64\Njljefql.exe
      C:\Windows\system32\Njljefql.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
      - C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        16⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 224
        17⤵
        Program crash
        
        PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4472 -ip 4472
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
55KB

MD5
45f90fd4f765ce32e7eb0a32e84bf020

SHA1
bf760ae5fdf21b7ccb149e827dee4f27a7b91081

SHA256
d621da9c3ac6cd161aea974b22c468e4ff55dbbde92c62d6016bc6dacfbca3aa

SHA512
b0ea385d01427ded0c444a6346c78c5b69683f9089e54d4fec296488abdc438185c5fbcc8935ccabba8f167094fcdf636af78af067359e630d3343cf46733cbe

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
55KB

MD5
dd00087dbe0886609bcd74923f6cef76

SHA1
633208377996793804219f1ed61ae72abfecdae5

SHA256
2ba054897da687f0a9556a79f841edd6dac36ee6b4be0a9a5726c90a1fbaa0a5

SHA512
123a213aeefe476ab76e1726af76e8827c0e3bed42c823706ea1cf511b68f8e3ac1e3ca51d21ca207929125c3579384aede094b049ffa2a741ff21986ed97ad9

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
55KB

MD5
359d8ec4799f3f853d6da02a2c12d6fb

SHA1
fdc132baaed8358694d1f753872d576d5a1873ef

SHA256
df35f92d1fb22016fc00eedcc671f8c9b3bcf4a64ac7a323f04c1300eed4ce33

SHA512
b5e9088956fad807089854b60e8ce9fdc5222681e2169b0e3c810b221a7f77473e412504d0e54730732f983cd1418b47a233f781f80c7c805fec113ad3e76564

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
55KB

MD5
f5514185209cb56a987046172a6878d5

SHA1
54b0fb1a6139b5adf81b92f4aec2c257b5281c8e

SHA256
0bcdee3ac6d746f49bb51dc278e602a3c38a751b6103b4d2d4d1ee9ff8d32549

SHA512
10c11a5f88c8c926b2fde4e4f8d082b9703b76ccfabf23145ae76360e198078662d5f9d59fac87690672b466b79edd546981256885f731877ec63c6b848f91a4

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
55KB

MD5
2747ae93a7213f79bffa9e8f4a24a038

SHA1
1c67de85e3abc31934ac2a88cfb69644cf0009ae

SHA256
016ba8d72249536be482a9a15f1f721005c0e7ea028b3122eba6415d58edf59d

SHA512
dcea4df582a72f1758e7224de946df414ad91d82edbc0a9998cbc4bc5bd85d21612dc596f5611fc2f8aec0d7cd5c77e21cd00edce6b2bf4272ead4fb3466b0f4

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
55KB

MD5
1862865689c4633e31ad83785aa2b8be

SHA1
371bc11d52090d7fe70e0af9aef9f612e2e38850

SHA256
a2f585c71a640e88597da1c83e0c00f06176ae572292d04ad3fe5f0bb1b3b521

SHA512
6229a88018576871ac0f79f6bc8670431d644b283c745a373c0dd133d0819448acb9a2005fd8b50e948a1f0a0c58eed3ae37a1631db3ca55f2025df6106219ad

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
55KB

MD5
c83f18185a1b9ab7f3833712390956fc

SHA1
6be20e140683f368ef584bf672a43592d56512e6

SHA256
2d24da46830b93809a388912f4bdaf60abe37dd8b06633000633388cca6aec1c

SHA512
b9b9fb3bfe5096f1db16b250ad3765546d08845b9f64f2b11a32c0a47cc3f33e0275272d13e56d1ea0c991b1d8d4f86a74d6f29ec92a764f26e1231d85ce1114

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
55KB

MD5
29fdfefa77b0d033899d1545ee5031b6

SHA1
a5114a4dba9544f5b6696ceff23f58921abe4398

SHA256
f5ff406b54741082f18964ddc6ebfb73b3ed2dc2a9c35f247b83bcc4b09b0be7

SHA512
64ae5c0d458c9b1eaee1d6ed06c824db778caa41e6abc7d96e6b917ca857a952a73ffa55a66e97c2923304c475608cba72b05cbca25788603e6d2ba058521462

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
55KB

MD5
fc7f5655a0058b565ca01104ae39018b

SHA1
08f6112284bb9d9b156ce06ca1d26a985530da81

SHA256
ab1b8105519234c9fafab3a828dd7451291c4ff1ff7a0b9a43663cb3b0f1b15f

SHA512
bc4999d7a9fc88144749a67ce114508bb78c506cb3a19ed8d71fd46b4380a138b60f996e149c1210ec4a980d8b1dd0a42fe36ae907e1723ec4d6fe21a80ab600

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
55KB

MD5
0ccb1a2621796070b21ca3ff66aad878

SHA1
3df86c650971d6d9fe296f90b3c7bb0c64a172da

SHA256
c3210181346c7b8a258276bd6843066f217eeb6934233e88cad81d41d266d834

SHA512
7fcbd1709f7fbc321ed1b5d986b3d0440615a742a62353e7fe064c5e023e367627db4f44fe0e00c2f795d029db87f65554ccd730069bde137f785501d83bc024

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
55KB

MD5
675bacf65d14cf643b702830dc61ed84

SHA1
c66736f0b91e4cf64fb05e7c002e0b7d6d01ce5e

SHA256
d9a01963ec64c8b1523eb5f62cbc7a771b091ff6bcf3da3759a982276f1ce63e

SHA512
7488f1b47a7683756e93edc710a28365e21f2cb85b12b3a0cc8152cbfc05e13ec48e6e4f08e72763e6b3db1aedd8a0ab7d99aa5ef85d73b7eac632d970c43687

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
55KB

MD5
e767c4b7f4d70def1125cd74fa082f48

SHA1
bf26ebb7801a4be63b8c5cda32ed221d346a05a2

SHA256
dc29d926291a95c519270a814a7e1313d32b20889a6e4de0945e144334c99481

SHA512
ae18128c4018184abdd6ed4019037dfb82f482cc761ff0a8d872ed7d6223a64d7fc115ce02cc95ec758ce0628f6549eaa1776d28518f60853d22f90f291ce135

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
55KB

MD5
04c30de934df18ba14c59689bf50eeca

SHA1
8b25fd30dfe95428f923341f24122254c69efead

SHA256
54622795a6140099d0b45250da649b0f7666f0fa77c8b7331591ec4ca8edd2f7

SHA512
2b6b54c2d0b54c3a9090e6d3f29e9602888b9fa770fdd34cbc5abc3464f03b4750bed0a8acc32e5d2951075c29dae80a5c69750b5c2fcd7a614ed6997c7231cf

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
55KB

MD5
0f77ecb637de7f7fb9aeeb1edbecb4e3

SHA1
15b82f5048a56cda1caf5ba867b77d0d4ad6eccd

SHA256
05846669e285a54f10ec47f1b84c4de5ba7a95584dfa1023cc87acd37b4bff3b

SHA512
6685b115736135fa89e3b7d5a8b85965727afe4cc4d1ef2e33fd8766ecf2955c3ba0a28347fb0a3a17e8b7ccbe3587cfbe7c2d8536edf9a5fa42498b11ab8a65

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
55KB

MD5
c0bcd1791c89a7bd71a2e8a94ede32d7

SHA1
0957c66204f0eb735803134c754b1f2e5bd65595

SHA256
2404123de88c7e680fd3f63323863d487e5632f0a2bd5b15a15fca7054d25dba

SHA512
4bad2c651b22e92d2cbd07d7ecd4ff9f3f0a571339441b909fed797c0eb7d78b3f6afd536816f54693292bd9562a7db6d09d33f881f8779ad57166428e92d5b9

Download Submit
memory/1368-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4904-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads