Malware Analysis Report

2025-01-22 12:33

Sample ID 240517-22lk6sfh54
Target 4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe
SHA256 9651d7db8956d136f829b9511d32f6a0ac6b195c62a6ed9647bdd38c2d6c2ea8
Tags
aspackv2 persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9651d7db8956d136f829b9511d32f6a0ac6b195c62a6ed9647bdd38c2d6c2ea8

Threat Level: Shows suspicious behavior

The file 4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2 persistence

Executes dropped EXE

ASPack v2.12-2.42

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 23:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 23:04

Reported

2024-05-17 23:07

Platform

win7-20240221-en

Max time kernel

142s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QRRLEC.EXE = "C:\\PerfLogs\\services.exe" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\QQJS.EXE | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\svchost.exe | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\QQJS.EXE" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\PerfLogs\\QQJS.EXE %1" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\QPBYIW.EXE %1" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\PerfLogs\\XBEI.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Users\\JEGIKZ.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Program Files (x86)\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2204 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2204 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2204 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2204 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2204 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2204 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2204 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Windows\SysWOW64\Regsvr32.exe
PID 2204 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Program Files (x86)\svchost.exe
PID 2204 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Program Files (x86)\svchost.exe
PID 2204 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Program Files (x86)\svchost.exe
PID 2204 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | C:\Program Files (x86)\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe C:\Windows\system32\Ms7002.dll /s

C:\Program Files (x86)\svchost.exe

"C:\Program Files (x86)\svchost.exe"

Network

N/A

Files

memory/2204-0-0x0000000000270000-0x0000000000271000-memory.dmp

C:\PerfLogs\XBEI.EXE

MD5 b48ff7e8dc51217b830c68b0465210d5
SHA1 ea9cd8d35f730ba425c38e4b2c46786d30d6a59d
SHA256 e1e5c4111e1014518b5f126728a4370e47d2563cbb755955790d34083d956b81
SHA512 16aafa6cb7863dfb30ab5cb7d908a5872ede26ab502fac9a09e6e625cec0c293f4805a55bb4d8ac9c30ebd9e30423bc11495ded47bf111a4d4c12db9f847a89d

C:\Windows\SysWOW64\Ms7002.dll

MD5 876a2a99b81968f5b26e3cbe12063d2b
SHA1 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256 f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512 ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

\Program Files (x86)\svchost.exe

MD5 bc0103990bbaaceae05a0e6c637e54ef
SHA1 22fe86ba0c2c1f22b0554b55c4d28bea536f6ea4
SHA256 dcb5707fd61af1e1f1edb4ba5273e66873ef024d1ee09c5f89fc4ddae9b8553d
SHA512 97456426954c7ca94d09012197acee0c5d90377f53a7ccd4e3e5240f3008b97579c13b7ca600a13143d0cb16f57d164d3a7f6a19afc7d22681558da49d4d93d0

memory/2580-29-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2580-30-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 23:04

Reported

2024-05-17 23:07

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\explorer.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XCMBCG.EXE = "C:\\Users\\unsecapp.exe" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\LYL.EXE | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\Ms7002.dll | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\PerfLogs\\LYL.EXE %1" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\PerfLogs\\LYL.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\LYL.EXE" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile | C:\Users\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\PerfLogs\\LYL.EXE %1" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\PerfLogs\\LYL.EXE \"%1\"" | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\Regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid | C:\Windows\SysWOW64\Regsvr32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4cd367fb9fc9bca7432710c004a72e00_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe C:\Windows\system32\Ms7002.dll /s

C:\Users\explorer.exe

C:\Users\explorer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp

Files

memory/3720-0-0x0000000002310000-0x0000000002311000-memory.dmp

C:\PerfLogs\LYL.EXE

MD5 fd61aa1c3f37a11d8be86f433d1dd342
SHA1 3ea7dcd94ce1bb2808545902178b9a392e94a36c
SHA256 53cf38a73315429cb71392db24de360a51ef914cf13dbefe9ebcd93590f4d85e
SHA512 69f2aaff02348ca26bc26e71bc19757fc1868cdc600a3eb6289b5a5c6cfeadb9301fb5007652987af5f0b238bae14338ee634115a55ad36cae24263913cff3b0

C:\filedebug

MD5 06338706d027037107d12e50050318f8
SHA1 8c830ece2974b77116eb2987ccd0fc7f5cda8628
SHA256 a0cd64ca10c28df358f71d8ddb1fe3f50c702e2195ecd006fa825fa294160d1e
SHA512 d3748f4eda8297470dc45a2aa0d5150cffeec616b8680bfa07e97eca0e07fc17a919051d40a8251910f3bc7fa065843116a0095773cfb8cfb6553134f078c515

C:\Windows\SysWOW64\Ms7002.dll

MD5 876a2a99b81968f5b26e3cbe12063d2b
SHA1 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256 f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512 ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

C:\Users\explorer.exe

MD5 9403747d3b7780e92807f94b9a9ad159
SHA1 27406c57f0aebb9204e8cbe94467bbb4b67a0a34
SHA256 d91a869ad75de735fbf4f4381e63972cc97a9d4e744c234b48402903a355e5b3
SHA512 ad21dcbb0a3e27509e31db858ffa25eb18172bbd35895e2f62b7f7b93d965aefbe654136d171cfb9daafb5a16ddac7727e5179f77848245a2793e1109e3b0f57

memory/388-25-0x0000000000750000-0x0000000000751000-memory.dmp

memory/388-26-0x0000000000750000-0x0000000000751000-memory.dmp