3bf5c42c8ca78dd3b43bee2656b4d14d1823ceafbc7ba134f252e349cd5bb6c8

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 14:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a4481497d6fee5a968ef11e14f934590_NeikiAnalytics.exe
Size

1.5MB
MD5

a4481497d6fee5a968ef11e14f934590
SHA1

2d847072815398da47bb2eba38eb88efda6e0e6c
SHA256

3bf5c42c8ca78dd3b43bee2656b4d14d1823ceafbc7ba134f252e349cd5bb6c8
SHA512

c748c4bd0c2b5804ad95d375be9a3e93859db5819a091b25bb244a12c57f71df11be5c149f7298d3eea3076cc519929f4c6fa6d92f3d3d87b3b7737a1b6f332d
SSDEEP

24576:IqbSoBdjUvOKhS8RyqqlqtELLWasCDdVauqjaZsrxHdoHlsgtzjeD19zc9P3nqH:TbjBdj9Khv5tlrCTa0ZsxHaHjtzjNnqH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2664	md8rntm.exe

Loads dropped DLL 5 IoCs

pid	Process
2020	a4481497d6fee5a968ef11e14f934590_NeikiAnalytics.exe
2020	a4481497d6fee5a968ef11e14f934590_NeikiAnalytics.exe
2664	md8rntm.exe
2664	md8rntm.exe
2664	md8rntm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Medi8or.DirectDrawEmul.1	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86FC1FD1-BCF3-11D1-B76F-58BB04C10000}\Programmable	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}\1.0	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FACF11A1-5095-11D3-A9DE-00C0268E5C48}\TypeLib\ = "{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXemul.DDClipperEmul\CurVer\ = "DXemul.DDClipperEmul.1"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}\1.0\FLAGS\ = "0"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86FC1FD0-BCF3-11D1-B76F-58BB04C10000}	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86FC1FD2-BCF3-11D1-B76F-58BB04C10000}\ProxyStubClsid32	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FACF11A1-5095-11D3-A9DE-00C0268E5C48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86FC1FD2-BCF3-11D1-B76F-58BB04C10000}	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Medi8or.DDSurfaceEmul.1\ = "DDSurfaceEmul"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FACF11A2-5095-11D3-A9DE-00C0268E5C48}\ProgID	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FACF11A1-5095-11D3-A9DE-00C0268E5C48}\ProxyStubClsid32	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86FC1FD3-BCF3-11D1-B76F-58BB04C10000}\VersionIndependentProgID	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86FC1FD3-BCF3-11D1-B76F-58BB04C10000}\Programmable	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FACF11A2-5095-11D3-A9DE-00C0268E5C48}\Programmable	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZipNrun.tmp\\"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86FC1FD2-BCF3-11D1-B76F-58BB04C10000}\TypeLib\ = "{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXemul.DDClipperEmul	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86FC1FD0-BCF3-11D1-B76F-58BB04C10000}\TypeLib	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86FC1FD0-BCF3-11D1-B76F-58BB04C10000}\TypeLib\ = "{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Medi8or.DirectDrawEmul\CurVer	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Medi8or.DDSurfaceEmul.1\CLSID\ = "{86FC1FD3-BCF3-11D1-B76F-58BB04C10000}"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Medi8or.DDSurfaceEmul	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86FC1FD3-BCF3-11D1-B76F-58BB04C10000}\ProgID	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86FC1FD3-BCF3-11D1-B76F-58BB04C10000}\InprocServer32	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86FC1FD3-BCF3-11D1-B76F-58BB04C10000}\ = "DDSurfaceEmul"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}\1.0\ = "DXemul 1.0 Type Library"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86FC1FD0-BCF3-11D1-B76F-58BB04C10000}\TypeLib\ = "{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86FC1FD2-BCF3-11D1-B76F-58BB04C10000}\ProxyStubClsid32	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Medi8or.DDSurfaceEmul.1	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86FC1FD3-BCF3-11D1-B76F-58BB04C10000}\VersionIndependentProgID\ = "Medi8or.DDSurfaceEmul"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXemul.DDClipperEmul.1\CLSID\ = "{FACF11A2-5095-11D3-A9DE-00C0268E5C48}"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}\1.0\0\win32	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FACF11A1-5095-11D3-A9DE-00C0268E5C48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Medi8or.DirectDrawEmul\CurVer\ = "Medi8or.DirectDrawEmul.1"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Medi8or.DDSurfaceEmul\CurVer	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FACF11A1-5095-11D3-A9DE-00C0268E5C48}\ = "IDDClipperEmul"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FACF11A2-5095-11D3-A9DE-00C0268E5C48}\InprocServer32\ThreadingModel = "Apartment"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86FC1FD0-BCF3-11D1-B76F-58BB04C10000}\ = "IDirectDrawEmul"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86FC1FD2-BCF3-11D1-B76F-58BB04C10000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXemul.DDClipperEmul\CLSID\ = "{FACF11A2-5095-11D3-A9DE-00C0268E5C48}"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FACF11A2-5095-11D3-A9DE-00C0268E5C48}\VersionIndependentProgID\ = "DXemul.DDClipperEmul"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FACF11A2-5095-11D3-A9DE-00C0268E5C48}\InprocServer32	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}\1.0\HELPDIR	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86FC1FD0-BCF3-11D1-B76F-58BB04C10000}\TypeLib\Version = "1.0"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86FC1FD1-BCF3-11D1-B76F-58BB04C10000}\ = "DirectDrawEmul"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86FC1FD1-BCF3-11D1-B76F-58BB04C10000}\VersionIndependentProgID\ = "Medi8or.DirectDrawEmul"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86FC1FD1-BCF3-11D1-B76F-58BB04C10000}\InprocServer32\ThreadingModel = "Apartment"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXemul.DDClipperEmul.1\CLSID	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXemul.DDClipperEmul\ = "DDClipperEmul Class"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FACF11A1-5095-11D3-A9DE-00C0268E5C48}\ = "IDDClipperEmul"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86FC1FD2-BCF3-11D1-B76F-58BB04C10000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86FC1FD2-BCF3-11D1-B76F-58BB04C10000}\TypeLib	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FACF11A2-5095-11D3-A9DE-00C0268E5C48}\TypeLib	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZipNrun.tmp\\mDxEmul.mom"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86FC1FD0-BCF3-11D1-B76F-58BB04C10000}	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86FC1FD0-BCF3-11D1-B76F-58BB04C10000}\ProxyStubClsid32	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86FC1FD0-BCF3-11D1-B76F-58BB04C10000}\ProxyStubClsid32	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86FC1FD0-BCF3-11D1-B76F-58BB04C10000}\TypeLib	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Medi8or.DirectDrawEmul.1\ = "DirectDrawEmul"	md8rntm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DXemul.DDClipperEmul.1\ = "DDClipperEmul Class"	md8rntm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FACF11A2-5095-11D3-A9DE-00C0268E5C48}\VersionIndependentProgID	md8rntm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2664	2020	a4481497d6fee5a968ef11e14f934590_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2664	2020	a4481497d6fee5a968ef11e14f934590_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2664	2020	a4481497d6fee5a968ef11e14f934590_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2664	2020	a4481497d6fee5a968ef11e14f934590_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\a4481497d6fee5a968ef11e14f934590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a4481497d6fee5a968ef11e14f934590_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\md8rntm.exe
  C:\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\md8rntm.exe /nobb "C:\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\Gleichungssysteme E3.1.md8"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\Computer_klein_li2.gif

Filesize
8KB

MD5
534a797b3c7015fb2dbdee19db2add92

SHA1
775c33503d231cdd10de90512e778b2fdd2bbc2e

SHA256
4ed70f9f390780dd488d52985a8bc75b476475f80fc8f34dc2822d925ff27cd8

SHA512
fc7395491a5734695d0265fe37b078b6156b6cb51919753496214060bc00df582e83ad266231c656c8dcaba5c1a3ee93365412b6e037d38388b94382fbc06960

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\Computer_klein_re2.gif

Filesize
8KB

MD5
56a82a7b8fea36f675e4ca3a1e1fddea

SHA1
a015e6f493eb3a5fc0ed4899ec51a935e81da0fd

SHA256
a46aa01cffe7ebcf1fcb1f98b910c3491881fa9fef69d133a028743333f3ca4a

SHA512
2afc64390930f819d65d13adb6bdb0fdba3574bf9ece9237f30537d9040853268df8f6fc1b0aa62b86ee5427deb05fe6edf7a618e7f4a98fffa25fa296cf996b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\Gleichungssysteme E3.1.md8

Filesize
42KB

MD5
b18a384055aa240f44708e6935a0d7d1

SHA1
091f353839cbfe7fc8ef8404f94ce4b40907e7f0

SHA256
2ce2624400a0bc8e223694c8bbaf5f373a9595c7888d3ae85eca2b4c2c9a8b98

SHA512
a703440473c6ab6e0eee2f9e6410edb2cfc33bec9e620e31924cfa23a982053d90639209e445312ee729b59942d20e63fc876b136092c8ad3ade7ba361a68be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\Rmd8P2.MOM

Filesize
1.1MB

MD5
b3ad9942e9acc164f100c869f2b81e7e

SHA1
1c319f5b4e8ccaad0eb0f4ab02b78af9c60eb8ea

SHA256
9279440ff2477c4612f11e512ff17f86fa5febb208658d68b91d10376cc98a2b

SHA512
c729b965c93281f195a02d319cc18066c9d949daf1ad4754423d4f851e7c67bb38071f31501f6459dcb7bd763b5e97695ebaecdcf3cf1f968bbe79f38b463f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\lig-gruen1.png

Filesize
9KB

MD5
bb523d17f902a6b7e6812f826a78d88f

SHA1
80e20446b34383575d3e60d39958bf6d1b109674

SHA256
710cf38115785c1b73d0b056ca8457f962d8be9e66a1128092375aa1562f53d3

SHA512
fa8c9f8895e71418a621141822ec7d9572d476354e2fbe920d2b087166a75e0c8c9b8b820e5b1480ef4960cc56e65ec9f502b866737b5b28ab280fb73bde03b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\mDxEmul.mom

Filesize
124KB

MD5
25cf67f5dc68661d8f375412ea267f22

SHA1
9424a44f47ef4b9e470d215dfc2f8de4e66df88a

SHA256
22acc4abcf9cdbc3824e0797a6ec209a541236426adb656416bdee4a90f5b5cc

SHA512
ac6abc2ec96b9065b6ea61d961f3105152557325694d193387a7dc9bf9f010e29bf31ecde89f6d510164ca04d9bfcc7101813963e926b59c9e543da1fd11711c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\plaster31.jpg

Filesize
7KB

MD5
f960c4c231296dc0755ceadaeac48ee5

SHA1
0d086ae122e89e16032e3995664eec7c29f98974

SHA256
fd72666852cb75d266a29c7013d66f00a99631428b86c4b9d0aee4c0a79f0d36

SHA512
a0c7a65f2e9534dacb9f5e35b30b36908762645d75e82f2f4021814701610c1b53119b335e158de887440b72b8d855492d5d10ae9c6c7633370776361eaf7f07

Download Submit
\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\MD8RNTM.EXE

Filesize
1.6MB

MD5
9fdc7d653b729e1f4bb0855524e4170a

SHA1
ce19e9220f138a573ef2852a0234de5716d61ce4

SHA256
297b3ca9f560adc8f9ffc58ddb5e90bd7f50d3fd228afc828ea2516c2ab81793

SHA512
569bcd2aec15df395c13f827042374f972511df1f859adbe9bbf88ee0d5e0f2662aa03d6f6bbeba6c293dff8e12b014964ca6d79721457b04fd49162cb1abbb7

Download Submit
\Users\Admin\AppData\Local\Temp\ZipNrun.tmp\RAniGif.MOM

Filesize
284KB

MD5
b7b8012547e15f6b229e905f31c1da10

SHA1
dee9c47cb560c83dc9d4bbc909ea9f5a3a857002

SHA256
a3323f1cb056da7b9327d7bbc0bd34ca4bba9d67029da0f979eae62b3febd773

SHA512
72371d518506b5244f245b33ee70036a12f8a1e6de02bb49d9c1294960b90b2b395640ca2931b2a112a2599af8de1b24b9b97de141e49082f65d6703f37bc828

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads