0d7f88f66b99caacadf6d9ac75f8a3f25e6d511ec52e99b15aff3974f59d0a0a

Analysis

max time kernel
133s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 20:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
Size

363KB
MD5

17a0491b9a32ef04911b9cf97ff4e240
SHA1

c3c4666d0ca201cfccefcddea7e9fc51dbb15c7c
SHA256

0d7f88f66b99caacadf6d9ac75f8a3f25e6d511ec52e99b15aff3974f59d0a0a
SHA512

a8050d65354c004bd126f9a5626e7eca8f607a8bda0585ae9b11234253871e5812a5e83eec3727883859909a030eb49d675dd11f4683d1c9f88d47b222052906
SSDEEP

6144:0AUNbo39k5tTDUZNSN58VU5tT0dzL4n5tTDUZNSN58VU5tT:ubN5t6NSN6G5tsLc5t6NSN6G5t

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe

Executes dropped EXE 11 IoCs

pid	Process
2200	Mdkhapfj.exe
4252	Mgidml32.exe
4004	Mglack32.exe
3552	Mnfipekh.exe
1160	Mdpalp32.exe
4020	Nqfbaq32.exe
1844	Njogjfoj.exe
2104	Nqiogp32.exe
2664	Ngcgcjnc.exe
1664	Nbkhfc32.exe
2504	Nkcmohbg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mglack32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Mdpalp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3172	2504	WerFault.exe	94

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2200	3032	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe	84
PID 3032 wrote to memory of 2200	3032	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe	84
PID 3032 wrote to memory of 2200	3032	17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe	84
PID 2200 wrote to memory of 4252	2200	Mdkhapfj.exe	85
PID 2200 wrote to memory of 4252	2200	Mdkhapfj.exe	85
PID 2200 wrote to memory of 4252	2200	Mdkhapfj.exe	85
PID 4252 wrote to memory of 4004	4252	Mgidml32.exe	86
PID 4252 wrote to memory of 4004	4252	Mgidml32.exe	86
PID 4252 wrote to memory of 4004	4252	Mgidml32.exe	86
PID 4004 wrote to memory of 3552	4004	Mglack32.exe	87
PID 4004 wrote to memory of 3552	4004	Mglack32.exe	87
PID 4004 wrote to memory of 3552	4004	Mglack32.exe	87
PID 3552 wrote to memory of 1160	3552	Mnfipekh.exe	88
PID 3552 wrote to memory of 1160	3552	Mnfipekh.exe	88
PID 3552 wrote to memory of 1160	3552	Mnfipekh.exe	88
PID 1160 wrote to memory of 4020	1160	Mdpalp32.exe	89
PID 1160 wrote to memory of 4020	1160	Mdpalp32.exe	89
PID 1160 wrote to memory of 4020	1160	Mdpalp32.exe	89
PID 4020 wrote to memory of 1844	4020	Nqfbaq32.exe	90
PID 4020 wrote to memory of 1844	4020	Nqfbaq32.exe	90
PID 4020 wrote to memory of 1844	4020	Nqfbaq32.exe	90
PID 1844 wrote to memory of 2104	1844	Njogjfoj.exe	91
PID 1844 wrote to memory of 2104	1844	Njogjfoj.exe	91
PID 1844 wrote to memory of 2104	1844	Njogjfoj.exe	91
PID 2104 wrote to memory of 2664	2104	Nqiogp32.exe	92
PID 2104 wrote to memory of 2664	2104	Nqiogp32.exe	92
PID 2104 wrote to memory of 2664	2104	Nqiogp32.exe	92
PID 2664 wrote to memory of 1664	2664	Ngcgcjnc.exe	93
PID 2664 wrote to memory of 1664	2664	Ngcgcjnc.exe	93
PID 2664 wrote to memory of 1664	2664	Ngcgcjnc.exe	93
PID 1664 wrote to memory of 2504	1664	Nbkhfc32.exe	94
PID 1664 wrote to memory of 2504	1664	Nbkhfc32.exe	94
PID 1664 wrote to memory of 2504	1664	Nbkhfc32.exe	94

C:\Users\Admin\AppData\Local\Temp\17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\17a0491b9a32ef04911b9cf97ff4e240_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\Mdkhapfj.exe
  C:\Windows\system32\Mdkhapfj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\Mgidml32.exe
    C:\Windows\system32\Mgidml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\Mglack32.exe
      C:\Windows\system32\Mglack32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4004
    - - C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
      - C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        12⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 400
        13⤵
        Program crash
        
        PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2504 -ip 2504
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
363KB

MD5
ae9af961a7323e55ef13270fd8be1aa4

SHA1
e6d17355cac1675c913484927657b001d7f247c3

SHA256
9791d163fc713ef0b90dc0e978b82d8bd33ebe14d5f0206b530cfe0129700399

SHA512
66ba3587e885fdd6bc3b43bf5976dafc0d10d80b5e434d23e3414f3b28d7230f0103ba60f26e2f3625b84a35d6b8d09780ddcf2fd3c52496437a4a5cc83ffcd8

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
363KB

MD5
99175384f43b76e1e0ce2997503fb54b

SHA1
11b369854148c1310c3562558f3a6724bd31be87

SHA256
717167f53fade427a7f6f5d54d4905ce43f5d896b6e964b59fc2e0c307e570ed

SHA512
9ff1dbb75f7cd739616a03069ad190378f6907d9a21d995101ffc3487da4f8bb7e78b073bca598f44c6033f0bc2c99197392d70ab6424539aad2013ecbf0fa69

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
363KB

MD5
b0bb96fe00e97794b07ecbee3764404c

SHA1
f90365b86f69043e64c7d47706dacfb3b493b501

SHA256
a22ce95639f2f4484d7728a97aa21da67113d40584b1f8a58cb43fcd0e4a5503

SHA512
7a4229886cd8e6663b2f12da766cefa858f94d56b97368272d00d80cfe59a9c6138eb65ea6fde911e835544aa0deeaae5b14b14caa41c6aef594344bfd5c4c19

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
363KB

MD5
4bb69f077fc4dec7f2750abc38301d69

SHA1
a4684a1751fa3f59ef267a6a255896d7438624c9

SHA256
b6083115fa34415c4b09f128f8d4cc6bc85241ca3e0b55814cd2738e3894af8f

SHA512
f2a9fed1a22e40e16ae768b74f17d8329fc6f6e7ad9200c3f49b9ed3ace1d11ce156251ed91bddf645c63ef1b46ba5eaa3c5488edf57c4ddc35d9af7c3aa4afc

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
363KB

MD5
d146f8b714201a2c1934f9c9750e50bf

SHA1
77caa0ecfdf23531aa457024d3f418b0fd92c8a4

SHA256
a9b8fb842b44fd6da7f8ee7caa4697edf4ec327bf03de895d3a81f8445d86d60

SHA512
5d70de924d82f488b6fc90b096a2856825c5fc6fd7a1d9f91bebb4cc75fc0ef3bdcab4031084b5c03f5101659573e5f05a971c2627c9cb6807828ff0a80eb0e5

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
363KB

MD5
c3d6064083f68d1ec900b2589b8a1c3d

SHA1
4da4edb2d197adcae022efefbd9e215ab73a983f

SHA256
ae93dc36d8592bf9442d59cd8f8bf46fe95f29ee022826a14d67a86520d1aee9

SHA512
2ed5272c9edb980f9c25ccb05b2182c3f17b685f6f0a78fdc0af7819ba0b78043535248082380190cb14d8aa381755ffdeed0e68f3debba464b176d176e74718

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
363KB

MD5
04d229a24363a4b79827c4a0aa9c8f8d

SHA1
6474bb282050c42263f9e24170bb4503e3323974

SHA256
c22fb0cc5f6e1378028de3e02579591f0fa9ca0f4e8f3be9aee4353f4efcde09

SHA512
00c56de3a119c604bf0ff492f49dea26246216f9318e2fc43765887746799c9ff90d889df6fe55af2d85f14b81c81db6122b57c55d9a75a62c8a34e0606003fc

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
363KB

MD5
48593170bf30bacefe2564f4cca27d21

SHA1
45f579dc6bb73f96d2dbc075370b87c5cebd2e47

SHA256
8451b357aa6fa806f40d0f5e6d48f571aa04bd03a58f1e7920dd28b6706d136f

SHA512
637d6d13441ce884b5bea7e9f119ac3578f40e771b220af08510416c02575964f4b6554fa00785df583a9edaf71776049ff15466c70375e453013feaee27b5d3

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
363KB

MD5
2902a26e01eec8b749916960389b5d46

SHA1
891e91db1da2e59b3ea717368a05e35853c46ee2

SHA256
d1693202099ed0337df59cd737076704a5800ed1ec0935bc08c98956d5f80ef5

SHA512
576359841c0b9e69aba6988e3a195b93dca562d7d07a0f5c8b091d5509c661aae359154fe064f5894236eafda48cedf1dff7009397891e828ebfcc94e8b43c7e

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
363KB

MD5
aeb9144b014ab56d47ea6bac4105baea

SHA1
4dfd37dddda4fb3fb76567571b0b955315f41215

SHA256
b7b9f57cb8215b9885645ad83fb349f66f5a6c53c0b20f295b78e324a4c48c28

SHA512
2cb9ab518ee1d31049973d4655011acc901775124a19343279411f38a0eff5d958c525fe6d4768463b83620e6aff93793c6fb88846b02285b9ccd7d4793c2f1f

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
363KB

MD5
5e06f4276f993e1013b779394a6a4719

SHA1
56ccc4d5b7b1150ed5605afdc326efba1e4f82f7

SHA256
6819cb12a5437c7d900a3ea05c0608dfc13bcf47c4aeb760654138b2cada893c

SHA512
8311d23ecb86356c7ee05d7840bdd9fbfe2ef5afe116a23355d89cebd6b62b6db07c3e050ff22f02b44f17464d08828301e3f6c0ed0c98ef9c51f5a79192afb0

Download Submit
memory/1160-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2504-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2664-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3552-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4252-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4252-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads