399291c4d380e3d17db8cd04346d978cd54f5494ccd787b6eaa2a2a4e36bb9de

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fc77f3f1bfa211e47d662fba0bbb810_NeikiAnalytics.exe
Size

1.9MB
MD5

3fc77f3f1bfa211e47d662fba0bbb810
SHA1

c9211f3898b31746cfe77edadd90f3894ec4d690
SHA256

399291c4d380e3d17db8cd04346d978cd54f5494ccd787b6eaa2a2a4e36bb9de
SHA512

dbbdb262c3db172c5d9d811bd19dd9e2bb429d2c7563debc6f5d53d3cabaca164d0aaaf8fb24b9670298d64d1b94dfb5186c218c4c891ae5773b56234af8a334
SSDEEP

24576:t6zoMzPoEcmUBa/irwbORluFQlijyOU8FEsuIfVH5E14H7vmVCx:tmfcvU/ir4ORYFeHK6IfVH5E14bvm

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3840	regsvr32.exe
3960	3fc77f3f1bfa211e47d662fba0bbb810_NeikiAnalytics.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8681942-91AC-455D-873F-A99900B36689}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF256DC4-283D-4352-A399-6FA3BADADF06}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8681942-91AC-455D-873F-A99900B36689}\ = "__clsUpdate"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C170C4D-5530-4032-995B-01DBEBD905C8}\Forward\ = "{9251731F-C01A-41B7-AE20-0C8077BB05F7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\TypeLib\Version = "42.4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8EA9082-0E00-4AA1-B787-F85F7E1152D3}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6290DA5-313D-4716-BBC6-683A29BDD342}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2033585-B3B9-44AE-8567-CA7AFE33731F}\Forward\ = "{D8681942-91AC-455D-873F-A99900B36689}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\ = "_clsUpdate"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8EA9082-0E00-4AA1-B787-F85F7E1152D3}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DFEFB1B-7223-4FAC-8F58-CC50446A605A}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6290DA5-313D-4716-BBC6-683A29BDD342}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE89D90-6D35-402D-B0D8-E06CDF332E67}\TypeLib\ = "{3E1AAB92-DEDC-4DB4-BD41-1730D818E093}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6290DA5-313D-4716-BBC6-683A29BDD342}\ = "clsUpdate"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2033585-B3B9-44AE-8567-CA7AFE33731F}\Forward	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E1AAB92-DEDC-4DB4-BD41-1730D818E093}\42.4\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\TypeLib\ = "{3E1AAB92-DEDC-4DB4-BD41-1730D818E093}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{40461576-79F8-4786-9942-5BC7DC9BE251}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2033585-B3B9-44AE-8567-CA7AFE33731F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE89D90-6D35-402D-B0D8-E06CDF332E67}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF256DC4-283D-4352-A399-6FA3BADADF06}\Forward	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8681942-91AC-455D-873F-A99900B36689}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\ = "clsUpdate"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3DFEFB1B-7223-4FAC-8F58-CC50446A605A}\ = "clsUpdate"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8681942-91AC-455D-873F-A99900B36689}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{40461576-79F8-4786-9942-5BC7DC9BE251}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MUtil.clsUpdate\ = "MUtil.clsUpdate"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{40461576-79F8-4786-9942-5BC7DC9BE251}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6290DA5-313D-4716-BBC6-683A29BDD342}\Forward\ = "{D8681942-91AC-455D-873F-A99900B36689}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8681942-91AC-455D-873F-A99900B36689}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8EA9082-0E00-4AA1-B787-F85F7E1152D3}\Forward\ = "{D8681942-91AC-455D-873F-A99900B36689}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8681942-91AC-455D-873F-A99900B36689}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8681942-91AC-455D-873F-A99900B36689}\ = "clsUpdate"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE89D90-6D35-402D-B0D8-E06CDF332E67}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C170C4D-5530-4032-995B-01DBEBD905C8}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF256DC4-283D-4352-A399-6FA3BADADF06}\ = "clsUpdate"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{40461576-79F8-4786-9942-5BC7DC9BE251}\Forward	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C170C4D-5530-4032-995B-01DBEBD905C8}\ = "clsUpdate"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C8EA9082-0E00-4AA1-B787-F85F7E1152D3}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E1AAB92-DEDC-4DB4-BD41-1730D818E093}\42.4\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\TypeLib\Version = "42.4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE89D90-6D35-402D-B0D8-E06CDF332E67}\VERSION\ = "66.4"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2033585-B3B9-44AE-8567-CA7AFE33731F}\ = "clsUpdate"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE89D90-6D35-402D-B0D8-E06CDF332E67}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{40461576-79F8-4786-9942-5BC7DC9BE251}\Forward\ = "{9251731F-C01A-41B7-AE20-0C8077BB05F7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF256DC4-283D-4352-A399-6FA3BADADF06}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81EDB299-417C-43CE-928A-DDA36F54B423}\Forward\ = "{9251731F-C01A-41B7-AE20-0C8077BB05F7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E1AAB92-DEDC-4DB4-BD41-1730D818E093}\42.4\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8681942-91AC-455D-873F-A99900B36689}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE89D90-6D35-402D-B0D8-E06CDF332E67}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C170C4D-5530-4032-995B-01DBEBD905C8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81EDB299-417C-43CE-928A-DDA36F54B423}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E1AAB92-DEDC-4DB4-BD41-1730D818E093}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9251731F-C01A-41B7-AE20-0C8077BB05F7}\ = "_clsUpdate"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5EE89D90-6D35-402D-B0D8-E06CDF332E67}\ = "MUtil.clsUpdate"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF256DC4-283D-4352-A399-6FA3BADADF06}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3960	3fc77f3f1bfa211e47d662fba0bbb810_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 3840	3960	3fc77f3f1bfa211e47d662fba0bbb810_NeikiAnalytics.exe	82
PID 3960 wrote to memory of 3840	3960	3fc77f3f1bfa211e47d662fba0bbb810_NeikiAnalytics.exe	82
PID 3960 wrote to memory of 3840	3960	3fc77f3f1bfa211e47d662fba0bbb810_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\3fc77f3f1bfa211e47d662fba0bbb810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3fc77f3f1bfa211e47d662fba0bbb810_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\mutil.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mutil.dll

Filesize
264KB

MD5
5fdb19dfdc2f3b31138d2febbfabb4f7

SHA1
dbdbeed3f8a9ad7d3135fd58147d9c11d51dda5d

SHA256
414d12077f835d35448a1869b1bc6fe9449f2f950553b2f98aea7d1221a40812

SHA512
cd3afeca3f94253d9c3ffa97726867a0017db4fc7dfa9f6d3b0a219e1b492a676b0c5077b9753d17e89c943edfd491127f0bce1c2fe2623afd1e3438d032638b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads