c66fdd6e13562b28d22bf8ddfaa63bea4c69ebeeeb83a219a88cf62a02c5bd10

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
Size

582KB
MD5

bf059cf691c111d9750965a6ea932770
SHA1

371a42a463a3a5bb63fe786487074b0102fed8bb
SHA256

c66fdd6e13562b28d22bf8ddfaa63bea4c69ebeeeb83a219a88cf62a02c5bd10
SHA512

220ae5970f30834fbc467c413e80483f98c9acab90576c02399aa75393912a0ad3e619112e87b28f259c66f9a7e87bd97388711e4f8cb488f29cfbfad12fdae0
SSDEEP

6144:PxeInuXoD7+1bRtPcCrhCRkR/+MG7+1bRtPcCrhxPSHlV2Yj6egLCCGP7+1bRtPN:Xny2YNrekcPYNrq6+gmCAYNrekcPYNrB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe

Executes dropped EXE 15 IoCs

pid	Process
2200	Mpolqa32.exe
4288	Mcnhmm32.exe
3348	Mglack32.exe
3304	Mdpalp32.exe
900	Nnhfee32.exe
3356	Nqfbaq32.exe
4740	Nddkgonp.exe
2596	Njacpf32.exe
2892	Nbhkac32.exe
1228	Ndghmo32.exe
2888	Njcpee32.exe
5068	Nbkhfc32.exe
2348	Ndidbn32.exe
3896	Ncldnkae.exe
1028	Nkcmohbg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process
728	1028	WerFault.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 2200	3252	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe	84
PID 3252 wrote to memory of 2200	3252	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe	84
PID 3252 wrote to memory of 2200	3252	bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe	84
PID 2200 wrote to memory of 4288	2200	Mpolqa32.exe	85
PID 2200 wrote to memory of 4288	2200	Mpolqa32.exe	85
PID 2200 wrote to memory of 4288	2200	Mpolqa32.exe	85
PID 4288 wrote to memory of 3348	4288	Mcnhmm32.exe	86
PID 4288 wrote to memory of 3348	4288	Mcnhmm32.exe	86
PID 4288 wrote to memory of 3348	4288	Mcnhmm32.exe	86
PID 3348 wrote to memory of 3304	3348	Mglack32.exe	87
PID 3348 wrote to memory of 3304	3348	Mglack32.exe	87
PID 3348 wrote to memory of 3304	3348	Mglack32.exe	87
PID 3304 wrote to memory of 900	3304	Mdpalp32.exe	88
PID 3304 wrote to memory of 900	3304	Mdpalp32.exe	88
PID 3304 wrote to memory of 900	3304	Mdpalp32.exe	88
PID 900 wrote to memory of 3356	900	Nnhfee32.exe	89
PID 900 wrote to memory of 3356	900	Nnhfee32.exe	89
PID 900 wrote to memory of 3356	900	Nnhfee32.exe	89
PID 3356 wrote to memory of 4740	3356	Nqfbaq32.exe	90
PID 3356 wrote to memory of 4740	3356	Nqfbaq32.exe	90
PID 3356 wrote to memory of 4740	3356	Nqfbaq32.exe	90
PID 4740 wrote to memory of 2596	4740	Nddkgonp.exe	91
PID 4740 wrote to memory of 2596	4740	Nddkgonp.exe	91
PID 4740 wrote to memory of 2596	4740	Nddkgonp.exe	91
PID 2596 wrote to memory of 2892	2596	Njacpf32.exe	92
PID 2596 wrote to memory of 2892	2596	Njacpf32.exe	92
PID 2596 wrote to memory of 2892	2596	Njacpf32.exe	92
PID 2892 wrote to memory of 1228	2892	Nbhkac32.exe	93
PID 2892 wrote to memory of 1228	2892	Nbhkac32.exe	93
PID 2892 wrote to memory of 1228	2892	Nbhkac32.exe	93
PID 1228 wrote to memory of 2888	1228	Ndghmo32.exe	95
PID 1228 wrote to memory of 2888	1228	Ndghmo32.exe	95
PID 1228 wrote to memory of 2888	1228	Ndghmo32.exe	95
PID 2888 wrote to memory of 5068	2888	Njcpee32.exe	96
PID 2888 wrote to memory of 5068	2888	Njcpee32.exe	96
PID 2888 wrote to memory of 5068	2888	Njcpee32.exe	96
PID 5068 wrote to memory of 2348	5068	Nbkhfc32.exe	97
PID 5068 wrote to memory of 2348	5068	Nbkhfc32.exe	97
PID 5068 wrote to memory of 2348	5068	Nbkhfc32.exe	97
PID 2348 wrote to memory of 3896	2348	Ndidbn32.exe	98
PID 2348 wrote to memory of 3896	2348	Ndidbn32.exe	98
PID 2348 wrote to memory of 3896	2348	Ndidbn32.exe	98
PID 3896 wrote to memory of 1028	3896	Ncldnkae.exe	99
PID 3896 wrote to memory of 1028	3896	Ncldnkae.exe	99
PID 3896 wrote to memory of 1028	3896	Ncldnkae.exe	99

C:\Users\Admin\AppData\Local\Temp\bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bf059cf691c111d9750965a6ea932770_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\SysWOW64\Mpolqa32.exe
  C:\Windows\system32\Mpolqa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\Mcnhmm32.exe
    C:\Windows\system32\Mcnhmm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\SysWOW64\Mglack32.exe
      C:\Windows\system32\Mglack32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3348
    - - C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
      - C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        16⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 412
        17⤵
        Program crash
        
        PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1028 -ip 1028
1⤵
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hlmobp32.dll

Filesize
7KB

MD5
d4674c31eb342714f7f49380cec39888

SHA1
fa167a137beca181578c8dd7e78d047dc0fd2df3

SHA256
4bbbb23681fdf6a23c5f98d16b5a84e3ebe4bfb77b50ffdb71b18041ae70dab3

SHA512
3e0dff3bf814e84468f8c5feb7413bdf7eab9e443e4dc9f73478ae6a3a00fed9ea4c549af1e66a5e83a0a52cfef9a5c385d435c115ac8c12125d4a2786161590

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
582KB

MD5
69f7fd0c20485039c2363577612966cb

SHA1
db131c22f47175eb2ecc39b780c601a431d5d584

SHA256
4806adb28ba5bffd9e5b8fc6bffbda7ce0a93f3b1f54d62f2daa25c78e8e302a

SHA512
2056f6ac2c6773b2cbe5dffbab264748a9aa7f5da5965740eb14c7601ec6c2d8f0272fea7e32c276b0d684d2a4c8fe40bc55d888788d30312560fa2ae19e7682

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
582KB

MD5
a42db622140626250c3be13f86bf4897

SHA1
964fab9fb5ccb5c5e2ec157edf9f7c1ce8bfdabf

SHA256
7890a14794feca870701736bae4752723dafce01d64771220f0e0ba31bba0a93

SHA512
889251f0e4eb2c9e0dd7633ce308f409247c04df5ac6d162d1c21e13356dee627e36e45ca82c35fb0fa5a24e779b8dd7cd813b9b690b11b10dc5f49e8c33718e

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
582KB

MD5
d98068054c60c2a3021f1d7118af8d11

SHA1
78ed278f1514338ec6ecc4406cf155ba22a1069f

SHA256
d1d020623c22af60a7d91acfd82d9251011a4ffbbcd9b80944eeeeee7331b46e

SHA512
2af6cdf5fe77d410bfaa046b1efd8d5fa8f5479f3ac8d7cff9d05185ffc31bec71d1a701cce1f34b5d7b2be587d8fc6cf88efa379a20016f6fb9488d48da5be8

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
582KB

MD5
db504ec226cf9834422a606d3165517a

SHA1
6dd2aa5bac1b60185a70c996fc799e11c2621bfc

SHA256
35445f18a3227de3f98916d9432e8f6597f4dc29a49ea35d554811637d47410b

SHA512
166c15d0761395972b6a127b39ad93e98cf0e44fb0928fc6dd966fd00d7a857976ee3681d2c997acaa6c64b4a25a3b8f316422852ec72bc3fe5bd372be0b9dd0

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
582KB

MD5
7fe4726652f99ecd00c2af6f2e3c72a3

SHA1
d73d5220831fac6dfa692e5a20dbd848426c0f96

SHA256
8af6bbda907c717596723170bf696120336c9e3a30a9807e721a532a393e4718

SHA512
a471d21fcb5b81fd48f3a27f22f02c05e17634743ead9307d903dcf0e4b4f24c0af77198b79227ff7c69cf35d7c8d404388b1ca545f54e90dd1f24aa79a723bf

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
582KB

MD5
30efde416fa1fd8d75c3525a78716d7f

SHA1
818e8f444f0c42fe25a2783e415ff4eba09e4d6b

SHA256
9b20be2820a274ef4c3b720862ced4936d08dec7d4fe8b18947a8e568140b514

SHA512
c4ed3dab368cf94e8c335ea45b76ea5e1843a1eb5fc6a4ba516b877943b7fcafd5bbfde272998ef50a7e7b0f9ee61a7ce15c9c428fd61d97efb5e8e58a79b476

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
582KB

MD5
24211e48f896101ec6f9beb99b1166d6

SHA1
6aa476fe2df9f117e49e501056ccdca1a5533e12

SHA256
9913791a3e349e59139f9f1f688ae6187b833f3d13f563f4236925657455b478

SHA512
2349583461a5c9bda04d55b2cf6cebf1cf1543bf1f3b317494efa4b1668d82640d626b9ba258f69414a6b27c8b6a9ff01c1d3f39132314580a9d21120afb6ae5

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
582KB

MD5
417afb01e7c5b0f50853a9aea7d9192c

SHA1
9efe044c268c32c0a88791a08050b1c3dc8e1a6f

SHA256
af90accb0e29d53601dc7aeced9e1a1ea9bc3eb685776b2f0785ac09ab73ed1b

SHA512
f113695352af75a39215a4cf42d55a802eb03bbdcc41a12a5899e49d1af92044dc4cb444889287863e1488f1e79dd1ba85d9b3d990be3be9216ec6851517ab69

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
582KB

MD5
3705f31d9ca905735f6bc78a6a5f612a

SHA1
2287aa1d6075690984af609eef4550522bf7f907

SHA256
cf82ecfd14b3358f77c05b762539a2c0a7250847cb59b684a1a491ff05c66236

SHA512
1a9d21684ea04d9fdab95f4ec5c08026cfde3c204021fe35adb881feda0738c30d5c9983853ea3dcf626e07170aef61ce577836db55d86114e334e3c4584cdc4

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
582KB

MD5
c076334995042028777a69cac20de055

SHA1
5336cb8fb8afef4f088b881383cd2843c432779e

SHA256
3b813910d431d17c30f58bc3da735557987485c70096e4420cd31229cf265a4c

SHA512
e3312d5a446aabaa610ddd646a1c3d3f05432f46726e54b3fdc0ef53ac090f769400f70b2186cbcdde67d4494e7a2b9fdd1ae06d6a091a79463885bbd47b9835

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
582KB

MD5
7639199f8641821dcc1accb1f6ce293d

SHA1
9bbe7bde73fe45dcbbc79a6af4516051fb5b99b1

SHA256
dcc39b3b71a5149cc2b170cf4db44d9e73af9b1b86fba63048e3420051af6f08

SHA512
90ad9fd7e7a7adeea8a6aab3c1093f2b65a12c264a0884e0859c2d0dfbaf5f5f63ce3cac0c91de1bff6add1f44722b54de0a014a723edfd93349c153021ba071

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
582KB

MD5
7dc3b63dbd22e2f29cf5d33c51a77a1b

SHA1
225259d372259c12e8335cdce65e30373cf61913

SHA256
88b55ad07075e9193dfb84229fd215812cc763f0849d7376eecc2489de467584

SHA512
120a060ed1611b325a8ad9c7a0bbba279744f2b7108dd7a9950d615a1f68d49429769dc3970895de8583e99ad69d4100adc150ab90c15e59510e3a9975d633f5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
582KB

MD5
0d30cb0a45454fd16202e50d82684225

SHA1
26e4e80d631c0e17a992e0bfabe73ab61cc0fe79

SHA256
4d1c92769297631f81034013391de3a556991a9b93a9b160ff7f28284fc07ddd

SHA512
d171108c7d9a3bbe74184b54860258c47f9963e0b5cdb252cac309563e382e37333700f8faa0b3dc339b885c7aa9726af940b5ef6c7fb23f944d9b5908d84547

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
582KB

MD5
1aaa7f44c94a46e79c5f0bc50a53c396

SHA1
d863563202f6f8dcaa7bb51fb8b615a77d28ffd5

SHA256
28087e2275c18738b518e004db79f48fea7c400ec36a4e24105e6557ee1d7b8e

SHA512
c5fb8355b6ea6c26f383cb7e41611268315cbeda70b07772af1ccde0a8065bd25c059fbacb2f71dd1a67ecdae03ceae722e0c652c566583f7ba1254cd037778e

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
582KB

MD5
4b043cf7d1081f6344ef30c1c08f9802

SHA1
d17d9b45dbf8da13d4d61aadbad6b6fd934e0d60

SHA256
5306805c069d43d4dc5a1c2e724b53a67db30d5c2f6c8a7cbbfb5988f6105603

SHA512
2c959607ef57d8bea7489f91b5f5e3faed1c15dfb41891646fd1e4f1180c553619c09aa30239fcc16c18e81b9f3e4dd40b09199a5100195b7eb20549578ced6b

Download Submit
memory/900-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/900-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2348-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2888-92-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads