Analysis

  • max time kernel
    51s
  • max time network
    55s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    11/06/2024, 02:27

General

  • Target

    241948d342c6c3377e3700afc52e6be0_NeikiAnalytics.exe

  • Size

    320KB

  • MD5

    241948d342c6c3377e3700afc52e6be0

  • SHA1

    1694f02f7e6d7b9b8eca6a78a9fd914932797205

  • SHA256

    756715ad6f5ec1101dfd9cb4f2181f1c96c58f6fce67364caeae7454effd895b

  • SHA512

    4259e532dadf6ec97d939e63c482db57027810b832bb5ca511eb9261d147ed11d7c1f71de07575093d8694e601be7b785264b6c024f1d95403b8ff44df491f50

  • SSDEEP

    6144:/OlgV6JUSULAYCtE07kli0KoCYtw2B0Ddu9szWfx09UBIUbPLwH/lLOUaR/N1I0Y:/97sYJ07kE0KoFtw2gu9RxrBIUbPLwHT

Score
10/10

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs
  • Executes dropped EXE 8 IoCs
  • Drops file in System32 directory 24 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 27 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\241948d342c6c3377e3700afc52e6be0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\241948d342c6c3377e3700afc52e6be0_NeikiAnalytics.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Windows\SysWOW64\Nnmopdep.exe
      C:\Windows\system32\Nnmopdep.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\Nqklmpdd.exe
        C:\Windows\system32\Nqklmpdd.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Windows\SysWOW64\Ncihikcg.exe
          C:\Windows\system32\Ncihikcg.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:220
          • C:\Windows\SysWOW64\Nkqpjidj.exe
            C:\Windows\system32\Nkqpjidj.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4372
            • C:\Windows\SysWOW64\Nnolfdcn.exe
              C:\Windows\system32\Nnolfdcn.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1844
              • C:\Windows\SysWOW64\Nqmhbpba.exe
                C:\Windows\system32\Nqmhbpba.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4496
                • C:\Windows\SysWOW64\Ncldnkae.exe
                  C:\Windows\system32\Ncldnkae.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1416
                  • C:\Windows\SysWOW64\Nkcmohbg.exe
                    C:\Windows\system32\Nkcmohbg.exe
                    9⤵
                    • Executes dropped EXE
                    PID:812
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 436
                      10⤵
                      • Program crash
                      PID:2848
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 812 -ip 812
    1⤵
      PID:4504
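The process tree above is one parent-to-child chain of eight dropped executables in C:\Windows\SysWOW64, each with an eight-letter name, each launched through a C:\Windows\system32\ command line that WOW64 file-system redirection resolves to SysWOW64 (the sample is 32-bit, per the arch:x86 tag), ending in a WerFault crash of the last stage (PID 812). The following is an added detection example, not part of this report or of the sample. It replays constructed process-creation and file-creation events built from the report's PIDs, image paths and command lines (the event shape, a stripped-down Sysmon Event ID 1/11 look-alike, and the parent PID 0 given to the two top-level processes are assumptions) and flags any run of stages where each child's image was written by its own parent. That written-by-parent test, rather than the name pattern alone, is what keeps WerFault.exe, itself an eight-letter name, from being flagged.

```python
"""Drop-then-execute chain detector for the process tree in the report above.

Added example, not part of the sandbox report or of the sample. PIDs, image
paths and command lines are copied from the report; the event shape (a
stripped-down Sysmon Event ID 1 / Event ID 11 look-alike) and the parent
PID 0 given to the two top-level processes are assumptions.
"""
import re
from dataclasses import dataclass

SYSWOW64 = "c:\\windows\\syswow64\\"
# Every dropped stage in the report is an eight-letter .exe directly in SysWOW64.
STAGE_NAME = re.compile(r"^[a-z]{8}\.exe$")


@dataclass(frozen=True)
class FileCreate:          # like Sysmon Event ID 11
    pid: int
    path: str


@dataclass(frozen=True)
class ProcCreate:          # like Sysmon Event ID 1
    pid: int
    ppid: int
    image: str
    cmdline: str


def is_dropped_stage(proc, dropped_by):
    """True when the image is an eight-letter .exe in SysWOW64 that the parent
    process itself wrote (the report's 'Executes dropped EXE'). The written-by-
    parent test is what keeps WerFault.exe, also eight letters, out."""
    image = proc.image.lower()
    name = image.rsplit("\\", 1)[-1]
    return (image.startswith(SYSWOW64)
            and STAGE_NAME.match(name) is not None
            and image in dropped_by.get(proc.ppid, set()))


def wow64_redirected(proc):
    """Command line names system32 but the image lives in SysWOW64: a 32-bit
    process hit WOW64 file-system redirection, as every stage here does."""
    return ("\\system32\\" in proc.cmdline.lower()
            and proc.image.lower().startswith(SYSWOW64))


def find_drop_chains(events, min_length=3):
    """Return the PID list of every parent->child run of dropped stages at
    least min_length long. File writes are indexed first, so ordering between
    the write and the later process start is not checked here."""
    dropped_by, procs = {}, []
    for ev in events:
        if isinstance(ev, FileCreate):
            dropped_by.setdefault(ev.pid, set()).add(ev.path.lower())
        else:
            procs.append(ev)
    stage = {p.pid for p in procs if is_dropped_stage(p, dropped_by)}
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)

    chains = []

    def walk(pid, path):
        path = path + [pid]
        nxt = [c for c in children.get(pid, []) if c in stage]
        if not nxt:
            if len(path) >= min_length:
                chains.append(path)
            return
        for c in nxt:
            walk(c, path)

    for p in procs:          # chain heads: stages whose parent is not itself a stage
        if p.pid in stage and p.ppid not in stage:
            walk(p.pid, [])
    return chains


SW = "C:\\Windows\\SysWOW64\\"
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "241948d342c6c3377e3700afc52e6be0_NeikiAnalytics.exe")
CHAIN = [  # (pid, ppid, dropped file) in the order the report lists them
    (768, 3440, "Nnmopdep.exe"), (436, 768, "Nqklmpdd.exe"),
    (220, 436, "Ncihikcg.exe"), (4372, 220, "Nkqpjidj.exe"),
    (1844, 4372, "Nnolfdcn.exe"), (4496, 1844, "Nqmhbpba.exe"),
    (1416, 4496, "Ncldnkae.exe"), (812, 1416, "Nkcmohbg.exe"),
]


def build_events():
    """Constructed event stream modelled on the report's process tree."""
    ev = [ProcCreate(3440, 0, SAMPLE, f'"{SAMPLE}"')]   # ppid 0 is an assumption
    for pid, ppid, name in CHAIN:
        ev.append(FileCreate(ppid, SW + name))                 # parent drops the stage
        ev.append(ProcCreate(pid, ppid, SW + name,             # and runs it via system32
                             "C:\\Windows\\system32\\" + name))
    ev.append(ProcCreate(2848, 812, SW + "WerFault.exe",
                         SW + "WerFault.exe -u -p 812 -s 436"))
    ev.append(ProcCreate(4504, 0, SW + "WerFault.exe",
                         SW + "WerFault.exe -pss -s 368 -p 812 -ip 812"))
    return ev


if __name__ == "__main__":
    for chain in find_drop_chains(build_events()):
        print(f"drop-and-execute chain, {len(chain)} stages: {chain}")
```

On a live host the same logic would be fed from Sysmon Event ID 1 and 11 (or an EDR equivalent) with the write-before-execute order actually checked; the point is to correlate on the drop-then-execute relationship between parent and child, not on file names or hashes, which this sample does not keep stable.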

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\SysWOW64\Cknpkhch.dll

            Filesize

            7KB

            MD5

            449cdc6f5dd3f341c8b3270f83efd863

            SHA1

            8770f938437d676ff659c0976307426be540a03b

            SHA256

            9f7a8d536dff39943ea85c92c5b556e6ad9e956166e4270081fd8984c31f447c

            SHA512

            ca8dfeabc1079393e387c5dfd26988ff7db07bd85aed4e2309b143f5c8abf6201874524d4df5ed5dbdb7f497a913b1f8d39e204bdb0a4cfce7e4585f3f9838b2

          • C:\Windows\SysWOW64\Ncihikcg.exe

            Filesize

            320KB

            MD5

            2d1886e20eaa2e11d13852e05a66e22f

            SHA1

            8911c43f66173c20efdd385420ac1d37850b9b34

            SHA256

            3dd0901f2bc1e5aaa8f9b75302207e6b0127d0965974dba691e3310b5ce0f2d6

            SHA512

            ab66f9d215613b7697af22e1a03edef2eedc9d8f971f697a9378f825cc873ef391dc798d4e127f8f19a88f0e66f0b9f27f5277809c5f96f5a78d09f4d660ae00

          • C:\Windows\SysWOW64\Ncihikcg.exe

            Filesize

            320KB

            MD5

            cedcbe60f6754df7b7f956c4f45980fb

            SHA1

            93b017caac01b82de59288d1d0a16e1e9e85d7f8

            SHA256

            dbe1a863ca73d51188f666e8904d0367994fa26117c2643a646996f4cea35b48

            SHA512

            d5f1eab8360bd77fad60cf934c6efeb2b6a4e6fe1394b05ae244c02d601be4971ebd5a1df57c607ae4186c9a4628ca856a3fea3860bf1b9b6f5bfb65b5445093

          • C:\Windows\SysWOW64\Ncldnkae.exe

            Filesize

            320KB

            MD5

            8050af21579f608f5787a002445b9cf1

            SHA1

            807db3c2a0446790658a0e847444630eee0a3dc8

            SHA256

            71a1cc90bc95ebd7a8273d38039e1af86969748f55fe1b44207acad9cf4f402b

            SHA512

            6f5289d37ff4a144c71e0884e44a3777f21b589d6f1d8ba0b210fd6e04b2d972111e2ce305c5c9885bab13017f4c875fd0100e95a18925fbdb75c81f0cf1d54c

          • C:\Windows\SysWOW64\Nkcmohbg.exe

            Filesize

            320KB

            MD5

            3b824020b1cbd346c1813c4267b7632e

            SHA1

            07f4e38036baf8eb82146a04ab86a9e51b068ce9

            SHA256

            f4b0ad1930b81c369d981704bdbbc26e904c4f88e44a790bf40f0bf8d9263d51

            SHA512

            f2aacc46b276a832dfe847b178f8907aafda2576790472c0b3854155a441b7d32486c5d9d95b6734ce7e995a890af63e1735551a3f23af40b7616ed9a5e50477

          • C:\Windows\SysWOW64\Nkqpjidj.exe

            Filesize

            320KB

            MD5

            22291b7bcbc76c34a8d6efa7a8bfc1ab

            SHA1

            7c2fd57d45ef44bdc3273aca1501c390d8638fe8

            SHA256

            e9d3fb2210cccfed8b7ef52504f23e5749a9d778a107ece8a62a6b930885ffac

            SHA512

            2e9f42d9056894aa27d883f463dee9f44a37c59eb6979e330eba56bc7f239a5cc00d5354597a379338c3d4dac7cd0ca7711be400bb2df00f2ca87b83f351dc85

          • C:\Windows\SysWOW64\Nnmopdep.exe

            Filesize

            320KB

            MD5

            8556f9ac860c6e27b10d799c024bbea0

            SHA1

            aae9f020b9d93959ffb5ffea01c3923373bf9229

            SHA256

            75b32450748c6d40bea91d1f632aa15bca9229bb9359e2f7a8c1e392deafe410

            SHA512

            6726652db6c7ba2a750a62ca633b884dd5c06ae73aa120a5d929be86b7d2ecb31fa439e8e9829c64b5221c6f4837f30a38b01b20b612e6103b008692669ec4cf

          • C:\Windows\SysWOW64\Nnolfdcn.exe

            Filesize

            320KB

            MD5

            567dbc9ef1dfa623aa3d43f8380e34b2

            SHA1

            2b73f2b5c96d4275b5ccd354bfa346d7f6af9dbf

            SHA256

            cabaa39dc30a9fc82f2428e549a40c0823866f5d244d1ce98e232dd5101e2ee1

            SHA512

            dbaa30a4bdb7e6279858791e4c6f7edfe83611015990c28f4974e876d7e2b52f505df31049fa45dc4a72d02d586dc23596a49238e7e746fe99ebe84b852eb9df

          • C:\Windows\SysWOW64\Nqklmpdd.exe

            Filesize

            320KB

            MD5

            bc1003195b13ebd937dffc5c20313eee

            SHA1

            a1bad83cd23285ef9c6e63bfd969e3fcb0e7c715

            SHA256

            2d5df4a300a150cf0a1cd669ff9f32d745347fc0b4d3ba38ffcc420363810d3b

            SHA512

            3f71531bfe8d285d3bd249360103ec4790c168a2875a1b35a26e384aaf03af770c57854f0115aed80e8d933515c9a9d823dce22717db7fb7ebdad63cba6685fd

          • C:\Windows\SysWOW64\Nqmhbpba.exe

            Filesize

            320KB

            MD5

            2307f8095962c2a96ee0aaed405b6a80

            SHA1

            be385966a65af11548cec162e6e18d89c8f8def0

            SHA256

            92b25f7760f5ca09c6d5ead48e4ef0794a604115822686ef9fa869a9ca911308

            SHA512

            0611f44f90f1a4b559fc0cbf74b632371e1e8818ea9f3805daceced8e5e121f67e0d1296acde9345b7ebf06e27696503b7495bb6d84456ccf58dc174399cc12d

          • memory/220-70-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/220-24-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/436-71-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/436-16-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/768-72-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/768-8-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/812-63-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/812-65-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1416-66-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1416-56-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1844-40-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1844-68-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/3440-73-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/3440-0-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/4372-32-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/4372-69-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/4496-48-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/4496-67-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB
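All ten dropped files listed above have a distinct SHA256 although nine of them share the 320KB size of the original sample, and Ncihikcg.exe appears twice with two different hashes, so the file at that path was rewritten during the run. The script below is an added example, not part of the report: it carries the table's file-name/size/SHA256 triples plus the sample's own SHA256 from the General section as an IoC set, stream-hashes the files under a directory you point it at, and reports exact hash hits separately from name-only hits, since a matching name with a different hash is exactly what this table predicts for the next execution.

```python
"""Host-side check for the dropped-file IoCs listed in the Downloads table.

Added example, not part of the sandbox report. IOCS is transcribed from the
table above (file name, size as printed, SHA256); the directory walk, the
name-only verdict and the stage summary are the added parts.
"""
import hashlib
import ntpath
import os

IOCS = [
    ("Cknpkhch.dll", "7KB",   "9f7a8d536dff39943ea85c92c5b556e6ad9e956166e4270081fd8984c31f447c"),
    ("Ncihikcg.exe", "320KB", "3dd0901f2bc1e5aaa8f9b75302207e6b0127d0965974dba691e3310b5ce0f2d6"),
    ("Ncihikcg.exe", "320KB", "dbe1a863ca73d51188f666e8904d0367994fa26117c2643a646996f4cea35b48"),
    ("Ncldnkae.exe", "320KB", "71a1cc90bc95ebd7a8273d38039e1af86969748f55fe1b44207acad9cf4f402b"),
    ("Nkcmohbg.exe", "320KB", "f4b0ad1930b81c369d981704bdbbc26e904c4f88e44a790bf40f0bf8d9263d51"),
    ("Nkqpjidj.exe", "320KB", "e9d3fb2210cccfed8b7ef52504f23e5749a9d778a107ece8a62a6b930885ffac"),
    ("Nnmopdep.exe", "320KB", "75b32450748c6d40bea91d1f632aa15bca9229bb9359e2f7a8c1e392deafe410"),
    ("Nnolfdcn.exe", "320KB", "cabaa39dc30a9fc82f2428e549a40c0823866f5d244d1ce98e232dd5101e2ee1"),
    ("Nqklmpdd.exe", "320KB", "2d5df4a300a150cf0a1cd669ff9f32d745347fc0b4d3ba38ffcc420363810d3b"),
    ("Nqmhbpba.exe", "320KB", "92b25f7760f5ca09c6d5ead48e4ef0794a604115822686ef9fa869a9ca911308"),
]
# The submitted sample itself, from the General section of the report.
SAMPLE_SHA256 = "756715ad6f5ec1101dfd9cb4f2181f1c96c58f6fce67364caeae7454effd895b"

HASH_TO_NAME = {h: n for n, _, h in IOCS}
HASH_TO_NAME[SAMPLE_SHA256] = "241948d342c6c3377e3700afc52e6be0_NeikiAnalytics.exe"
IOC_NAMES = {n.lower() for n, _, _ in IOCS}


def classify(path, digest):
    """'hash' for an exact SHA256 hit; 'name' when only the file name matches an
    IoC (the run rewrote Ncihikcg.exe with new content, so a hash miss on a
    matching name still needs a look); None otherwise."""
    if digest in HASH_TO_NAME:
        return "hash"
    if ntpath.basename(path).lower() in IOC_NAMES:  # ntpath: backslash paths on any OS
        return "name"
    return None


def sha256_of(stream, chunk=1 << 20):
    """Stream a file-like object through SHA256 so large binaries are not read whole."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def scan_files(files):
    """files: {path: bytes}. Returns [(path, sha256, verdict)] for every hit."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        verdict = classify(path, digest)
        if verdict:
            hits.append((path, digest, verdict))
    return hits


def scan_directory(root):
    """Hash every file under root (e.g. a mounted SysWOW64) and classify it."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                with open(p, "rb") as f:
                    digest = sha256_of(f)
            except OSError:
                continue
            verdict = classify(p, digest)
            if verdict:
                hits.append((p, digest, verdict))
    return hits


def stage_summary():
    """(distinct names, distinct hashes) among the 320KB stages: 8 names but 9
    hashes, i.e. same size, all different content, one path written twice."""
    stages = [(n, h) for n, size, h in IOCS if size == "320KB"]
    return len({n for n, _ in stages}), len({h for _, h in stages})


if __name__ == "__main__":
    import sys
    print("320KB stages: %d names, %d distinct SHA256" % stage_summary())
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s  %s  %s" % hit)
```

Treat a name-only hit in SysWOW64 as a lead to pull the file for analysis rather than as a clean result, and treat the hash list as evidence of a past run, not as coverage for future ones.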