Malware Analysis Report

2025-01-18 15:42

Sample ID 240614-ddyzlawfpn
Target 9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe
SHA256 76c02d0a5e08939cade39d4b6d5e1738870a9faae0a472dd474ee343c1a8b108
Tags
persistence
score
10/10

Analysis Overview

score
10/10

SHA256

76c02d0a5e08939cade39d4b6d5e1738870a9faae0a472dd474ee343c1a8b108

Threat Level: Known bad

The file 9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

persistence

Adds autorun key to be loaded by Explorer.exe on startup

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:54

Reported

2024-06-14 02:56

Platform

win7-20240611-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Migbnb32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Niebhf32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndemjoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndemjoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mponel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mencccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mencccop.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mlhkpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nibebfpl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ndhipoob.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mponel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mgalqkbk.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nibebfpl.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Linphc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Linphc32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Migbnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mlhkpm32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Niebhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Lbiqfied.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ndhipoob.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Nodgel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Nodgel32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Lbiqfied.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Mffimglk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mffimglk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Mgalqkbk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\Linphc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Linphc32.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbiqfied.exe N/A
N/A N/A C:\Windows\SysWOW64\Lbiqfied.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffimglk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mffimglk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mponel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mponel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Migbnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Migbnb32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mencccop.exe N/A
N/A N/A C:\Windows\SysWOW64\Mencccop.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlhkpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mlhkpm32.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalqkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Mgalqkbk.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndemjoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndemjoae.exe N/A
N/A N/A C:\Windows\SysWOW64\Nibebfpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Nibebfpl.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndhipoob.exe N/A
N/A N/A C:\Windows\SysWOW64\Ndhipoob.exe N/A
N/A N/A C:\Windows\SysWOW64\Niebhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Niebhf32.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
N/A N/A C:\Windows\SysWOW64\Nodgel32.exe N/A
N/A N/A C:\Windows\SysWOW64\Nodgel32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Mlhkpm32.exe C:\Windows\SysWOW64\Mencccop.exe N/A
File created C:\Windows\SysWOW64\Mgalqkbk.exe C:\Windows\SysWOW64\Mlhkpm32.exe N/A
File created C:\Windows\SysWOW64\Nibebfpl.exe C:\Windows\SysWOW64\Ndemjoae.exe N/A
File created C:\Windows\SysWOW64\Kgdjgo32.dll C:\Windows\SysWOW64\Niebhf32.exe N/A
File created C:\Windows\SysWOW64\Mffimglk.exe C:\Windows\SysWOW64\Lbiqfied.exe N/A
File created C:\Windows\SysWOW64\Effqclic.dll C:\Windows\SysWOW64\Mffimglk.exe N/A
File created C:\Windows\SysWOW64\Cpbplnnk.dll C:\Windows\SysWOW64\Mponel32.exe N/A
File created C:\Windows\SysWOW64\Egnhob32.dll C:\Windows\SysWOW64\Nibebfpl.exe N/A
File created C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
File opened for modification C:\Windows\SysWOW64\Mponel32.exe C:\Windows\SysWOW64\Mffimglk.exe N/A
File created C:\Windows\SysWOW64\Migbnb32.exe C:\Windows\SysWOW64\Mponel32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mencccop.exe C:\Windows\SysWOW64\Migbnb32.exe N/A
File created C:\Windows\SysWOW64\Ncmfqkdj.exe C:\Windows\SysWOW64\Niebhf32.exe N/A
File created C:\Windows\SysWOW64\Lamajm32.dll C:\Windows\SysWOW64\Nodgel32.exe N/A
File created C:\Windows\SysWOW64\Negpnjgm.dll C:\Windows\SysWOW64\Lbiqfied.exe N/A
File created C:\Windows\SysWOW64\Hendhe32.dll C:\Windows\SysWOW64\Migbnb32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mgalqkbk.exe C:\Windows\SysWOW64\Mlhkpm32.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Mgalqkbk.exe N/A
File created C:\Windows\SysWOW64\Fcihoc32.dll C:\Windows\SysWOW64\Ndhipoob.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncmfqkdj.exe C:\Windows\SysWOW64\Niebhf32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlhgoqhh.exe C:\Windows\SysWOW64\Nodgel32.exe N/A
File created C:\Windows\SysWOW64\Lbiqfied.exe C:\Windows\SysWOW64\Linphc32.exe N/A
File created C:\Windows\SysWOW64\Mlhkpm32.exe C:\Windows\SysWOW64\Mencccop.exe N/A
File created C:\Windows\SysWOW64\Gbdalp32.dll C:\Windows\SysWOW64\Ndemjoae.exe N/A
File created C:\Windows\SysWOW64\Ndhipoob.exe C:\Windows\SysWOW64\Nibebfpl.exe N/A
File created C:\Windows\SysWOW64\Niebhf32.exe C:\Windows\SysWOW64\Ndhipoob.exe N/A
File opened for modification C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
File created C:\Windows\SysWOW64\Nlhgoqhh.exe C:\Windows\SysWOW64\Nodgel32.exe N/A
File opened for modification C:\Windows\SysWOW64\Nibebfpl.exe C:\Windows\SysWOW64\Ndemjoae.exe N/A
File opened for modification C:\Windows\SysWOW64\Linphc32.exe C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Aaebnq32.dll C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Lbiqfied.exe C:\Windows\SysWOW64\Linphc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Migbnb32.exe C:\Windows\SysWOW64\Mponel32.exe N/A
File created C:\Windows\SysWOW64\Mgecadnb.dll C:\Windows\SysWOW64\Mencccop.exe N/A
File created C:\Windows\SysWOW64\Dhffckeo.dll C:\Windows\SysWOW64\Mlhkpm32.exe N/A
File created C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Mgalqkbk.exe N/A
File opened for modification C:\Windows\SysWOW64\Ndhipoob.exe C:\Windows\SysWOW64\Nibebfpl.exe N/A
File opened for modification C:\Windows\SysWOW64\Niebhf32.exe C:\Windows\SysWOW64\Ndhipoob.exe N/A
File created C:\Windows\SysWOW64\Linphc32.exe C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Poceplpj.dll C:\Windows\SysWOW64\Linphc32.exe N/A
File opened for modification C:\Windows\SysWOW64\Mffimglk.exe C:\Windows\SysWOW64\Lbiqfied.exe N/A
File created C:\Windows\SysWOW64\Mponel32.exe C:\Windows\SysWOW64\Mffimglk.exe N/A
File created C:\Windows\SysWOW64\Mencccop.exe C:\Windows\SysWOW64\Migbnb32.exe N/A
File created C:\Windows\SysWOW64\Noomnjpj.dll C:\Windows\SysWOW64\Mgalqkbk.exe N/A
File created C:\Windows\SysWOW64\Cnjgia32.dll C:\Windows\SysWOW64\Ncmfqkdj.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaebnq32.dll" C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Lbiqfied.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll" C:\Windows\SysWOW64\Mencccop.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mgalqkbk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nodgel32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mencccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mencccop.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll" C:\Windows\SysWOW64\Mgalqkbk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nodgel32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Linphc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hendhe32.dll" C:\Windows\SysWOW64\Migbnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll" C:\Windows\SysWOW64\Mlhkpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mgalqkbk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Niebhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll" C:\Windows\SysWOW64\Lbiqfied.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mffimglk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mponel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Migbnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndemjoae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll" C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Linphc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll" C:\Windows\SysWOW64\Linphc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll" C:\Windows\SysWOW64\Mponel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Mlhkpm32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll" C:\Windows\SysWOW64\Niebhf32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncmfqkdj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" C:\Windows\SysWOW64\Nodgel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Lbiqfied.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mponel32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll" C:\Windows\SysWOW64\Nibebfpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ndhipoob.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Niebhf32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Migbnb32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll" C:\Windows\SysWOW64\Ndemjoae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Nibebfpl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Nibebfpl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndhipoob.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll" C:\Windows\SysWOW64\Ndhipoob.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mffimglk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll" C:\Windows\SysWOW64\Mffimglk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Mlhkpm32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ndemjoae.exe N/A
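The two tables above are one mechanism split across two registry locations. A ShellServiceObjectDelayLoad (SSODL) value names a CLSID; Explorer instantiates every CLSID listed there when the shell starts, which means loading the DLL registered as that CLSID's InProcServer32. Here every dropped stage writes the same value name ("Web Event Logger") and the same CLSID, but re-points InProcServer32 at its own dropped DLL, so the DLL Explorer will actually load is whichever stage wrote last. The script below is an added example, not code from the sandbox or the report: it joins the two event types from a constructed subset of the report's own rows (in report order) and prints what survives. The row layout (Description, Indicator, Process, Target separated by single spaces) and the stock Windows 7 baseline entry are assumptions.

```python
"""Resolve ShellServiceObjectDelayLoad (SSODL) persistence from the report's
registry events: value name -> CLSID -> InProcServer32 DLL.

Added example; not code from the sandbox or the report. The row layout and
the baseline below are assumptions.
"""
import re
from collections import OrderedDict

# Assumed baseline: the SSODL entry a stock Windows 7 install carries.
KNOWN_GOOD_SSODL = {"WebCheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
SSODL_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S*ShellServiceObjectDelayLoad)\\'
    r'(?P<name>.+?) = "(?P<clsid>' + CLSID + r')" (?P<proc>\S+) (?P<target>\S+)$'
)
INPROC_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S*\\CLSID\\(?P<clsid>' + CLSID
    + r')\\InProcServer32)\\(?P<name>\S*) = "(?P<value>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$'
)

# Constructed sample: a subset of the report's rows, in the order listed there.
SAMPLE_EVENTS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaebnq32.dll" C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll" C:\Windows\SysWOW64\Linphc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Linphc32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll" C:\Windows\SysWOW64\Nodgel32.exe N/A
"""


def parse_events(text):
    """Yield ("ssodl", fields) and ("inproc", fields) for rows we understand.
    'Key created' rows and ThreadingModel writes are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if m := SSODL_RE.match(line):
            yield "ssodl", m.groupdict()
        elif (m := INPROC_RE.match(line)) and m["name"] == "":
            f = m.groupdict()
            f["value"] = f["value"].replace("\\\\", "\\")  # undo the report's escaping
            yield "inproc", f


def resolve_ssodl(text):
    """Return {value name: {clsid, writers, servers, loaded_dll, known_good}}.

    Every InProcServer32 write is kept so the analyst sees each dropped stage
    re-pointing the one CLSID; on the host only the final value survives, so
    loaded_dll is the last writer's DLL.
    """
    servers = {}        # clsid -> [(dll, writing process), ...] in report order
    entries = OrderedDict()
    for kind, f in parse_events(text):
        if kind == "inproc":
            servers.setdefault(f["clsid"], []).append((f["value"], f["proc"]))
        else:
            e = entries.setdefault(f["name"], {"clsid": f["clsid"], "writers": []})
            e["writers"].append(f["proc"])
    for name, e in entries.items():
        e["servers"] = servers.get(e["clsid"], [])
        e["loaded_dll"] = e["servers"][-1][0] if e["servers"] else None
        e["known_good"] = KNOWN_GOOD_SSODL.get(name) == e["clsid"]
    return entries


if __name__ == "__main__":
    for name, e in resolve_ssodl(SAMPLE_EVENTS).items():
        flag = "baseline" if e["known_good"] else "NOT IN BASELINE"
        print(f"{name} -> {e['clsid']} [{flag}]")
        for dll, proc in e["servers"]:
            print(f"    InProcServer32 = {dll}  (written by {proc.rsplit(chr(92), 1)[-1]})")
        print(f"    Explorer will load: {e['loaded_dll']}")
```

On a live host the same join is done against HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and HKCR\Wow6432Node\CLSID\{clsid}\InProcServer32; the value names in this sample are not ones Windows ships, and the DLLs they point at are the unsigned files listed under "Drops file in System32 directory".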

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2388 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2388 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2388 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2928 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Linphc32.exe C:\Windows\SysWOW64\Lbiqfied.exe
PID 2928 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Linphc32.exe C:\Windows\SysWOW64\Lbiqfied.exe
PID 2928 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Linphc32.exe C:\Windows\SysWOW64\Lbiqfied.exe
PID 2928 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Linphc32.exe C:\Windows\SysWOW64\Lbiqfied.exe
PID 2944 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Lbiqfied.exe C:\Windows\SysWOW64\Mffimglk.exe
PID 2944 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Lbiqfied.exe C:\Windows\SysWOW64\Mffimglk.exe
PID 2944 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Lbiqfied.exe C:\Windows\SysWOW64\Mffimglk.exe
PID 2944 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Lbiqfied.exe C:\Windows\SysWOW64\Mffimglk.exe
PID 2604 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Mffimglk.exe C:\Windows\SysWOW64\Mponel32.exe
PID 2604 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Mffimglk.exe C:\Windows\SysWOW64\Mponel32.exe
PID 2604 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Mffimglk.exe C:\Windows\SysWOW64\Mponel32.exe
PID 2604 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Mffimglk.exe C:\Windows\SysWOW64\Mponel32.exe
PID 2704 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Mponel32.exe C:\Windows\SysWOW64\Migbnb32.exe
PID 2704 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Mponel32.exe C:\Windows\SysWOW64\Migbnb32.exe
PID 2704 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Mponel32.exe C:\Windows\SysWOW64\Migbnb32.exe
PID 2704 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Mponel32.exe C:\Windows\SysWOW64\Migbnb32.exe
PID 2676 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Migbnb32.exe C:\Windows\SysWOW64\Mencccop.exe
PID 2676 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Migbnb32.exe C:\Windows\SysWOW64\Mencccop.exe
PID 2676 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Migbnb32.exe C:\Windows\SysWOW64\Mencccop.exe
PID 2676 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Migbnb32.exe C:\Windows\SysWOW64\Mencccop.exe
PID 2580 wrote to memory of 588 N/A C:\Windows\SysWOW64\Mencccop.exe C:\Windows\SysWOW64\Mlhkpm32.exe
PID 2580 wrote to memory of 588 N/A C:\Windows\SysWOW64\Mencccop.exe C:\Windows\SysWOW64\Mlhkpm32.exe
PID 2580 wrote to memory of 588 N/A C:\Windows\SysWOW64\Mencccop.exe C:\Windows\SysWOW64\Mlhkpm32.exe
PID 2580 wrote to memory of 588 N/A C:\Windows\SysWOW64\Mencccop.exe C:\Windows\SysWOW64\Mlhkpm32.exe
PID 588 wrote to memory of 560 N/A C:\Windows\SysWOW64\Mlhkpm32.exe C:\Windows\SysWOW64\Mgalqkbk.exe
PID 588 wrote to memory of 560 N/A C:\Windows\SysWOW64\Mlhkpm32.exe C:\Windows\SysWOW64\Mgalqkbk.exe
PID 588 wrote to memory of 560 N/A C:\Windows\SysWOW64\Mlhkpm32.exe C:\Windows\SysWOW64\Mgalqkbk.exe
PID 588 wrote to memory of 560 N/A C:\Windows\SysWOW64\Mlhkpm32.exe C:\Windows\SysWOW64\Mgalqkbk.exe
PID 560 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Mgalqkbk.exe C:\Windows\SysWOW64\Ndemjoae.exe
PID 560 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Mgalqkbk.exe C:\Windows\SysWOW64\Ndemjoae.exe
PID 560 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Mgalqkbk.exe C:\Windows\SysWOW64\Ndemjoae.exe
PID 560 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Mgalqkbk.exe C:\Windows\SysWOW64\Ndemjoae.exe
PID 2876 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Nibebfpl.exe
PID 2876 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Nibebfpl.exe
PID 2876 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Nibebfpl.exe
PID 2876 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Nibebfpl.exe
PID 2144 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Nibebfpl.exe C:\Windows\SysWOW64\Ndhipoob.exe
PID 2144 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Nibebfpl.exe C:\Windows\SysWOW64\Ndhipoob.exe
PID 2144 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Nibebfpl.exe C:\Windows\SysWOW64\Ndhipoob.exe
PID 2144 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Nibebfpl.exe C:\Windows\SysWOW64\Ndhipoob.exe
PID 2772 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Ndhipoob.exe C:\Windows\SysWOW64\Niebhf32.exe
PID 2772 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Ndhipoob.exe C:\Windows\SysWOW64\Niebhf32.exe
PID 2772 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Ndhipoob.exe C:\Windows\SysWOW64\Niebhf32.exe
PID 2772 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Ndhipoob.exe C:\Windows\SysWOW64\Niebhf32.exe
PID 1648 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Niebhf32.exe C:\Windows\SysWOW64\Ncmfqkdj.exe
PID 1648 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Niebhf32.exe C:\Windows\SysWOW64\Ncmfqkdj.exe
PID 1648 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Niebhf32.exe C:\Windows\SysWOW64\Ncmfqkdj.exe
PID 1648 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Niebhf32.exe C:\Windows\SysWOW64\Ncmfqkdj.exe
PID 2760 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Ncmfqkdj.exe C:\Windows\SysWOW64\Nodgel32.exe
PID 2760 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Ncmfqkdj.exe C:\Windows\SysWOW64\Nodgel32.exe
PID 2760 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Ncmfqkdj.exe C:\Windows\SysWOW64\Nodgel32.exe
PID 2760 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Ncmfqkdj.exe C:\Windows\SysWOW64\Nodgel32.exe
PID 1540 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Nlhgoqhh.exe
PID 1540 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Nlhgoqhh.exe
PID 1540 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Nlhgoqhh.exe
PID 1540 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Nlhgoqhh.exe
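The table above lists each parent/child pair four times, one row per write event. Reconstructing the chain from it by hand is error-prone at sixteen stages, so the script below, an added example rather than code from the sandbox or the report, parses a constructed subset of the rows (the first pair with all four of its rows, then one row for each later pair), counts the write events per pair, and walks from the root PID down, refusing to call the result a chain unless it really is linear. The row layout is an assumption read off the report.

```python
"""Rebuild the parent -> child process chain behind the report's "Suspicious
use of WriteProcessMemory" rows and count the write events per pair.

Added example; not code from the sandbox or the report. The row layout is an
assumption read off the report:
    PID <parent pid> wrote to memory of <child pid> N/A <parent image> <child image>
"""
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A (?P<parent>\S+) (?P<child>\S+)$"
)

# Constructed sample: the report's first pair with its four repeated rows,
# then one row for each later pair (the report lists every pair four times).
SAMPLE_ROWS = r"""
PID 2388 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2388 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2388 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2388 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe C:\Windows\SysWOW64\Linphc32.exe
PID 2928 wrote to memory of 2944 N/A C:\Windows\SysWOW64\Linphc32.exe C:\Windows\SysWOW64\Lbiqfied.exe
PID 2944 wrote to memory of 2604 N/A C:\Windows\SysWOW64\Lbiqfied.exe C:\Windows\SysWOW64\Mffimglk.exe
PID 2604 wrote to memory of 2704 N/A C:\Windows\SysWOW64\Mffimglk.exe C:\Windows\SysWOW64\Mponel32.exe
PID 2704 wrote to memory of 2676 N/A C:\Windows\SysWOW64\Mponel32.exe C:\Windows\SysWOW64\Migbnb32.exe
PID 2676 wrote to memory of 2580 N/A C:\Windows\SysWOW64\Migbnb32.exe C:\Windows\SysWOW64\Mencccop.exe
PID 2580 wrote to memory of 588 N/A C:\Windows\SysWOW64\Mencccop.exe C:\Windows\SysWOW64\Mlhkpm32.exe
PID 588 wrote to memory of 560 N/A C:\Windows\SysWOW64\Mlhkpm32.exe C:\Windows\SysWOW64\Mgalqkbk.exe
PID 560 wrote to memory of 2876 N/A C:\Windows\SysWOW64\Mgalqkbk.exe C:\Windows\SysWOW64\Ndemjoae.exe
PID 2876 wrote to memory of 2144 N/A C:\Windows\SysWOW64\Ndemjoae.exe C:\Windows\SysWOW64\Nibebfpl.exe
PID 2144 wrote to memory of 2772 N/A C:\Windows\SysWOW64\Nibebfpl.exe C:\Windows\SysWOW64\Ndhipoob.exe
PID 2772 wrote to memory of 1648 N/A C:\Windows\SysWOW64\Ndhipoob.exe C:\Windows\SysWOW64\Niebhf32.exe
PID 1648 wrote to memory of 2760 N/A C:\Windows\SysWOW64\Niebhf32.exe C:\Windows\SysWOW64\Ncmfqkdj.exe
PID 2760 wrote to memory of 1540 N/A C:\Windows\SysWOW64\Ncmfqkdj.exe C:\Windows\SysWOW64\Nodgel32.exe
PID 1540 wrote to memory of 1276 N/A C:\Windows\SysWOW64\Nodgel32.exe C:\Windows\SysWOW64\Nlhgoqhh.exe
"""


def parse_rows(text):
    """Return ({(ppid, pid): write count}, {pid: image path})."""
    writes, image = Counter(), {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        ppid, pid = int(m["ppid"]), int(m["pid"])
        writes[(ppid, pid)] += 1
        image.setdefault(ppid, m["parent"])
        image.setdefault(pid, m["child"])
    return writes, image


def build_chain(text):
    """Return ([(pid, image), ...] from the root down, write counts).

    Raises ValueError if the rows do not form one linear chain, which is the
    check to make before describing the behaviour as 'each stage spawns the
    next'.
    """
    writes, image = parse_rows(text)
    children = defaultdict(list)
    for ppid, pid in writes:
        children[ppid].append(pid)
    has_parent = {pid for _, pid in writes}
    roots = [p for p in children if p not in has_parent]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain, pid = [], roots[0]
    while True:
        chain.append((pid, image[pid]))
        kids = children.get(pid, [])
        if not kids:
            return chain, writes
        if len(kids) != 1:
            raise ValueError(f"PID {pid} wrote to {len(kids)} children; not a linear chain")
        pid = kids[0]


def stage_names(chain):
    """Image basenames in spawn order, for a one-line summary."""
    return [img.rsplit("\\", 1)[-1] for _, img in chain]


if __name__ == "__main__":
    chain, writes = build_chain(SAMPLE_ROWS)
    print(" -> ".join(stage_names(chain)))
    for (ppid, pid), n in writes.items():
        print(f"{ppid} -> {pid}: {n} WriteProcessMemory event(s)")
```

The chain is keyed on the image path reported by the sandbox, not on the command line. The Processes section below shows why: each stage appears once under C:\Windows\SysWOW64 (the image) and once under C:\Windows\system32 (its command line). Those are the same file, seen through WOW64 file-system redirection by a 32-bit process on the 64-bit Windows 7 image, not two binaries.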

Processes

C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Linphc32.exe

C:\Windows\system32\Linphc32.exe

C:\Windows\SysWOW64\Lbiqfied.exe

C:\Windows\system32\Lbiqfied.exe

C:\Windows\SysWOW64\Mffimglk.exe

C:\Windows\system32\Mffimglk.exe

C:\Windows\SysWOW64\Mponel32.exe

C:\Windows\system32\Mponel32.exe

C:\Windows\SysWOW64\Migbnb32.exe

C:\Windows\system32\Migbnb32.exe

C:\Windows\SysWOW64\Mencccop.exe

C:\Windows\system32\Mencccop.exe

C:\Windows\SysWOW64\Mlhkpm32.exe

C:\Windows\system32\Mlhkpm32.exe

C:\Windows\SysWOW64\Mgalqkbk.exe

C:\Windows\system32\Mgalqkbk.exe

C:\Windows\SysWOW64\Ndemjoae.exe

C:\Windows\system32\Ndemjoae.exe

C:\Windows\SysWOW64\Nibebfpl.exe

C:\Windows\system32\Nibebfpl.exe

C:\Windows\SysWOW64\Ndhipoob.exe

C:\Windows\system32\Ndhipoob.exe

C:\Windows\SysWOW64\Niebhf32.exe

C:\Windows\system32\Niebhf32.exe

C:\Windows\SysWOW64\Ncmfqkdj.exe

C:\Windows\system32\Ncmfqkdj.exe

C:\Windows\SysWOW64\Nodgel32.exe

C:\Windows\system32\Nodgel32.exe

C:\Windows\SysWOW64\Nlhgoqhh.exe

C:\Windows\system32\Nlhgoqhh.exe

Network

N/A

Files

memory/2388-0-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Linphc32.exe

MD5 a6df82231f6a77370bbd06d61828d646
SHA1 39fdad20ae60d297684005621da8dbbfcaf4a089
SHA256 86548e54b8107193c14b6a6ffff6ac922f317b289a1792ed885aede800f5f795
SHA512 171f1ebad41ea45e36c1d21bd05007a667872a9fb0d6f4e9c34ea25d043e4f3ca0336eb3acb88480df865e9038511147fe49012daf0d6ccf11cd34708a94bf78

memory/2388-6-0x00000000003A0000-0x00000000003E0000-memory.dmp

\Windows\SysWOW64\Lbiqfied.exe

MD5 5ea341ba43225721aa9f7388d126fa8d
SHA1 b7eb5af58db18c50ac8ceb57eab96bb10ba00d95
SHA256 775208bd3624f14f1725f9bc0c51bec902611fef82196e00ae76410df63d669e
SHA512 45bc9876006552155699aa413ef064c439fe824acc486cae19bec15cb01f353622b0b6bceca26afbd9e6acb69754087ae4e2c2ffe811f2e46bb65862b101bca1

memory/2944-26-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2928-25-0x0000000000220000-0x0000000000260000-memory.dmp

\Windows\SysWOW64\Mffimglk.exe

MD5 16b676fde7139e6ff097069ce50aeecb
SHA1 fda4bcda75cc9c81e984eef19e5dcc43b3ef65d8
SHA256 4e6050630e785651fe8861c309123056fa34d510af153025a6278d98127377d0
SHA512 9f286490462f33bdac88ae00d7a76725a682b7b1b1857ceb6ad8e29d6ce2aace15572ba344e463d4a5a6e9d9e4b2256541388c0dbe89b336a907dc2ee35d14b0

memory/2944-34-0x0000000000220000-0x0000000000260000-memory.dmp

\Windows\SysWOW64\Mponel32.exe

MD5 f50fd012078497498ced390cee7980e0
SHA1 d70f2ce50d02e54a385511117d4e2ecb8915ef7d
SHA256 6d6e54ce8ea60270c364d0fa34c3d76b4af7b89be80c51629ea3e0caf85d82c0
SHA512 a74be1d46a769733a301dab034418e01b6b5f3541457adad5ed4d69b3354c5da1041c75aae9a12241d55f10eed1cd0b8de36bdc27450a297f2fe715e62aef68d

memory/2704-52-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Migbnb32.exe

MD5 6039a8a1366424491d64c467c03fe5e2
SHA1 352eac16d45a1d080d2a4dd19cd63e87ad90cd88
SHA256 aa66b36469635ce1eca9e0257206022d64c69ccb6a5e7a685575312f6a5da470
SHA512 6f0bf577e075b7b39b03804d09be2d4f9d53700bf5f894a8c3aeb5749deabfdf11053025941b9a1878b572533d2b7f2e42f76b77942192fc659f9ff7d5bc7c4c

memory/2704-59-0x0000000000220000-0x0000000000260000-memory.dmp

\Windows\SysWOW64\Mencccop.exe

MD5 2c86c3e7ec482cde42a735988d2e2f26
SHA1 bdfb789225d2c76a805eac9a01bde5f21c839948
SHA256 aaa03dd34272c42b592c46355f78c7aa5dd8dfafca18b275152f7853fb49419e
SHA512 e50fd23bf712d120b355fe972dadb2a5de2cc9eb44820bde31e4aa7677dbfb9f45a1af3c568d2537602bd0553b8b5bf1d2aa374ca3fd1e57a780dc921731a1c9

memory/2580-79-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Mlhkpm32.exe

MD5 dff62de9589f8d81f0295150f1710f3d
SHA1 fc28c0231ce254bc3b821a401feec2e2ca2679cc
SHA256 e7b698b85a9bb28dc99e133b30b196438ea17cf8ee72270a50afa56242177feb
SHA512 228830a2690881d1f1c0a06b198577f0730af9509bcdfeefa17495a5cd7b25cac7870a248e23f9141692a8d64664de086809cd5ccc36b490ac8b83df63618818

memory/588-94-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2580-93-0x0000000000220000-0x0000000000260000-memory.dmp

\Windows\SysWOW64\Mgalqkbk.exe

MD5 4ba2afb339ad893d7cb4f5fa2bc27edd
SHA1 49d6714bc154590678ca202f49cda9a5461ffa6d
SHA256 ccb3f6afd4c514972109c9d1dc93b7f53803bbce3b97cbbffef2dd1203ae0fc6
SHA512 63a8136989791b120a45a4b03a08d175faaa97bb09a28efa74e6119e01ae83bafe45d72d4d1518fac076aebb3b2583f7b64efa89f279b641ee19d5f8b033f406

memory/560-107-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2580-91-0x0000000000220000-0x0000000000260000-memory.dmp

\Windows\SysWOW64\Ndemjoae.exe

MD5 235a4dd013280306b9bb26699bb9a600
SHA1 b3b7b65919ec382f34b2ced9a9cc7c29b4e8700e
SHA256 ede31cdf5112efa5947c8cfa25474e680ddf0dd603a16766a64e76afa88f7f9c
SHA512 d064f496a51f969b87b9eb9268fa17903bb2fc02b1d18f079bf68e0d5074b0582bc728e7b0839b90ec700c6b241ae37aacd3382f35104648acd85b402faf84e2

\Windows\SysWOW64\Nibebfpl.exe

MD5 b0f750aca25fd49d08dc9509cab9a2d9
SHA1 4e178658b010b30c36ee35a4d2ba8951bc37b6ea
SHA256 d9e4aa2af163b80fb256f1c017b2171d8b695d5dc59c12c00efdb76125f254fb
SHA512 0d01237beedff0d57c28913b83e6410dc98e329c1ac12a75d71de2111a0c889ee6205d3d12474a30ada3bd4abf43c3e48583d274a4a9c18c0694dd8f509e95f9

memory/2144-134-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Ndhipoob.exe

MD5 d37e18cafe62ebe8e475cbf2ee769f71
SHA1 bf8827c2bb8cf2fe0c494069cf9e7a7ddc8b2a91
SHA256 31827b4e6a1bd4b785d4064ad057e7d9780cde82f5020d5149b372939a657c05
SHA512 3c3dbd29a95563f91602dfc7aebf4f7d5885bac29bf7e1d00eb1d405dbfde547adfc9c433dfa4b6ac4fb04416421479a5f456e6bd4b5d66a96c2fb13d1c55657

memory/2772-151-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Niebhf32.exe

MD5 eafac1dfc599a3419db118beb65572c7
SHA1 ca1c435b5c0b4017732a9ac25a57345572039361
SHA256 fc971a7475c1620116dfc7e0c992005ea27c7a702a445c2386804d0163228fd8
SHA512 25c6e581e5d34ddaa5fe92024cab5cd3a76eb10eda542b6355b24b4b00be0f892150f8497970024e2c27215a8132620131187a207ccdffbc07914b1bddf5712e

memory/1648-159-0x0000000000400000-0x0000000000440000-memory.dmp

\Windows\SysWOW64\Ncmfqkdj.exe

MD5 2e443613d3b6a6b0996fa86e214815b5
SHA1 48936dab1c360281f059ecc9423557cb08c5d164
SHA256 fa3bdb09b50325e2f3d83024915ab7fcc69cccf0ab2cc2a9df26ae9e6bcadb2a
SHA512 7424de1026aae15b8721f72382821f329a131bb52b01eac50963500fb45a517cf0bb38d3debaa0ac396b62012bdb5bd9a9e0abb6391ff81eff8b4241f6a3d2aa

memory/2760-177-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nodgel32.exe

MD5 b71622cf017c997c636b770d29ca9581
SHA1 be53a8fdb75cf8bce7634e04ef87823d3ad37b4a
SHA256 d8b2232595953feb6005438eec93d0d9946ed0234f0ca12f66970c67cdd87fac
SHA512 21d36b6c008d602867d19541806f50eb66378c5e976aadedeb18db5c4187c5d0d3ca9b4faea3257f525c9368aa7579a6bb9efa284eb55d56c5de8eb848492119

memory/1540-198-0x00000000002D0000-0x0000000000310000-memory.dmp

memory/2388-213-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2928-214-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2944-212-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2676-211-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2604-210-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2704-209-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2580-208-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2876-207-0x0000000000400000-0x0000000000440000-memory.dmp

memory/588-206-0x0000000000400000-0x0000000000440000-memory.dmp

memory/560-205-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2144-204-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1276-203-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1648-202-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2760-201-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1540-200-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nlhgoqhh.exe

MD5 0fba1726513d3df25ded54b3a2d6530b
SHA1 a3b468f1aa4f54c2ebb7676f1d419e1d8baffb15
SHA256 7882cd3905bd4354e8e0ca1de615787d48f086fd470cd9066f2881761c5da725
SHA512 c99b6d1ee07b98d69d20d7ffde86bc4ca0796966b814106c6f9cd3bd92b3ee586aa9cc24080fc69cd70cf616944d4b7c411e74f0a43bf26c8441fff946969486

memory/1540-186-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1648-171-0x0000000000220000-0x0000000000260000-memory.dmp

memory/2876-120-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2676-78-0x0000000000440000-0x0000000000480000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:54

Reported

2024-06-14 02:56

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\SysWOW64\Ncldnkae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" C:\Windows\SysWOW64\Ncldnkae.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Ncldnkae.exe N/A
N/A N/A C:\Windows\SysWOW64\Nkcmohbg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ncldnkae.exe C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Ncldnkae.exe C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Dlddhggk.dll C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ncldnkae.exe N/A
File opened for modification C:\Windows\SysWOW64\Nkcmohbg.exe C:\Windows\SysWOW64\Ncldnkae.exe N/A
File created C:\Windows\SysWOW64\Hnibdpde.dll C:\Windows\SysWOW64\Ncldnkae.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\Nkcmohbg.exe

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Ncldnkae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll" C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 C:\Windows\SysWOW64\Ncldnkae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" C:\Windows\SysWOW64\Ncldnkae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9ce0c5f545dfc9693e51c4a400494120_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Ncldnkae.exe

C:\Windows\system32\Ncldnkae.exe

C:\Windows\SysWOW64\Nkcmohbg.exe

C:\Windows\system32\Nkcmohbg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3828 -ip 3828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 400

Network

Country Destination Domain Proto
US 52.111.229.43:443 tcp

Files

memory/4440-0-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4440-1-0x0000000000431000-0x0000000000432000-memory.dmp

C:\Windows\SysWOW64\Ncldnkae.exe

MD5 92f89e5fb7dba0fdf02ad073083149ab
SHA1 ceb7415c5b73a50cd176c1c0518cd40e66e1f626
SHA256 20b534211065e88dce3c3fa1f67901fbf4d5edb3dfbe9704c332210b6cdd55b6
SHA512 b495342d314ee0bdeaafa1780d5f9535d8b57e22c60ba1702cf0747a57e51f96bc14444d59c7db21f7cab0a289a84df166eac7b0ec9023bf0d33523dae5127ed

memory/1628-8-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3828-16-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\SysWOW64\Nkcmohbg.exe

MD5 71b0e2c5261ca307a5dd738d61320184
SHA1 be2ba158213f068a8a5a7422bf9c1fa10e890fb3
SHA256 93541cf41d4be04c98167398f079ec8e4be310d5f88ad6816dfbe156c8d82cde
SHA512 14e4eda4952e3c30d89fbd9cf1f82f0b0a3dba1b40874e33b44d731a7d9d6de350ef342e92d0371b041e380afeb748dafa4a665045494cc874061289920d1294

memory/3828-18-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1628-19-0x0000000000400000-0x0000000000440000-memory.dmp

memory/4440-20-0x0000000000400000-0x0000000000440000-memory.dmp