53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
Size

1.9MB
MD5

4f54d2ea044f709a1f22c1ca3ac0d9e0
SHA1

8d64158bbbe3270b79eacde30a28eb372ebba955
SHA256

53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f
SHA512

f1b3835332b9774fa7aebe4ffcc5e9cec7d72022eb8c0c66110dc6b939a5fdc3e16f2ace5bf2513db8baebe33a2e3849f62eb9409df3c4f55e46b34f0cbaf687
SSDEEP

24576:RwNIVyeNIVy2jUKaNIVyeNIVy2jUtc9uO2NIVyeNIVy2jUKaNIVyeNIVy2jUO:Ryj1yj3uOpyj1yjH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe

Executes dropped EXE 13 IoCs

pid	Process
4764	Kkpnlm32.exe
1668	Kmnjhioc.exe
3196	Kdhbec32.exe
2724	Lgpagm32.exe
4868	Mciobn32.exe
1644	Mnocof32.exe
4500	Mkepnjng.exe
4948	Maaepd32.exe
3188	Nqfbaq32.exe
5100	Ncgkcl32.exe
4392	Nnolfdcn.exe
3912	Ndidbn32.exe
2404	Nkcmohbg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
464	2404	WerFault.exe	94

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 4764	4684	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe	82
PID 4684 wrote to memory of 4764	4684	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe	82
PID 4684 wrote to memory of 4764	4684	53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe	82
PID 4764 wrote to memory of 1668	4764	Kkpnlm32.exe	83
PID 4764 wrote to memory of 1668	4764	Kkpnlm32.exe	83
PID 4764 wrote to memory of 1668	4764	Kkpnlm32.exe	83
PID 1668 wrote to memory of 3196	1668	Kmnjhioc.exe	84
PID 1668 wrote to memory of 3196	1668	Kmnjhioc.exe	84
PID 1668 wrote to memory of 3196	1668	Kmnjhioc.exe	84
PID 3196 wrote to memory of 2724	3196	Kdhbec32.exe	85
PID 3196 wrote to memory of 2724	3196	Kdhbec32.exe	85
PID 3196 wrote to memory of 2724	3196	Kdhbec32.exe	85
PID 2724 wrote to memory of 4868	2724	Lgpagm32.exe	86
PID 2724 wrote to memory of 4868	2724	Lgpagm32.exe	86
PID 2724 wrote to memory of 4868	2724	Lgpagm32.exe	86
PID 4868 wrote to memory of 1644	4868	Mciobn32.exe	87
PID 4868 wrote to memory of 1644	4868	Mciobn32.exe	87
PID 4868 wrote to memory of 1644	4868	Mciobn32.exe	87
PID 1644 wrote to memory of 4500	1644	Mnocof32.exe	88
PID 1644 wrote to memory of 4500	1644	Mnocof32.exe	88
PID 1644 wrote to memory of 4500	1644	Mnocof32.exe	88
PID 4500 wrote to memory of 4948	4500	Mkepnjng.exe	89
PID 4500 wrote to memory of 4948	4500	Mkepnjng.exe	89
PID 4500 wrote to memory of 4948	4500	Mkepnjng.exe	89
PID 4948 wrote to memory of 3188	4948	Maaepd32.exe	90
PID 4948 wrote to memory of 3188	4948	Maaepd32.exe	90
PID 4948 wrote to memory of 3188	4948	Maaepd32.exe	90
PID 3188 wrote to memory of 5100	3188	Nqfbaq32.exe	91
PID 3188 wrote to memory of 5100	3188	Nqfbaq32.exe	91
PID 3188 wrote to memory of 5100	3188	Nqfbaq32.exe	91
PID 5100 wrote to memory of 4392	5100	Ncgkcl32.exe	92
PID 5100 wrote to memory of 4392	5100	Ncgkcl32.exe	92
PID 5100 wrote to memory of 4392	5100	Ncgkcl32.exe	92
PID 4392 wrote to memory of 3912	4392	Nnolfdcn.exe	93
PID 4392 wrote to memory of 3912	4392	Nnolfdcn.exe	93
PID 4392 wrote to memory of 3912	4392	Nnolfdcn.exe	93
PID 3912 wrote to memory of 2404	3912	Ndidbn32.exe	94
PID 3912 wrote to memory of 2404	3912	Ndidbn32.exe	94
PID 3912 wrote to memory of 2404	3912	Ndidbn32.exe	94

C:\Users\Admin\AppData\Local\Temp\53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\53fb07a28423a80236250d2fa00ce40fbd7a39070b39de3bf434fdd0c55d5b0f_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\SysWOW64\Kkpnlm32.exe
  C:\Windows\system32\Kkpnlm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\Kmnjhioc.exe
    C:\Windows\system32\Kmnjhioc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\Kdhbec32.exe
      C:\Windows\system32\Kdhbec32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        14⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 404
        15⤵
        Program crash
        
        PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2404 -ip 2404
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
1.9MB

MD5
8af0fa032aa89580dc1b88579d7ac456

SHA1
5aabcd3155954d9c023decff09500c4ffd803d18

SHA256
f59f20673b7fc9d5c9b13e99181fc7b4c2ee07b10dafd5b963eb1fced1698a8f

SHA512
92ba0b05e44bfd844008812612e62f41dbdca20c83cc92c4999876b42d4e6b6843ba2d9b735fe1f41bcfc50cd9a96dce2c9349f0d666cb620f9b4ffb394a1b67

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
1.9MB

MD5
fa4be0ba9e3d143acdd569d949fb5d23

SHA1
e516afb43001257e26303dcda9dabad7bc37c906

SHA256
342468a920f0b46a1ec1ae37bfcb734c74981e9f4651e6f9be253729a4784d32

SHA512
11332b48a74e1c88279cb8d9216ce10dbb6e47f3c7e8a48198e8ce99fede5b170a6395538ed257f4976e49398615a5aa74ae043718837c7d3668d276cc347766

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
1.9MB

MD5
d69f9466f73ff4db5fce133a89d00000

SHA1
97dda0182f44ed25cae9605450f0f17b765760f0

SHA256
f0750cd1c6e484b58fdde0b70c9b0e76920084d50ceca488ecfc6de29f5091de

SHA512
66071c304e34e26c5d58807da6a2c95113d211c3c4ca350651f1cb962d79cbd05b14815914e38135bb81a9cf08ab3905f06f170174f7c476eeb40b66028b7a4b

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
1.9MB

MD5
828ca18010b635b14ebf0eba34567ac9

SHA1
300bdadd07aece5efd6d75d2bef9f8d62a7e30d6

SHA256
ba1397691fd60e54de4b3bdfd44c6c6ef392724e634271fb336336979c8316ba

SHA512
3ef7d6a01c367d72d5660f8a3ac7eb0fe6d20077b605fbb49e12fe55bd253f410124c529f13148123989def8020ee9098fbf0c7e8fbd7c1e507e585aaaea9f3c

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
1.9MB

MD5
36e6fc2b9475f68cf9f7af0bfe9ae337

SHA1
8aec9cf225821d1f71eed565c084337dd339dda1

SHA256
6b5d939040e7941457a87f78a3cb5c0c63f6ba7baf899b8d5deb092ac2769733

SHA512
68ef36e97c79e3c10c3dc7c6659ebddc0697c43a8cd27640a2aadb141a8c1dab6f5b62069944b39dce3a2ef3ae73827de937cb479eb3d78a73b9db3e4e6509dd

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
1.9MB

MD5
0687f202d33ad8e3e63eab0a9940fd9b

SHA1
aa3d17801e0b4ad3dbc4491761dd1aa394a1d753

SHA256
79081f3b2c15505fdda1bc2c0f0cbc983a83fbc9df12668b747bfe71d43a70d2

SHA512
3b52bae5fe37e2c38041a7ebae5b8d4e9c0728d12fdb8cbb0c256e416d643d044cf3692a9046f874cee1e6dc93c90a8a3c73749854a4e23918bccda07ebd64a5

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
1.9MB

MD5
d791b48b7ed47024b77537fb7ec45ac9

SHA1
351fd92b11886b20d48d7891a2398103a1b3bb3f

SHA256
92ead273a885319beb63a95acb5e9b8a96092c408dda9b14375f2ab24c197f2a

SHA512
c9b86ad6345990ca163541f8c9f16837fbcc88d4a8ebdcb91d3b576ee338eb798d0f3d09f199ce5da35ac29c2c295e45d4e164a7c8119bf2607e32d1376e2c15

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
1.9MB

MD5
8760599ad102be355d02e00d4dfe9964

SHA1
d0d6c2461a7e450483b58bfee157cc8df117779a

SHA256
577c1b7a29c47f613409dcff616be57aff9b4e082ece2c6058ffc0705f32e6bb

SHA512
461d95e899194de0254c989d0af731834134d3322d3e772a3af8862bfaf1bbbde05104ba35c684a6377ce447921c90ddcf906e85b5913cc3bb4fdbc4a8caabbf

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
1.9MB

MD5
94476940b8d69f388a9545c05ff9271e

SHA1
6527df73bebb5fc5f5c45aedc6afb5505d1352e5

SHA256
2a4912540bc3dd18156dced70236a4a75d641798e48ce1c1eed0586b4bca21c7

SHA512
eb7a8b47ed883f7ea0b80b2526bae9e73e6788bbb1ef3219dcc0314ca637c8423b98fe1a9e23318f95988de28bf7145e372407427cbe6b8defd6fb3d69497922

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
1.9MB

MD5
ccdde187d94352db120a36aea89ce89f

SHA1
f612ce716c9d8d35fe9b0940503347f45f967d4f

SHA256
f096963d1c6af6461b069a4a2210e76cfdb07700500152901fa6b0898c6c4a89

SHA512
a9c73b16f1eb8238336c940a23a6f2157dd451372223e49b669159600ef7292e2553dacdaa3330e1a651c47499d6946b141cf839cd9721d4eded61a958f3f081

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
1.9MB

MD5
863ccef9a1f15a7de071431701822c92

SHA1
07e0f0d48242b2fcf4dc8b43989319cefc90a5ed

SHA256
0a42c1c7458bef7ec4ce5d4d2addb9f3c59d829fb98a548f3bf172e2f2bbeeb5

SHA512
7775880c65f821271ddb155f2aeca27d8e39e49ec062c60bbdc062377e7e8a6f47934e15a72580fa6a3b583b67214aef4173ef808cef9f4bea3bee711334e9e5

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
1.9MB

MD5
5ab7ca0083e58c3ded74578574ab85b7

SHA1
67cbe03967ae640fb74d5f63a9f5f1df39b8f55d

SHA256
bec1869f20773f99bf66df02d6c2deddcc219fa435003a4a38d38fd83917888c

SHA512
bf9aad2c0deaaa24a69fa0a852181473bc41b8a246d1bd0e4cc8796a14b247ac8996b680e41203e18e7cddd251c8de26ebeee47d857d10e0c033c71359fb04c6

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
1.9MB

MD5
b21f1413ead365d5587f0d5661a0b749

SHA1
699d6749030ca3c91e4e3f5c226e5caede74c1f0

SHA256
20a47f04b44875130421b18f87c6d2b522e79302e37fd09beb809d4cc511b9cf

SHA512
634fdeb03bc6d3aef627848b214af8efc37688339dc8cba297ca0265f1c5f4ea392e2ef00900672a3df6f15e5dd00c6b89fff9a02a5bc02d0ad7119f8552c438

Download Submit
memory/1644-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3188-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4764-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads