37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
Size

768KB
MD5

ae12c9188923db05cf7f6b1d51bc00a0
SHA1

45e732174655f3f6cffc50158516f09b07e1f7fa
SHA256

37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de
SHA512

f7580eb388f4f66adc8d20c4f5a436d293d5086ddbab49dee78cada2c0c8c665ab0fa6da70b218294f9ba0b27f63ec3fef5d8b9ffb9b09d93959fb52724cccbc
SSDEEP

12288:+b9Yvw6IvYvc6IveDVqvQ6IvTPh2kkkkK4kXkkkkkkkkl888888888888888888d:u3q5hPPh2kkkkK4kXkkkkkkkkH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhljdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhljdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkhofjoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfknbe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcakaipc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkhofjoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icmegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icmegf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfknbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfpclh32.exe

Executes dropped EXE 9 IoCs

pid	Process
2800	Icmegf32.exe
2712	Jhljdm32.exe
2356	Jfknbe32.exe
2540	Kcakaipc.exe
2520	Lcojjmea.exe
2328	Lfpclh32.exe
580	Mkhofjoj.exe
2792	Mkmhaj32.exe
592	Nlhgoqhh.exe

Loads dropped DLL 18 IoCs

pid	Process
1688	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
1688	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
2800	Icmegf32.exe
2800	Icmegf32.exe
2712	Jhljdm32.exe
2712	Jhljdm32.exe
2356	Jfknbe32.exe
2356	Jfknbe32.exe
2540	Kcakaipc.exe
2540	Kcakaipc.exe
2520	Lcojjmea.exe
2520	Lcojjmea.exe
2328	Lfpclh32.exe
2328	Lfpclh32.exe
580	Mkhofjoj.exe
580	Mkhofjoj.exe
2792	Mkmhaj32.exe
2792	Mkmhaj32.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hebpjd32.dll	Jhljdm32.exe
File opened for modification	C:\Windows\SysWOW64\Kcakaipc.exe	Jfknbe32.exe
File created	C:\Windows\SysWOW64\Hnecbc32.dll	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Mkhofjoj.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Qaqkcf32.dll	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Icmegf32.exe	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Icmegf32.exe	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Lnlmhpjh.dll	Lfpclh32.exe
File opened for modification	C:\Windows\SysWOW64\Lfpclh32.exe	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Mkmhaj32.exe	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Pledghce.dll	Icmegf32.exe
File created	C:\Windows\SysWOW64\Kcakaipc.exe	Jfknbe32.exe
File opened for modification	C:\Windows\SysWOW64\Mkmhaj32.exe	Mkhofjoj.exe
File opened for modification	C:\Windows\SysWOW64\Jfknbe32.exe	Jhljdm32.exe
File created	C:\Windows\SysWOW64\Lcojjmea.exe	Kcakaipc.exe
File created	C:\Windows\SysWOW64\Lfpclh32.exe	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Jcjbelmp.dll	Jfknbe32.exe
File created	C:\Windows\SysWOW64\Nffjeaid.dll	Kcakaipc.exe
File created	C:\Windows\SysWOW64\Jfknbe32.exe	Jhljdm32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Jhljdm32.exe	Icmegf32.exe
File opened for modification	C:\Windows\SysWOW64\Jhljdm32.exe	Icmegf32.exe
File opened for modification	C:\Windows\SysWOW64\Mkhofjoj.exe	Lfpclh32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Jnbfqn32.dll	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Lcojjmea.exe	Kcakaipc.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pledghce.dll"	Icmegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll"	Jfknbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnecbc32.dll"	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqkcf32.dll"	Mkhofjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhljdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcakaipc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhljdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebpjd32.dll"	Jhljdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icmegf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfpclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnbfqn32.dll"	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfknbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfknbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjeaid.dll"	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlmhpjh.dll"	Lfpclh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icmegf32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2800	1688	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2800	1688	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2800	1688	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2800	1688	37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe	28
PID 2800 wrote to memory of 2712	2800	Icmegf32.exe	29
PID 2800 wrote to memory of 2712	2800	Icmegf32.exe	29
PID 2800 wrote to memory of 2712	2800	Icmegf32.exe	29
PID 2800 wrote to memory of 2712	2800	Icmegf32.exe	29
PID 2712 wrote to memory of 2356	2712	Jhljdm32.exe	30
PID 2712 wrote to memory of 2356	2712	Jhljdm32.exe	30
PID 2712 wrote to memory of 2356	2712	Jhljdm32.exe	30
PID 2712 wrote to memory of 2356	2712	Jhljdm32.exe	30
PID 2356 wrote to memory of 2540	2356	Jfknbe32.exe	31
PID 2356 wrote to memory of 2540	2356	Jfknbe32.exe	31
PID 2356 wrote to memory of 2540	2356	Jfknbe32.exe	31
PID 2356 wrote to memory of 2540	2356	Jfknbe32.exe	31
PID 2540 wrote to memory of 2520	2540	Kcakaipc.exe	32
PID 2540 wrote to memory of 2520	2540	Kcakaipc.exe	32
PID 2540 wrote to memory of 2520	2540	Kcakaipc.exe	32
PID 2540 wrote to memory of 2520	2540	Kcakaipc.exe	32
PID 2520 wrote to memory of 2328	2520	Lcojjmea.exe	33
PID 2520 wrote to memory of 2328	2520	Lcojjmea.exe	33
PID 2520 wrote to memory of 2328	2520	Lcojjmea.exe	33
PID 2520 wrote to memory of 2328	2520	Lcojjmea.exe	33
PID 2328 wrote to memory of 580	2328	Lfpclh32.exe	34
PID 2328 wrote to memory of 580	2328	Lfpclh32.exe	34
PID 2328 wrote to memory of 580	2328	Lfpclh32.exe	34
PID 2328 wrote to memory of 580	2328	Lfpclh32.exe	34
PID 580 wrote to memory of 2792	580	Mkhofjoj.exe	35
PID 580 wrote to memory of 2792	580	Mkhofjoj.exe	35
PID 580 wrote to memory of 2792	580	Mkhofjoj.exe	35
PID 580 wrote to memory of 2792	580	Mkhofjoj.exe	35
PID 2792 wrote to memory of 592	2792	Mkmhaj32.exe	36
PID 2792 wrote to memory of 592	2792	Mkmhaj32.exe	36
PID 2792 wrote to memory of 592	2792	Mkmhaj32.exe	36
PID 2792 wrote to memory of 592	2792	Mkmhaj32.exe	36

C:\Users\Admin\AppData\Local\Temp\37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\37b40c0cdaa8be2151111a812404e815bad5ff2063c088616710e83e733f73de_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\Icmegf32.exe
  C:\Windows\system32\Icmegf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\Jhljdm32.exe
    C:\Windows\system32\Jhljdm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Jfknbe32.exe
      C:\Windows\system32\Jfknbe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\SysWOW64\Kcakaipc.exe
        
        C:\Windows\system32\Kcakaipc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\SysWOW64\Lcojjmea.exe
        
        C:\Windows\system32\Lcojjmea.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Lfpclh32.exe
        
        C:\Windows\system32\Lfpclh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Mkhofjoj.exe
        
        C:\Windows\system32\Mkhofjoj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Mkmhaj32.exe
        
        C:\Windows\system32\Mkmhaj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        10⤵
        Executes dropped EXE
        
        PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Icmegf32.exe

Filesize
768KB

MD5
f097a340d2f348cd3e50c115b465ac7b

SHA1
43e840c40a0dd409ee61d56095f92c73261944ac

SHA256
c55e3eaeb065892ee16ee6b0e108f3f177ebc0f5142d173e171b1a635757820f

SHA512
568613e50ad9e2f593345221ca9897f95078ea0c6cce40f039f234f16f795df901b06bcde3dfb9fecfd447fb5681b7af7b024abff5a4a508d11ea9b0c9a737a6

Download Submit
C:\Windows\SysWOW64\Jfknbe32.exe

Filesize
768KB

MD5
f1bc7f54c8998c66b596d036eea989d8

SHA1
75910e69bd4752a80dd56f57c4662d18b4f4efb4

SHA256
e5a46851fd5c1feab931eee3b251bd0d2148f68b5785b14560f2c90844d2ed12

SHA512
6894c15522c588154254d18925ff7f41e24b70bfbae06a82a2023c40233245f54096731fb9918a8786d5845e58fcb461f5d8674f2350587dbe1ffc1941b90dfe

Download Submit
C:\Windows\SysWOW64\Jhljdm32.exe

Filesize
768KB

MD5
f188c8349846e5894af8899f653c7b77

SHA1
e052fb9054d0cc44028b0acf24cf9f6ccbbbecb0

SHA256
127b5692f0d539956cf59971b299f7d71615d2a886517c86ef4d8075c2fce83c

SHA512
224df4080aceb2a46a985d443014edad62aada33a92375b2a8ff0e38126c08256c6ad114fa54f29768fb7b257f2b72e1733e54d7a55ed25d49954638c04b3f11

Download Submit
C:\Windows\SysWOW64\Kcakaipc.exe

Filesize
768KB

MD5
a7974cc77284699d3ab13e6666ea952a

SHA1
f85a0b7f117649297d098eb5e12bf09e91d7f48a

SHA256
7c0b8f2f39829921e7cbbef732dc59dd400474dc8bdb22dfffc56572a61bd4fb

SHA512
fc883d4c9c8ddf37019cd0a2e5203fb7413e163c851750e0d622ed16286726ecd674e55b53d546cc408c74bb182d442a8b5c09fa040112f0a91f764cecd1c1ea

Download Submit
C:\Windows\SysWOW64\Lcojjmea.exe

Filesize
768KB

MD5
720f5328475fb8677cea1664117b180f

SHA1
8d735cf098636e6d3aee41f5f923e92615cd57ad

SHA256
a342d7ac41d38391d4978cd404113398eee3d59d70410cf2b0081d32a0bbee7d

SHA512
44de264b8ad5971791c81deeb7733f76644b556ca1f3743605b450c86e072629335118bb2e55004d8a5523a31e5202dac92e812b16ffd8109928be97482e7bf3

Download Submit
C:\Windows\SysWOW64\Lfpclh32.exe

Filesize
768KB

MD5
dbd30d34aef69b5d4af0c7a583a3e0dc

SHA1
498e82cc388fa127d09635affc6a717db5e03004

SHA256
ba9b3a96cdc72a6f9c8673b835db6063e9da750442f41df9899a133441afb43b

SHA512
43a245defddd06e6eed4029fafff7c377fdd0cc47127b9be555196656b15717a662a88fa90b75e80ad3adfa9eab059a2afe172a59bc46c5f32244f055bef99c1

Download Submit
C:\Windows\SysWOW64\Mkhofjoj.exe

Filesize
768KB

MD5
9c46e6222e21839ae89b18b235340056

SHA1
78df8b778de1314419987ba9e9cdd2b6e45e1610

SHA256
761514e1937c8e64b7f27f43f141e94002c672d21930e1ab120ebff70521e221

SHA512
ba86f71e52cb6eb9d2e5c4edc88fb4d8580611cd959dfaf15574a5a2757c9128c47686de576d48eb84c5205adc56bc087fb31d6e6ce821cf1cfaba81fe11bf5c

Download Submit
C:\Windows\SysWOW64\Mkmhaj32.exe

Filesize
768KB

MD5
7918d15fd916e6b2a5c18984c8f929e7

SHA1
63e6accac0943f23daa33769bdb5c4a177850858

SHA256
72a1a50329d593f75543fc6859d20743784d1689c954c39acfb30b5249672e3e

SHA512
84bfcbec973108f7f9196b98035cd169e519a09365709bffd627cabf0d59e48c4093bc65b98d13a85b1a3faeadf7f3b9c0bb7eaeb3fcc98c3225eb5f4245fda2

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
768KB

MD5
10bd9a5fa6561147cafb8d970c93e898

SHA1
bd590717ef16cbc7d8be7116579bad13756ed1bc

SHA256
2c458431da938fb4f4745c021226e39535936e3f94cbbbf359949cf9ccfe249c

SHA512
fa7317418ad7d8b3d2ba24987fc18ee6c272c9d5e19bdbad7b5440ff66166a26032db1a9ddea72c95da5fe3ba8c5357143415ef709118d493d93124cfb4332a3

Download Submit
memory/580-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/580-109-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/580-110-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/592-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-6-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1688-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-92-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/2328-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-54-0x0000000001B80000-0x0000000001BB3000-memory.dmp

Filesize
204KB

Download
memory/2356-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-53-0x0000000001B80000-0x0000000001BB3000-memory.dmp

Filesize
204KB

Download
memory/2520-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-78-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2540-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-64-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2712-35-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2712-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-119-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2792-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-24-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2800-25-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads