2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057

Analysis

max time kernel
92s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/06/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
Size

94KB
MD5

ebd6eed454421f3cec62b7cb71473440
SHA1

42a0988f39f73bde044ae1ac34fd00ec89f0115f
SHA256

2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057
SHA512

5dea314497df42d86a403aeca11097ddf15e9cc8445dc05ab38b40f501ca99ad494b38d38203da0e88037ae37ef53d075ed5a5ef8cb29ceeb669de48c0a92887
SSDEEP

1536:LvokoNWGeHKOoaEFeYqIqhMxKCoas1k85GXUgGq2LHt5MQ262AjCsQ2PCZZrqOlO:zokoleHloZFeHIqh6KCoTirG3HLMQH2O

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe

Executes dropped EXE 15 IoCs

pid	Process
4524	Mjcgohig.exe
3460	Mdiklqhm.exe
3108	Mkbchk32.exe
4260	Mdkhapfj.exe
4332	Mgidml32.exe
228	Mdmegp32.exe
3248	Mkgmcjld.exe
3284	Maaepd32.exe
2088	Mcbahlip.exe
2552	Nqfbaq32.exe
1764	Nklfoi32.exe
1896	Nqiogp32.exe
3640	Ndghmo32.exe
1992	Nbkhfc32.exe
2804	Nkcmohbg.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1768	2804	WerFault.exe	95

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mjcgohig.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 4524	636	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe	81
PID 636 wrote to memory of 4524	636	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe	81
PID 636 wrote to memory of 4524	636	2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe	81
PID 4524 wrote to memory of 3460	4524	Mjcgohig.exe	82
PID 4524 wrote to memory of 3460	4524	Mjcgohig.exe	82
PID 4524 wrote to memory of 3460	4524	Mjcgohig.exe	82
PID 3460 wrote to memory of 3108	3460	Mdiklqhm.exe	83
PID 3460 wrote to memory of 3108	3460	Mdiklqhm.exe	83
PID 3460 wrote to memory of 3108	3460	Mdiklqhm.exe	83
PID 3108 wrote to memory of 4260	3108	Mkbchk32.exe	84
PID 3108 wrote to memory of 4260	3108	Mkbchk32.exe	84
PID 3108 wrote to memory of 4260	3108	Mkbchk32.exe	84
PID 4260 wrote to memory of 4332	4260	Mdkhapfj.exe	85
PID 4260 wrote to memory of 4332	4260	Mdkhapfj.exe	85
PID 4260 wrote to memory of 4332	4260	Mdkhapfj.exe	85
PID 4332 wrote to memory of 228	4332	Mgidml32.exe	86
PID 4332 wrote to memory of 228	4332	Mgidml32.exe	86
PID 4332 wrote to memory of 228	4332	Mgidml32.exe	86
PID 228 wrote to memory of 3248	228	Mdmegp32.exe	87
PID 228 wrote to memory of 3248	228	Mdmegp32.exe	87
PID 228 wrote to memory of 3248	228	Mdmegp32.exe	87
PID 3248 wrote to memory of 3284	3248	Mkgmcjld.exe	88
PID 3248 wrote to memory of 3284	3248	Mkgmcjld.exe	88
PID 3248 wrote to memory of 3284	3248	Mkgmcjld.exe	88
PID 3284 wrote to memory of 2088	3284	Maaepd32.exe	89
PID 3284 wrote to memory of 2088	3284	Maaepd32.exe	89
PID 3284 wrote to memory of 2088	3284	Maaepd32.exe	89
PID 2088 wrote to memory of 2552	2088	Mcbahlip.exe	90
PID 2088 wrote to memory of 2552	2088	Mcbahlip.exe	90
PID 2088 wrote to memory of 2552	2088	Mcbahlip.exe	90
PID 2552 wrote to memory of 1764	2552	Nqfbaq32.exe	91
PID 2552 wrote to memory of 1764	2552	Nqfbaq32.exe	91
PID 2552 wrote to memory of 1764	2552	Nqfbaq32.exe	91
PID 1764 wrote to memory of 1896	1764	Nklfoi32.exe	92
PID 1764 wrote to memory of 1896	1764	Nklfoi32.exe	92
PID 1764 wrote to memory of 1896	1764	Nklfoi32.exe	92
PID 1896 wrote to memory of 3640	1896	Nqiogp32.exe	93
PID 1896 wrote to memory of 3640	1896	Nqiogp32.exe	93
PID 1896 wrote to memory of 3640	1896	Nqiogp32.exe	93
PID 3640 wrote to memory of 1992	3640	Ndghmo32.exe	94
PID 3640 wrote to memory of 1992	3640	Ndghmo32.exe	94
PID 3640 wrote to memory of 1992	3640	Ndghmo32.exe	94
PID 1992 wrote to memory of 2804	1992	Nbkhfc32.exe	95
PID 1992 wrote to memory of 2804	1992	Nbkhfc32.exe	95
PID 1992 wrote to memory of 2804	1992	Nbkhfc32.exe	95

C:\Users\Admin\AppData\Local\Temp\2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a4145e9ec798762bc638f936d77d70483ac9488b2f8109f96526bfdcbef2057_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\Mjcgohig.exe
  C:\Windows\system32\Mjcgohig.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\Mdiklqhm.exe
    C:\Windows\system32\Mdiklqhm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\SysWOW64\Mkbchk32.exe
      C:\Windows\system32\Mkbchk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
      - C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        16⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 400
        17⤵
        Program crash
        
        PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2804 -ip 2804
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
94KB

MD5
16d9e6b318f85c07a296add4eb37da81

SHA1
90b71dee3e387a5e1c23f649ef86035d234ef84a

SHA256
e06bea092f32b768e55c2e08d1ecebdf0ff985da148d42f7f91f74f5335de26c

SHA512
95c0ee41d671f358aca0dec9723c1c89de8e045fb1a1b3d59a6237042e9fbd777ce36e55e65d56c5b279b58c888b290c91a384abd33652310b57dc72cb5491fb

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
94KB

MD5
4bea343451645a760740079a7e0ed797

SHA1
a86d4da7755f5776d656a7a88be78ad44ee9d47e

SHA256
a713d21f9102c54252ba9228dfb1e02a4ca9a4458515d9ffc189d11bf237a5f8

SHA512
f5145d2d674776cd5b0753f3e943fd049df95494c55d1edd6fcccb10d70ea3df1e7bb28a4c689c2fe79ef32ce4b914934dc73b2895ae8a2d923d409627197c6d

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
94KB

MD5
1a8909784f97612eddd20e1fe02ff1cb

SHA1
54e9fce2199907ae3b73383b342c2a48b9ad372d

SHA256
b80f700faea96651e845660dcc8549b9befd73c3f97780de50b87829dc95d011

SHA512
780754889a71ee8fc50887d1c1f8518eb8cacb119419c0c82b8b99a9dc41de050acd10f6866f2e25a1e66a393ed4f4553b0dc9f5a63697b8c7890dedea4dc00e

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
94KB

MD5
0db27c9b2d6a845dde97f56c41fb7ecb

SHA1
6ac7182181a48bf4d6cf0ec47d50b9f1d85ab7f9

SHA256
8e1b9cbd7ed0ed9c11257d1d3b1b85b63cbd1a449ce54df9eaac44cedecfd930

SHA512
d14270ad0d2958ae168d26d2d049aa8b0d94bd018d7f504ca99e4e7aba6774bed570394c4d3e14082f8e2233d00adbe8434479575a14af7349029681ae31a71b

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
94KB

MD5
78f22779024017fc0481f479448631b1

SHA1
ed285dc2a33c916cba59efe3686f1ba3ff60ac71

SHA256
d1032d61d0d6cd28e3b9199b1d0c8f0aca497cc50680e16046d05708f68b546f

SHA512
2c6ba2d215ba32b3cec30340c6074d6a8d9477e5cb52fd8f2c544b3d09d7bbff2d70dcb56cd2d23f2ee67fdcee71393599b1da470a20c082ded41c18111eaeb5

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
94KB

MD5
ee70119d3aba7c00bee46a3114aafb5a

SHA1
897453be76987d154b872782ad212b4161e6874e

SHA256
1ccbdcbf927b6bc5b70cad1be624ceddcbe45108e3a4795fc7fb9de3a8413191

SHA512
9dc1e204661725214e20c421272adf179069180cce0cd9c9adcc201371959670ae854d2677e035949896215ac11e215b40e7c285685d561bcd9d1dca143d0530

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
94KB

MD5
dd7168fc1d0c1303cc03d7b420cba88a

SHA1
668c28d1539f1cf1a0717167ae681697cd9f5a23

SHA256
c8e464cc397ec71896d9c9ca950d67f73cb24358c4f2c795ca04f8c9737e6149

SHA512
4db3831020b7b5915749ce5f62e5a297565cc6e990d21d068d9e10504e808e6524dbdc72cec5e8982ccd2227ba89b6c672c168dc59e54eaac39e291d85d8a01c

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
94KB

MD5
2369082cfc5da645c3cfb3552a4b9346

SHA1
884a5b6823e8aa7a5df29b73ed1f5eb628be638e

SHA256
ba667fb319d43191da4cc08e3c3efed2f6cc7cac4f276b9e1b0057a0e9a3de5f

SHA512
79e42b6e9ef0095f33d41610c43185e1587d0d100313b3db2e472216dedab4a7ccb3f8781a3ba8a6dad52a862224ec45cfb2585348417b4528975073124a8e16

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
94KB

MD5
2de63a77057078718f30874d590d750d

SHA1
b1850a47a3ebe43669d29cea08cda9ea4bc54b0b

SHA256
7df2877c8a1f8876dd5e11d289415bf8e8424d1995de96c49e4c032cc23d649f

SHA512
61c4639f1768ac6e6197c909d4ae57b4a802736cc9de2d98faba59299b5a5887ebb4d6efd02ade233b0c05b62252736b2820a6685e99eb8867632e9a829966d0

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
94KB

MD5
c2318571f0bcff59a5c5a7f9ecf94bd1

SHA1
3b14487e37baf0a4fc5152968de07f54b0f65871

SHA256
0aabdf6c9aeaa127a57d826a554825f7114df21081dbaa34e8d8a56c3c194dc9

SHA512
a3b50749313b86715dc21fbe3adb80188c1099b2229a98dc9088a0a40916031df46012371b41ec4d1e9165fbde0b715e8c869491b590857b121131bc518ec701

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
94KB

MD5
09dfbd77ca42cb2565007e2efe580c21

SHA1
e7caa58ab53aa922f8f0e7049f6b7a5cd63097fd

SHA256
b6a88d0ccd2be943fcc2f5575bc27b911e38a4c81dfec27bf69d3070794dfa7c

SHA512
d0a58502e5c1a2be17ca1af0dc679ae5f7153ba6ebfe53a4534fd7ea6f27f7e63389c23358c7437a7dd168a9f86d1e1592880ef36c35a648e87113f3a5ff5ad4

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
94KB

MD5
c21bf4563829e91d5a51b288e5983f19

SHA1
943b2a1bb4218ce90f8fbb6ca204c819ab82fce3

SHA256
8911e5963aa9b8a84a7d8f8116420dd2349934cc74601fe9879b23bede3a2b2d

SHA512
6e4c482b9db94de73465d7e6e9e3e198fb2230b95a973618a28a08402196d8583a2ae1ab4256b078a388ffa31766b6954418d024921a38f294d762c6fa665c67

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
94KB

MD5
09aff7a1f1c0a226149938e5d9df8b53

SHA1
7801a3af1d66a85934d629102b6c0264571f2eca

SHA256
f701cd7392b5ff534ba4df2a040d085fb0f603cb4b3b6fe9357b58384e3e6ad6

SHA512
cce611dd99c972cad3af969e121c99a35aa7be2d5f9060c760a01ad362810729e37c20f08bfcaa935730468f6a55ee1d917eb5c5ac5b8b6c6df9eb18c5bc47fd

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
94KB

MD5
8fe040516cd962b0e5e1626d954e7cd5

SHA1
fcd306c23ee3d73d630b7151f59b689583fa483f

SHA256
d51573300fe20199ff73497519d8fc848052d48b982cd26c25a4e71e3751e3e3

SHA512
26e63880c2f7bf5b2b8ea88fc010a8e805f99480d67181faef8ed37f3e3a5116f4a868751acfcfa04eeb35a24b659b11ba3fcd9c16e9896b9cd271880e3be958

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
94KB

MD5
f935af5f30b185d7cdd67fb377b7fd96

SHA1
02114e2bfbe273b62bd5415b3d6cfa7e9e475f89

SHA256
39c59626a9e254993d7df51d93e75834fea282877600646816d4ebb8e947b0b7

SHA512
d16230c1fd8e35d3f6e33dbd3a3b04b044e395b066bba615991b6cc50f9e0d6d8a1982a3bf8a758571b242e47d16cf68d637904b96a03481dadd6597ae95f26d

Download Submit
memory/228-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/228-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1764-131-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1764-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1896-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1896-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1992-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2552-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-127-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3108-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3108-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3248-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3248-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3284-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3640-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3640-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4260-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4260-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4332-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4332-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads