13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
Size

169KB
MD5

0c3a9ef73f03ba076ca911086d6ca3b0
SHA1

4bfcc1e7b2b6453b6c58d66a4b31dee0db7c09e7
SHA256

13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484
SHA512

0e047a54946f8a68fedd870501b03f91d13228aafd9e370d30acf5e7e4e647bfccc46012b46f31b04d53e27a58afd98dfd4cfafa3310dd435d081d7703d51250
SSDEEP

3072:/t/Cb+0ZSvPxMeEvPOdgujv6NLPfFFrKP92f65Ha:/lR0ZSvJML3OdgawrFZKPf9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe

Executes dropped EXE 12 IoCs

pid	Process
932	Mdpalp32.exe
1660	Njljefql.exe
5040	Nacbfdao.exe
2360	Ngpjnkpf.exe
4384	Nnjbke32.exe
2460	Nqiogp32.exe
376	Ngcgcjnc.exe
4300	Nnmopdep.exe
3968	Nqklmpdd.exe
4760	Ngedij32.exe
2280	Ndidbn32.exe
2420	Nkcmohbg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Ngedij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5108	2420	WerFault.exe	91

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 932	2544	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe	80
PID 2544 wrote to memory of 932	2544	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe	80
PID 2544 wrote to memory of 932	2544	13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe	80
PID 932 wrote to memory of 1660	932	Mdpalp32.exe	81
PID 932 wrote to memory of 1660	932	Mdpalp32.exe	81
PID 932 wrote to memory of 1660	932	Mdpalp32.exe	81
PID 1660 wrote to memory of 5040	1660	Njljefql.exe	82
PID 1660 wrote to memory of 5040	1660	Njljefql.exe	82
PID 1660 wrote to memory of 5040	1660	Njljefql.exe	82
PID 5040 wrote to memory of 2360	5040	Nacbfdao.exe	83
PID 5040 wrote to memory of 2360	5040	Nacbfdao.exe	83
PID 5040 wrote to memory of 2360	5040	Nacbfdao.exe	83
PID 2360 wrote to memory of 4384	2360	Ngpjnkpf.exe	84
PID 2360 wrote to memory of 4384	2360	Ngpjnkpf.exe	84
PID 2360 wrote to memory of 4384	2360	Ngpjnkpf.exe	84
PID 4384 wrote to memory of 2460	4384	Nnjbke32.exe	85
PID 4384 wrote to memory of 2460	4384	Nnjbke32.exe	85
PID 4384 wrote to memory of 2460	4384	Nnjbke32.exe	85
PID 2460 wrote to memory of 376	2460	Nqiogp32.exe	86
PID 2460 wrote to memory of 376	2460	Nqiogp32.exe	86
PID 2460 wrote to memory of 376	2460	Nqiogp32.exe	86
PID 376 wrote to memory of 4300	376	Ngcgcjnc.exe	87
PID 376 wrote to memory of 4300	376	Ngcgcjnc.exe	87
PID 376 wrote to memory of 4300	376	Ngcgcjnc.exe	87
PID 4300 wrote to memory of 3968	4300	Nnmopdep.exe	88
PID 4300 wrote to memory of 3968	4300	Nnmopdep.exe	88
PID 4300 wrote to memory of 3968	4300	Nnmopdep.exe	88
PID 3968 wrote to memory of 4760	3968	Nqklmpdd.exe	89
PID 3968 wrote to memory of 4760	3968	Nqklmpdd.exe	89
PID 3968 wrote to memory of 4760	3968	Nqklmpdd.exe	89
PID 4760 wrote to memory of 2280	4760	Ngedij32.exe	90
PID 4760 wrote to memory of 2280	4760	Ngedij32.exe	90
PID 4760 wrote to memory of 2280	4760	Ngedij32.exe	90
PID 2280 wrote to memory of 2420	2280	Ndidbn32.exe	91
PID 2280 wrote to memory of 2420	2280	Ndidbn32.exe	91
PID 2280 wrote to memory of 2420	2280	Ndidbn32.exe	91

C:\Users\Admin\AppData\Local\Temp\13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\13202ded5eb34d5ab5ea0e87ce2022ace8e2059d824e847e317434b2feb16484_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\Mdpalp32.exe
  C:\Windows\system32\Mdpalp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\Njljefql.exe
    C:\Windows\system32\Njljefql.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\Nacbfdao.exe
      C:\Windows\system32\Nacbfdao.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        13⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 412
        14⤵
        Program crash
        
        PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2420 -ip 2420
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kmalco32.dll

Filesize
7KB

MD5
ecf9e925b6f6599d60eb1fd27b6c0a04

SHA1
0ec2218689d8277ede6a2a5d9bfd7f02ce3c2a2f

SHA256
7dbe6dfb50f0bb60ab415bacae544ac81a4e14c67ce4c6e9cf9a7becdb9f87c8

SHA512
5af8e1d429a7cfd7f6d14f8be500d6a3d70df4f6aecb58dcec48909106c18b1866974b14897300e884c5c959a5f78b9045896adc7aa74b2dd8fc541ad95d7d31

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
169KB

MD5
53b0d723708dd5bf4ba3664fa146b705

SHA1
cc5ae1d3b07367c376de0ae4af927b27b6809e32

SHA256
643b0d53248d2e87d9ee57cd7481e0ad2be3c18b96f933fcfbf4a62348ec4c4f

SHA512
27cac662d6d7e25e2875214368495e6510b9e41481b66de6aef3a2c4f106ceb4f9e86cf358c7ae2c13bd55b2a37f89ed8cf7ec41dec2f828eafda2b22ff8bbb6

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
169KB

MD5
ce7fe2719450a5bfcdc3bbf6aba290ab

SHA1
78affc4feb918d2d6e353934dc2cd8c8fe277ac7

SHA256
aa3a53666bdb7ff1c9f585ad150e48c575cd95efca667176873d9362f5074610

SHA512
30e6dada4bd8ac676e704cbf80953a738cdfcf021a2728760323a6c177f0303043414ee3288b3a53875cbfa15a4b59bf69ba0d86d3130367359a62234af47446

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
169KB

MD5
133fcf47f535dda2648ee7620b6544f1

SHA1
a1c05f969b877144aec9a978ccdd3ab062d942c6

SHA256
88854ba008d9006f10eced3f802126f343f9702e8dd3481e995b6790b2ce71d7

SHA512
e61a7b6fed0e5c4f9f14671ffa3582ddf1c06a6270246af478400b2aa740b5208b2f4534154fdef25a0b65d33bc6967bf68656a048cc39165d791bd0674ce5f0

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
169KB

MD5
e81fee675339a30cd045ee0da0b0ac12

SHA1
82317cb0148ebf45e4f6d92a69b2b2e7ac218845

SHA256
348e0fed63d2c378b64e48d7f11738b8b5070c1ffb36b8020e2558b137aae697

SHA512
a2eae999cd0e3ab7b2e7bf6edb9f21edee12a7a3c850bfdcf589a5dba5f83e75b4bab6d4d53773d792681bae5922ab3497417328586c9326e67f4f3ad94520ad

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
169KB

MD5
2b359aa00a84b112caf172678f68339e

SHA1
ed66c4ec6405fa3f8dc6b5ab60d7e1e82bd12636

SHA256
522fef1150a8cb26eebffc5365b0444efa6338f3139ea733ed2a290986dd10f7

SHA512
c74decccddad0681735e5eabc8515062d0a5a79717d63fc6738a1ce7db3bd7d0defa733d968d3a06be3c81c3f7edd29e4bacca0c9b79990ef4352a8e99336136

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
169KB

MD5
7f0d72eafaca5c8842738d5aecf59862

SHA1
c47c6b65881215ef3caee84f3457ded186bdb878

SHA256
15600b9ef3935e1f327b1ca52d53bef528c09d6f85fd399129bbc985d2f0c7c3

SHA512
64a211351519cf24fed3c6b3f6d3658cd15d4bddf683283ed6cb3281021cf777786cf020ac4bd3400a181cd98301156b95c5fdfb78b8a9141448461afcb34335

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
169KB

MD5
a1026a7ed430da5baa479901f568a7ed

SHA1
aa98bd8fe13a2878aef6a41a5a9c62e87e5d89d8

SHA256
8f65d10f9be1616da43f2f91790b90bf81e2aaedd972299f4a0c899a3b344931

SHA512
259933813f7157c4716c128fff9c2ed2bbd3bc48d95e8e5539955781517910af16f44e4f8449e6e7861d5a1da9f36216b309bf3924aafcd4e1a39720360f1967

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
128KB

MD5
dd15ebde1cf177857e42fcff6f5cd36b

SHA1
3ad9fd51bed99911b29f385bf5e8c668bb1d7fc2

SHA256
5f35e919c1778f1d1b7c09c1fc7812aa404d6189beb95df72c660a1fb70e8dc7

SHA512
1ef30e3cb12de9390f60f7c6eaffc5880419ee516deb1443f7c2221fa48b937cf11c40baf60c88dfa3c0295820fff736105d7e07aeb5b7d064f502ff42e0be61

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
169KB

MD5
28b3faa00d8b3f9e128331f78269a277

SHA1
68702b033e0a680d4a745663430a5a8e798f1af1

SHA256
6046a3f131e8f39fe9bab54437493e78f14fd1b67ad9a19c3b1fa7d58852be84

SHA512
725de118eaed7b3657b7e4dda3a57cecd4aadd3e116a53ee2b45403a9f8aa6e4b87f15023228417ee8d4f37dfb372154fb938db60f81cff6440cc1f18edca81e

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
169KB

MD5
955a23f4d3a92dff4074ad5c614926cb

SHA1
cc6310e1da8a40dffc7840b7e0eb4950d130064d

SHA256
6b887b830d995d08a7a4255cb4385792cf0f89cca4340afcb07e1c00a7c42e27

SHA512
33034110293313eddab5c3998c3c42b67dc63d8999de5b576e7f97c7172c25d2f86a2da9fc919f47a7acb07cfb8d1f930e3e8a071dd67d631517386007de7dcd

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
169KB

MD5
2c7900175a79feac54567b986150e0f5

SHA1
45c67e6b0522c7784cc1804486df8a02e6bdd762

SHA256
35c1908927b641e589e611e53624a30549cd89a3058f8e94520746c2d72108f7

SHA512
4186a7816cf6f685c30fbaf557f1ed02bef19a5b4d6ebf421f870c6074c94e899d3f99da574a30c3e2811c7c833c133a30673bda1047484274db92ab5e5e47fa

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
169KB

MD5
8d6568b9340f5b0aa4371368774cc3ae

SHA1
e083de2a918969e344210d460498d3479bc392b4

SHA256
d9ddacd792c01e6fbd71860575716c20a9b9def82b7093700f1659f10b0e5d72

SHA512
507ac8e6327120666e68cf111b270c315671de0a1abfd80b0ec4fe3c9942adfe920ad581b098510edbe981fbb80e93bf632f81d99b6282596f8eccfb6dfc3524

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
169KB

MD5
391bf4f70929384c4470a402f9d301e7

SHA1
1af5acd9f927622464252c542c5b51729a2a4132

SHA256
5cca531e507a129db717d15bd06cfb4680f3d6d5802aa5e2b4cc4ea734299110

SHA512
f3783d805152b98d35967279be594d958a7bd1bb4df7738981411b460e894b4da786efcf7991c3ffb7dc05bfbf271fc648ba1f2af4a0f48c7519f013adf87a1d

Download Submit
memory/376-104-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/376-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/932-89-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/932-8-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1660-98-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1660-20-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2280-101-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2280-90-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2360-107-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2360-32-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2420-99-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2420-100-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2460-105-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2460-47-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2544-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2544-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3968-76-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4300-64-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4300-103-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4384-106-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4384-39-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4760-102-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4760-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5040-108-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5040-24-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads