1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f

Analysis

max time kernel
138s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
Size

361KB
MD5

a1877982de3e9e62ef774b0ebc9f3240
SHA1

591cc7a3a84becc7fb2efec52303031b0edc76df
SHA256

1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f
SHA512

c4eb47bfe5c2442ce7b12969b606b8350d4cee5885a65c7ceee662dcb39a9fdc83ff8d75cfb07b2cdcaf89b892872fcfb3789f385b805806ca19328e0700c917
SSDEEP

6144:8K+Vlp5sVQ///NR5fLvQ///NREQ///NR5fLYG3eujPQ///NR5f:8K+/Mw/Nq/NZ/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe

Executes dropped EXE 10 IoCs

pid	Process
3376	Mdiklqhm.exe
4280	Mnapdf32.exe
208	Maohkd32.exe
4980	Mdmegp32.exe
4740	Maaepd32.exe
460	Nkjjij32.exe
3612	Nafokcol.exe
4492	Nddkgonp.exe
4564	Nnolfdcn.exe
392	Nkcmohbg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nnolfdcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3244	392	WerFault.exe	94

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 3376	3140	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe	83
PID 3140 wrote to memory of 3376	3140	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe	83
PID 3140 wrote to memory of 3376	3140	1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe	83
PID 3376 wrote to memory of 4280	3376	Mdiklqhm.exe	84
PID 3376 wrote to memory of 4280	3376	Mdiklqhm.exe	84
PID 3376 wrote to memory of 4280	3376	Mdiklqhm.exe	84
PID 4280 wrote to memory of 208	4280	Mnapdf32.exe	85
PID 4280 wrote to memory of 208	4280	Mnapdf32.exe	85
PID 4280 wrote to memory of 208	4280	Mnapdf32.exe	85
PID 208 wrote to memory of 4980	208	Maohkd32.exe	86
PID 208 wrote to memory of 4980	208	Maohkd32.exe	86
PID 208 wrote to memory of 4980	208	Maohkd32.exe	86
PID 4980 wrote to memory of 4740	4980	Mdmegp32.exe	88
PID 4980 wrote to memory of 4740	4980	Mdmegp32.exe	88
PID 4980 wrote to memory of 4740	4980	Mdmegp32.exe	88
PID 4740 wrote to memory of 460	4740	Maaepd32.exe	89
PID 4740 wrote to memory of 460	4740	Maaepd32.exe	89
PID 4740 wrote to memory of 460	4740	Maaepd32.exe	89
PID 460 wrote to memory of 3612	460	Nkjjij32.exe	91
PID 460 wrote to memory of 3612	460	Nkjjij32.exe	91
PID 460 wrote to memory of 3612	460	Nkjjij32.exe	91
PID 3612 wrote to memory of 4492	3612	Nafokcol.exe	92
PID 3612 wrote to memory of 4492	3612	Nafokcol.exe	92
PID 3612 wrote to memory of 4492	3612	Nafokcol.exe	92
PID 4492 wrote to memory of 4564	4492	Nddkgonp.exe	93
PID 4492 wrote to memory of 4564	4492	Nddkgonp.exe	93
PID 4492 wrote to memory of 4564	4492	Nddkgonp.exe	93
PID 4564 wrote to memory of 392	4564	Nnolfdcn.exe	94
PID 4564 wrote to memory of 392	4564	Nnolfdcn.exe	94
PID 4564 wrote to memory of 392	4564	Nnolfdcn.exe	94

C:\Users\Admin\AppData\Local\Temp\1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1b1e8a6fed25dbf58003a010645c2d8e866ea0d3a19bb88827229e72a8df0c1f_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\SysWOW64\Mdiklqhm.exe
  C:\Windows\system32\Mdiklqhm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\Mnapdf32.exe
    C:\Windows\system32\Mnapdf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\SysWOW64\Maohkd32.exe
      C:\Windows\system32\Maohkd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        11⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 400
        12⤵
        Program crash
        
        PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 392 -ip 392
1⤵
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
361KB

MD5
8590e4abd23a43fc08639a7d2b6bfdc8

SHA1
326a1a85c48ac04e77ce708bc0221a1cef55b4e2

SHA256
5f10f266c16acac8b87653411434ced5d77b6a8810a76c6c292830566f09191a

SHA512
0cbb6ea5c73e3abd2130e45aa8e522de6ba1cc25b57c0f134f227e03a784ed10c26ec32af1f8d27368c11e920ae7c40f35f072f54a9037e6b11ea4cabb336cdb

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
361KB

MD5
ada8a509bdd35b8bbff8c3b6db374d33

SHA1
56b55626a91a6a443653e1693217d25921c94ad4

SHA256
acf70d4745e6eacbbb3cf3a1ef4224941d36c5849c36b68fb4dc5767e722190a

SHA512
b9efd20bead5de955a3831e014559b4c8f883f534c2558b3c9148ddb366895c7497da3af0dc49de40b678ae8796a7a2f05affb7affcf9574682529eab31367de

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
361KB

MD5
877c772296f902b5f830c8379029a866

SHA1
a8778ce9a078405817de66739cb7fe895d3f08d2

SHA256
ed5ff7a8ea1aeec923179dbd78b82e98d5b596312d6d40e88700aa31db91dd93

SHA512
5eb900ebff7aa8b9714a2ed4c349dca240d89838181fc6bd256ab40427a7ca4d891d7c73aeb75bbd5fd11f9332b985e9a415d16e28e24c3dd6693659b7cdbf2c

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
361KB

MD5
878cffb739806f2ac2b89a78ce2eb4c6

SHA1
bbe8e33e6503a348bf9a17cf417a09e88c864f31

SHA256
07d111821d4c94fe5260f2c0c4caea78a7fba51c36a0e30c5278de686d161b06

SHA512
0848346ec3c0c13e512ca62acea712df253f21e1b2a3ac9dfb5400df769cdf3a27330cc0cc3dee7a29d31650ef4aa460e3a482039ec9ac606bbd2b2f90ff8994

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
361KB

MD5
ca0327c067c52db2f205c2da0f945efc

SHA1
404c06a8f1abdb876acd7827cb47991664f15263

SHA256
4a6a57d6f6d8a87582fcdcdb8b35d0a547b376142655187fb9a2e32a545836ba

SHA512
910d79e618c1581661657d210cb5fa849dab4a142b93234d77571a8be8b3420863096cac050d842f18dcde40dddd42025e0bd85897243e069bacb74b394b6aa4

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
361KB

MD5
d4d3378e806e173650b02512c2addc70

SHA1
1fc2d1d170656dca8f95b6c731f4c0fbfe865b85

SHA256
86021752946b3373193c1c1d5c25643b41db3750f1e6f2fc869f8fd0c51820f6

SHA512
5c00fd9d5ce4e44a1c791c6e436c5cd08a13ddc23758bad9ac40a475bca9ffe5da2d7f64f5108e30a432c481e4bb8ecf4130eb5b156e827edbb1873cfb64986d

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
361KB

MD5
98684bad74b0c8f519a62bbe2628fa64

SHA1
5aa95539d5964682068062f1efe6091568a9f565

SHA256
104402c30d12c5d82dfa9ade765398a8de9ead63efc6a79a4515039467c64d67

SHA512
6754ab000b0245c9ff457ec099cb660bbf2156898d25cc9b7193a4d9beea614ec6d06c6c15825c73476153224a9c160d276d5f874aa5bea3cfe4195ce30652f7

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
361KB

MD5
74e4614257f99ed5edf158e4007f1a1e

SHA1
e18f1ba9d3d85a6606f7596c0c42f51dfc8c0572

SHA256
47351a337658b3f6088423505a383c7493c30d7e9068f54c6702ffe517fa72d3

SHA512
dfe86e9695efaaa1c217e1117acc55edb27cf76725972111dd03ae4d27f258c4a37ff76cd539db9df672f55caa7568d42247df2dd3078bb4932d6ead08b2e096

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
361KB

MD5
332ecdb64c9adf8e10e63768bd83a68d

SHA1
54de71389d4eff75d3391735d3364b340a0f7276

SHA256
0768c52770d074cc88309beb5480bbd47cdc3b13f8d66bb5d0026b4ecf69a1aa

SHA512
1ad1e302983f8078ee5151dd58de54c6d20b65edf2dc9ae29b97b1dfe045a001de473e5f03de3ff1a7df2f3d8507d04c42ba50f211047f6e120b7a0e8f0d4465

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
361KB

MD5
caad52c00daaa8e14ff4ee15bd20718b

SHA1
5c75532c970a1c906e294f16c352714257f58e69

SHA256
2ee57b6974a94f85448b0ab846087ca89da25dbabc79821b2d1ab9e6b87dac6b

SHA512
54eceb8aabd8f2d72fb617b00c9c84b40c6654ddde63ea3d19edec6e336f237be95a33b918efa343c387f57c4f9b6b9612b0e0e05ce712cec2982f6c4e9dc354

Download Submit
memory/208-97-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/208-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/392-82-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/392-84-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/392-80-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/460-91-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/460-48-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3140-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3140-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3140-103-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3376-8-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3376-101-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3612-57-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3612-86-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3612-88-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4280-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4280-99-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4492-89-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4492-64-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4564-85-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4564-72-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4740-45-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4740-93-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4980-95-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4980-37-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads