b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
Size

96KB
MD5

13b418855aed517fd502580c752ffdf0
SHA1

81ddb174063bfb22a43b745c6ceed75e6187d5c4
SHA256

b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9
SHA512

c3b235c7c588892036594f4060fe9a4adc8710f348dc0f78da27b991d1946776410099e9f068343b9504030ffe2e75c2de25e247796a19d622c9bfdf2c5ec586
SSDEEP

1536:+G/CfdbORrwTUZtXQCmk2L3ZS/FCb4noaJSNzJO/:JCUtXQCm93ZSs4noakXO/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe

Executes dropped EXE 13 IoCs

pid	Process
228	Mjjmog32.exe
4504	Mpdelajl.exe
4896	Mcbahlip.exe
1312	Nacbfdao.exe
3504	Ndbnboqb.exe
644	Njogjfoj.exe
4928	Nddkgonp.exe
2380	Nnmopdep.exe
2000	Nqklmpdd.exe
412	Nkqpjidj.exe
5012	Nnolfdcn.exe
516	Ndidbn32.exe
4828	Nkcmohbg.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nddkgonp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
820	4828	WerFault.exe	95

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 228	212	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe	83
PID 212 wrote to memory of 228	212	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe	83
PID 212 wrote to memory of 228	212	b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe	83
PID 228 wrote to memory of 4504	228	Mjjmog32.exe	84
PID 228 wrote to memory of 4504	228	Mjjmog32.exe	84
PID 228 wrote to memory of 4504	228	Mjjmog32.exe	84
PID 4504 wrote to memory of 4896	4504	Mpdelajl.exe	85
PID 4504 wrote to memory of 4896	4504	Mpdelajl.exe	85
PID 4504 wrote to memory of 4896	4504	Mpdelajl.exe	85
PID 4896 wrote to memory of 1312	4896	Mcbahlip.exe	86
PID 4896 wrote to memory of 1312	4896	Mcbahlip.exe	86
PID 4896 wrote to memory of 1312	4896	Mcbahlip.exe	86
PID 1312 wrote to memory of 3504	1312	Nacbfdao.exe	87
PID 1312 wrote to memory of 3504	1312	Nacbfdao.exe	87
PID 1312 wrote to memory of 3504	1312	Nacbfdao.exe	87
PID 3504 wrote to memory of 644	3504	Ndbnboqb.exe	88
PID 3504 wrote to memory of 644	3504	Ndbnboqb.exe	88
PID 3504 wrote to memory of 644	3504	Ndbnboqb.exe	88
PID 644 wrote to memory of 4928	644	Njogjfoj.exe	89
PID 644 wrote to memory of 4928	644	Njogjfoj.exe	89
PID 644 wrote to memory of 4928	644	Njogjfoj.exe	89
PID 4928 wrote to memory of 2380	4928	Nddkgonp.exe	90
PID 4928 wrote to memory of 2380	4928	Nddkgonp.exe	90
PID 4928 wrote to memory of 2380	4928	Nddkgonp.exe	90
PID 2380 wrote to memory of 2000	2380	Nnmopdep.exe	91
PID 2380 wrote to memory of 2000	2380	Nnmopdep.exe	91
PID 2380 wrote to memory of 2000	2380	Nnmopdep.exe	91
PID 2000 wrote to memory of 412	2000	Nqklmpdd.exe	92
PID 2000 wrote to memory of 412	2000	Nqklmpdd.exe	92
PID 2000 wrote to memory of 412	2000	Nqklmpdd.exe	92
PID 412 wrote to memory of 5012	412	Nkqpjidj.exe	93
PID 412 wrote to memory of 5012	412	Nkqpjidj.exe	93
PID 412 wrote to memory of 5012	412	Nkqpjidj.exe	93
PID 5012 wrote to memory of 516	5012	Nnolfdcn.exe	94
PID 5012 wrote to memory of 516	5012	Nnolfdcn.exe	94
PID 5012 wrote to memory of 516	5012	Nnolfdcn.exe	94
PID 516 wrote to memory of 4828	516	Ndidbn32.exe	95
PID 516 wrote to memory of 4828	516	Ndidbn32.exe	95
PID 516 wrote to memory of 4828	516	Ndidbn32.exe	95

C:\Users\Admin\AppData\Local\Temp\b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b7063910e57a24b9a8011818822f521399dbcbb653db337174e213e613ca5fe9_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\Mjjmog32.exe
  C:\Windows\system32\Mjjmog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\Mpdelajl.exe
    C:\Windows\system32\Mpdelajl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\SysWOW64\Mcbahlip.exe
      C:\Windows\system32\Mcbahlip.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        14⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 400
        15⤵
        Program crash
        
        PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4828 -ip 4828
1⤵
PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
96KB

MD5
c0fd1a95852335801a0dc254a4f91b6a

SHA1
072570afb26ace512adb933495ac77cb47253c3f

SHA256
75da284e16520ebf6ed99386f46af8966662e94b243da9ef1d24e3149fa9d6a6

SHA512
f60fde712e3ec25b17a4c090d4c910b8904cf388918f8f41814c17e62e10520c9bf3d3f8061000974b7a7a1ff09f0d5d547273fc2d5d744f6e41b008a51ac209

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
96KB

MD5
9da844527ec2a7871300d1d5a5dcf16a

SHA1
97bcb0c6a73fc30f71e2fa1700c4cc0dda8fcbad

SHA256
b27f5c55308ca43dd690c2d1d824d2f56a5588219a58ffd8cdbfd5ab48171be5

SHA512
e17ec4708111c1c9cde8967f174ce64465d8ff12dd85e0e86c68e4df991bf313caa743badc0ffd48b992e83640a2968f82c4ee3d56693313e53c9a5b2d2f2080

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
96KB

MD5
ada9f2469069a368b4578285a27f18a8

SHA1
49a37e2ffdb80467b6677762688a21c8e7cbb290

SHA256
51799f5a19b7c4f9f5474b2b8fdbaa4767de2a8eecbc9c96fd020cf2012bc1f2

SHA512
3919b82a5850a403b71617a1a8b72e7e098082a628e77b7bdb8c049611dd48d5ffdf1fc760331a2e6576f58da07ec9ce552fcb7fce1922d5217b3bb29d7be4f6

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
96KB

MD5
db5ccb8a4ed5545d2e80535e3945e277

SHA1
8a810405ebc8443587ecbc4a3468abb3a1dc3789

SHA256
189c2003f046bbf515a042e2d12628657dd4c9423922950f9ee927ec76f87fc2

SHA512
903aea896690e1c9017429c493e833c78a7b55ae7b43097c7b4989a8bec191da2bcd78272f417f063cd080925d3f07512a0971c0109146a6b129ae4f55cf0100

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
96KB

MD5
0e566309f6b42391fe4e923061e96f23

SHA1
99b86508dbf55af67ffd34f1127b261af8ac3224

SHA256
17f8d617515e36cd0cfc466a31bee9aa39cf1367e23fb268582cf130112cd55c

SHA512
2e1c34476b9435aa4f6d32ef7c777b3ac36e74fdfc6274f473cd73f1226952be8724e8132aed1d27feae3442dbbdf8dda338f2eb777c87d352bf0e7cf9cb68b0

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
96KB

MD5
1becdaeab523ebef897bf1bf36212860

SHA1
d51034397d8e4b1a0306959d6e665880bb309e55

SHA256
f232e3b57dd8cfbd7611165329f48ee9de1fed554f710f44fe92407885cc5a29

SHA512
6e093c9f7b130bb967ce4cac23c5004cbc23fe8cff5d083cd1ac0dc34b5dc71ecaeed2ab8fcbda16cc5a1a69af3440c5e90dfaface62457b45ceaeb187fec6ba

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
96KB

MD5
14acb8bcbbc99d70548c9b09d85772c6

SHA1
6ab32e4e2e41d25f4ae313e8eb408dc585443b60

SHA256
f1ee98a2499eacc273cbbbcda5d20d39ba252c6af57df69359cc9f8921f5da24

SHA512
9edad19d7b4ab6d96b93c22644163a8736d430989b4b3155ad0ac2615734a4f237f9802478a7f96758487fc378088bc961a164ce63ad19cf381da833e8654681

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
96KB

MD5
408e3cdc75a36da3d9eb2d4b509c3311

SHA1
7434c1feb010ec5de613101b7fe5c209c64cbacc

SHA256
16f8d6df6c916f95ce4f12e06c4bf1b2152f4d4615058e641c6cd1402ea4c0f4

SHA512
9e2a120689135c9f057ab8108d51fe2c53a2700c5dde7058d3c5faba931c817ed7ffe510cd3afa153612ada13f93fcf519d0927d620fabae65cd781bab27b2d6

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
96KB

MD5
3c04b295eb4a2bdc08995b102a198c06

SHA1
8c144978404febe9822cc1746ac68d5cd54b8d5c

SHA256
9ef87e277af9e3a65978398ec30b434855b7229b4e8cb79390cf48069b1a3d14

SHA512
e780ce05025801a41c21e1c572a5a0db25476044ee2c409a8f6880bb5d441efb1c79a5e759aa58e5c38d4f48422375d43f3e5c710e3e355e2ced8154f86b7517

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
96KB

MD5
cf1f1d8d94a88e317809ce4120688733

SHA1
ab6f2114580e63e07c24549007aa275c9c2f666b

SHA256
f187f07d56b032913f0c6c1a068c405a04a6e41e3b4b4a58b59e4996c6815faa

SHA512
017a93e10bc9f2fbd1625f74955df405054a3ce2b4311db93b44128547bc8df4b4b4189a80be81c5c2402848fb36ba11f991a15464d2a0407de122a19e015b28

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
96KB

MD5
593fa66c5b3bbf8409dd11a5fead73b0

SHA1
89d37120a93f9310d78536635b824d2fc93bab56

SHA256
a5d53cb96a76a000597f6203140fd1ab5a42332a5bae2085a45f635943a85d71

SHA512
83919c9875853acd2671c0f3a071e39a0e780ee9fe16070dac8c0a1646b5169c61cb67140247c06d6f11f09ed42441151509d10eaaf0366a0e6771ccf433612a

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
96KB

MD5
8420a3eb8f3e6d48b30e9c53eed02cff

SHA1
3b6ed2346454488239d11d57db62f3eeac2d6c13

SHA256
b0c931f5b1a7f5c26fc827b6ba8af2ffe2ee7d4f02668756761c40ed14701bc4

SHA512
610f20d5be1c0f173bff65b2034a6190b10a98f3223c16a50941a262087f62f072b0768fafe7ef787c759d34fe488fb0e87c92418dacbeb13ad79a22082aa136

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
96KB

MD5
1770019e3e54f8e0d342ec9c6eab6c92

SHA1
ab69cf99488174431eb49193d3f5991a99847c19

SHA256
f3324fe92a6c830b80904eca41513c25080b02dbc485b23cae1bc3a78ea7a243

SHA512
93cb2edd71388238eb9ea35e2cd7a556d4b099f790bd7c573d8529f38f58d9297a359d027a993384dfc539d627c98a3f2f710f5f1864b03c32472d02d4c2ed76

Download Submit
memory/212-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/212-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads