17a1f0990f681b8d5ed75a146915419cc749388f0210f18ea60391a1745c4bd6

Analysis

max time kernel
21s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe
Size

132KB
MD5

5dbf7a3d105b704002ee3c7720ab54c0
SHA1

3f2fe8a0ad29694fa5b41feb8282da6d73776d1a
SHA256

17a1f0990f681b8d5ed75a146915419cc749388f0210f18ea60391a1745c4bd6
SHA512

a57c7135f2dddb0ac28e8f0c8032d71e27c3aa73f7a34ae80ea9612360ddfcc86d03fa486575a73694ca9eccee154b2f134dd291acfdde75a508290b2967d178
SSDEEP

1536:7FAKp6qj6E09L6KWHheM8uFNzAhH02jpX00cPG306sgXtlO3mnXQ3:7Hp6s6E08XBEEND2x0Q06sgO2A3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xoadoh.exe

Executes dropped EXE 1 IoCs

pid	Process
1884	xoadoh.exe

Loads dropped DLL 2 IoCs

pid	Process
2008	5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe
2008	5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /q"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /g"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /h"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /h"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /p"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /g"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /m"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /v"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /j"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /s"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /x"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /y"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /x"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /a"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /v"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /n"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /b"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /z"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /k"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /c"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /l"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /w"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /s"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /p"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /b"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /r"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /k"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /l"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /e"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /j"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /q"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /n"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /y"	5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /w"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /m"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /c"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /y"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /t"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /i"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /d"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /e"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /t"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /r"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /d"	5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /f"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /i"	xoadoh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /o"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /o"	xoadoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xoadoh = "C:\\Users\\Admin\\xoadoh.exe /a"	xoadoh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2008	5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe
1884	xoadoh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2008	5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe
1884	xoadoh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1884	2008	5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe	28
PID 2008 wrote to memory of 1884	2008	5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe	28
PID 2008 wrote to memory of 1884	2008	5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe	28
PID 2008 wrote to memory of 1884	2008	5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5dbf7a3d105b704002ee3c7720ab54c0_NeikiAnalytics.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\xoadoh.exe
  "C:\Users\Admin\xoadoh.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\xoadoh.exe

Filesize
132KB

MD5
082ff6d8d774931dda57a4b378205470

SHA1
58db0f164f3de9cb0c21f73b7d016195c311ac55

SHA256
6385a1c4a30fcbedf11a86f8abdbc218cf42afdca04e93e545fb8c5f8ba1626d

SHA512
4307cc94115ae175409bdd05e8d8d22e09a536d99be0224d54fa981e8bbbf86701c079858d527638e232ce85501c514133d55fc199415b9f21a54e3429273a3a

Download Submit