Malware Analysis Report

2025-08-11 00:07

Sample ID 240513-hrjt2sed32
Target a398310cac612dd27926ccff2f206ae0_NeikiAnalytics
SHA256 b5b8e887666d37b382d4ea9fa5516881ae2208ad26d70e60b3ea3c297850a9d3
Tags: evasion persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b5b8e887666d37b382d4ea9fa5516881ae2208ad26d70e60b3ea3c297850a9d3

Threat Level: Known bad

The file a398310cac612dd27926ccff2f206ae0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Windows security bypass

Modifies Installed Components in the registry

Sets file execution options in registry

Windows security modification

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 06:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 06:58

Reported

2024-05-13 07:00

Platform

win7-20240508-en

Max time kernel

149s

Max time network

122s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350} C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\IsInstalled = "1" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\StubPath = "C:\\Windows\\system32\\eatximoom-udeab.exe" C:\Windows\SysWOW64\ixxofax.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ekroocar-sat.exe" C:\Windows\SysWOW64\ixxofax.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ixxofax.exe N/A
N/A N/A C:\Windows\SysWOW64\ixxofax.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\ixxofax.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\ixxofax.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\igcooseak.dll" C:\Windows\SysWOW64\ixxofax.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ekroocar-sat.exe C:\Windows\SysWOW64\ixxofax.exe N/A
File opened for modification C:\Windows\SysWOW64\igcooseak.dll C:\Windows\SysWOW64\ixxofax.exe N/A
File opened for modification C:\Windows\SysWOW64\ixxofax.exe C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\ixxofax.exe C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ekroocar-sat.exe C:\Windows\SysWOW64\ixxofax.exe N/A
File opened for modification C:\Windows\SysWOW64\ixxofax.exe C:\Windows\SysWOW64\ixxofax.exe N/A
File opened for modification C:\Windows\SysWOW64\eatximoom-udeab.exe C:\Windows\SysWOW64\ixxofax.exe N/A
File created C:\Windows\SysWOW64\eatximoom-udeab.exe C:\Windows\SysWOW64\ixxofax.exe N/A
File created C:\Windows\SysWOW64\igcooseak.dll C:\Windows\SysWOW64\ixxofax.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\ixxofax.exe N/A 64

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\ixxofax.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1736 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe C:\Windows\SysWOW64\ixxofax.exe 4
PID 2120 wrote to memory of 428 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\system32\winlogon.exe 1
PID 2120 wrote to memory of 1208 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE 55
PID 2120 wrote to memory of 2620 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\SysWOW64\ixxofax.exe 4
(64 events in total; identical rows collapsed, number of occurrences in the last column)

Processes

Image Command line
C:\Windows\system32\winlogon.exe winlogon.exe
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\ixxofax.exe "C:\Windows\system32\ixxofax.exe"
C:\Windows\SysWOW64\ixxofax.exe --k33p

winlogon.exe and Explorer.EXE are pre-existing system processes; they appear here because ixxofax.exe wrote into their memory (see Suspicious use of WriteProcessMemory above), not because the sample started them. The image path of ixxofax.exe differs from its command line because the process is 32-bit and subject to WOW64 file system redirection: a path under C:\Windows\system32\ resolves to C:\Windows\SysWOW64\ for it.

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 ouileia.kr udp 2

Files

\Windows\SysWOW64\ixxofax.exe

MD5 a398310cac612dd27926ccff2f206ae0
SHA1 ff5fe2c0a4f3aec7a6b88a5c64c897c3ec71a968
SHA256 b5b8e887666d37b382d4ea9fa5516881ae2208ad26d70e60b3ea3c297850a9d3
SHA512 fb35dda335b0d6f6617014f79978b5cff8a9830d0dfbebe354ccb6a6c2b8d3c474af09da7fbfa24043a6230240580e40d6874defe39b77567517f7c591973fdd

Same MD5 and SHA256 as the submitted sample (see the header): ixxofax.exe is a straight copy of the dropper, written to SysWOW64 and re-executed from there.

memory/1736-10-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\eatximoom-udeab.exe

MD5 f4d695353e3d9a4fc4d447a19aa6fcda
SHA1 9bd064d583c4535ab25f10cb057cf203ddff31b9
SHA256 bc3150a92f999ea0ecce1ca6adf239247e17583a701a81399cc02ba5fcdcb3cf
SHA512 1de008d7fe1d67924fbda752b8a492c21c7e9a8403aa0e240f3de22acf8b4431b4277992f7449b38e7598bb73248530608ca5cdee6796a4a78d4fb30f41d61f2

C:\Windows\SysWOW64\igcooseak.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\ekroocar-sat.exe

MD5 4c5c042051a0d391887fabdba6c80493
SHA1 8b7ff807d422870ab8db20c68073478f1fc4063a
SHA256 158c50f6e0033be4b18780e204609c06e1aa20e176bfabfda75f19becabb5228
SHA512 f5b0b9233b154ecdb7d49c55efc6b0422850f409e090c2650619fa37862dc05ea14152bf28dc9d51b67200cd337841e81c25749bc460c02cb56432505f236cd3

memory/2120-55-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2620-56-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 06:58

Reported

2024-05-13 07:00

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451} C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451}\IsInstalled = "1" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451}\StubPath = "C:\\Windows\\system32\\eatximoom-udeab.exe" C:\Windows\SysWOW64\ixxofax.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ekroocar-sat.exe" C:\Windows\SysWOW64\ixxofax.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ixxofax.exe N/A
N/A N/A C:\Windows\SysWOW64\ixxofax.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\ixxofax.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\ixxofax.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\igcooseak.dll" C:\Windows\SysWOW64\ixxofax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\ixxofax.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\eatximoom-udeab.exe C:\Windows\SysWOW64\ixxofax.exe N/A
File opened for modification C:\Windows\SysWOW64\igcooseak.dll C:\Windows\SysWOW64\ixxofax.exe N/A
File opened for modification C:\Windows\SysWOW64\ixxofax.exe C:\Windows\SysWOW64\ixxofax.exe N/A
File opened for modification C:\Windows\SysWOW64\ixxofax.exe C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\ixxofax.exe C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\ekroocar-sat.exe C:\Windows\SysWOW64\ixxofax.exe N/A
File opened for modification C:\Windows\SysWOW64\ekroocar-sat.exe C:\Windows\SysWOW64\ixxofax.exe N/A
File created C:\Windows\SysWOW64\eatximoom-udeab.exe C:\Windows\SysWOW64\ixxofax.exe N/A
File created C:\Windows\SysWOW64\igcooseak.dll C:\Windows\SysWOW64\ixxofax.exe N/A
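Both detonations record the same four registry mechanisms, all written by the 32-bit ixxofax.exe: Security Center notification/override values, an Active Setup StubPath, an IFEO Debugger on explorer.exe and a Winlogon\Notify DLLName, plus one oversized value name set to "a" under each persistence key. The script below is an added example, not part of the sandbox output. It parses the "Set value"/"Key created" rows as transcribed from the behavioral1 tables (behavioral2 differs only in the Active Setup GUID and the case of Wow6432Node), maps each row to the ATT&CK technique it implements, and then checks where every referenced binary actually landed, given that a 32-bit writer's C:\Windows\system32\ is redirected to C:\Windows\SysWOW64\. The technique mapping, the 64-character threshold for flagging a padding value name and the 134-character stand-in value name are the author's assumptions; the file set comes from the "File created" rows above.

```python
"""Classify the registry writes recorded for ixxofax.exe and check where each
referenced binary actually landed (WOW64 file system redirection).
Added example, not sandbox output. Rows transcribed from the behavioral1 tables;
technique mapping, 64-char padding threshold and redirection logic are the author's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SC = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center"
ACTIVE_SETUP = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup"
                r"\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}")
IFEO = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
        r"\Image File Execution Options\explorer.exe")
NOTIFY = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT"
          r"\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}")
PADDING_NAME = "0123456789" * 13 + "0123"   # constructed stand-in for the report's long value name

REGISTRY_ROWS = [
    rf'Set value (int) {SC}\AntiVirusOverride = "25600"',
    rf'Set value (int) {SC}\AntiVirusDisableNotify = "25600"',
    rf'Set value (int) {SC}\FirewallDisableNotify = "25600"',
    rf'Set value (int) {SC}\UpdatesDisableNotify = "25600"',
    rf'Key created {ACTIVE_SETUP}',
    rf'Set value (int) {ACTIVE_SETUP}\IsInstalled = "1"',
    rf'Set value (str) {ACTIVE_SETUP}\StubPath = "C:\\Windows\\system32\\eatximoom-udeab.exe"',
    rf'Key created {IFEO}',
    rf'Set value (str) {IFEO}\Debugger = "C:\\Windows\\system32\\ekroocar-sat.exe"',
    rf'Set value (str) {NOTIFY}\DLLName = "C:\\Windows\\system32\\igcooseak.dll"',
    rf'Set value (str) {NOTIFY}\Startup = "Startup"',
    rf'Set value (str) {NOTIFY}' + "\\" + PADDING_NAME + ' = "a"',
]
# "File created" rows from the Drops file in System32 directory table.
DROPPED_FILES = {r"C:\Windows\SysWOW64\ixxofax.exe", r"C:\Windows\SysWOW64\ekroocar-sat.exe",
                 r"C:\Windows\SysWOW64\eatximoom-udeab.exe", r"C:\Windows\SysWOW64\igcooseak.dll"}
SECURITY_CENTER = {"antivirusoverride", "antivirusdisablenotify",
                   "firewalldisablenotify", "updatesdisablenotify"}
ROW_RE = re.compile(r'^(Key created|Set value) (?:\(\w+\) )?(\\REGISTRY\\MACHINE\\.+?)(?: = "(.*)")?$')


@dataclass
class Finding:
    technique: Optional[str]
    label: str
    key: str                 # logical key with the Wow6432Node component removed
    view: str                # "Wow6432Node" or "native/shared"
    value_name: Optional[str]
    data: Optional[str]
    referenced_path: Optional[str] = None
    exists_as_written: Optional[bool] = None   # file present at the literal path?
    exists_via_wow64: Optional[bool] = None    # present where a 32-bit process really lands?


def normalise(path: str) -> Tuple[str, str]:
    """Map a kernel registry path to an HKLM path and report which WOW64 view it hit."""
    path = "HKLM" + path[len(r"\REGISTRY\MACHINE"):]
    idx = path.lower().find("\\wow6432node")
    if idx < 0:
        return path, "native/shared"
    return path[:idx] + path[idx + len("\\wow6432node"):], "Wow6432Node"


def wow64_redirect(path: str) -> str:
    """Where a 32-bit process's access to the System32 directory actually lands."""
    prefix = "c:\\windows\\system32\\"
    return "C:\\Windows\\SysWOW64\\" + path[len(prefix):] if path.lower().startswith(prefix) else path


def classify(key: str, value_name: Optional[str]) -> Tuple[Optional[str], str]:
    k, v = key.lower(), (value_name or "").lower()
    if len(v) > 64:
        return "T1112", "oversized value name (padding)"
    if "\\image file execution options\\" in k and v == "debugger":
        return "T1546.012", "IFEO Debugger set for " + key.rsplit("\\", 1)[-1]
    if "\\active setup\\installed components\\" in k and v == "stubpath":
        return "T1547.014", "Active Setup StubPath"
    if "\\winlogon\\notify\\" in k and v == "dllname":
        return "T1547.004", "Winlogon Notify DLLName"
    if k.endswith("\\security center") and v in SECURITY_CENTER:
        return "T1562.001", "Security Center notification/override tampering"
    return None, "no rule matched"


def analyze(rows: List[str], dropped_files) -> List[Finding]:
    dropped = {p.lower() for p in dropped_files}
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        op, raw_path, data = m.groups()
        if data is not None:
            data = data.replace("\\\\", "\\")          # the report escapes backslashes in data
        path, view = normalise(raw_path)
        key, value_name = path.rsplit("\\", 1) if op == "Set value" else (path, None)
        technique, label = classify(key, value_name)
        f = Finding(technique, label, key, view, value_name, data)
        if data and re.match(r"^[A-Za-z]:\\", data):
            f.referenced_path = data
            f.exists_as_written = data.lower() in dropped
            f.exists_via_wow64 = wow64_redirect(data).lower() in dropped
        findings.append(f)
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Technique -> number of matching registry events."""
    out: Dict[str, int] = {}
    for f in findings:
        if f.technique:
            out[f.technique] = out.get(f.technique, 0) + 1
    return out


if __name__ == "__main__":
    for f in analyze(REGISTRY_ROWS, DROPPED_FILES):
        print(f.technique, f.label, f.view, f.referenced_path, f.exists_as_written, f.exists_via_wow64)
```

Three things the output makes explicit. The IFEO write is the only one without a Wow6432Node component: that key is one WOW64 shares between the 32-bit and 64-bit registry views, so the Debugger value is seen by whichever process launches explorer.exe. Every StubPath, Debugger and DLLName value names a file under C:\Windows\system32\, yet the "File created" rows place all of them under C:\Windows\SysWOW64\, so the paths as written resolve only from a 32-bit process. Finally, Winlogon notification packages (the Winlogon\Notify key) are not loaded on Windows Vista and later, so on both detonation platforms (win7, win10) that entry is an artifact worth collecting as an IOC rather than a live persistence path.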

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\ixxofax.exe N/A 64

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\ixxofax.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe C:\Windows\SysWOW64\ixxofax.exe
PID 2720 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe C:\Windows\SysWOW64\ixxofax.exe
PID 2720 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe C:\Windows\SysWOW64\ixxofax.exe
PID 4628 wrote to memory of 612 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\system32\winlogon.exe
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 5112 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\SysWOW64\ixxofax.exe
PID 4628 wrote to memory of 5112 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\SysWOW64\ixxofax.exe
PID 4628 wrote to memory of 5112 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\SysWOW64\ixxofax.exe
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE
The row above is recorded 38 times in the report: 38 separate writes by ixxofax.exe (PID 4628) into the address space of Explorer.EXE (PID 3580), all with the same source, target and indicator.
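The rows in this table are one event per WriteProcessMemory call, so the signal a triage analyst wants is the aggregated source/target pair and its count, plus a rule that singles out writes into processes a freshly dropped binary has no reason to touch. The following is an added example, not code from the report or the sandbox: it parses rows in the report's "Description Indicator Process Target" layout, collapses repeats, and flags cross-process writes into a list of high-value Windows processes. The input rows are constructed to match the report; the HIGH_VALUE_TARGETS list is an assumption, not something the report states.

```python
"""Aggregate and triage the 'wrote to memory of' rows from a sandbox report.

Added example, not part of the report. Parses rows in the report's
"Description Indicator Process Target" layout, collapses repeated rows,
and flags writes into high-value Windows processes such as Explorer.EXE.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# One report row: "PID <src> wrote to memory of <dst> <indicator> <process> <target>".
# Paths in this report contain no spaces; a path with spaces would need a
# different split (for example a tab-separated export of the same table).
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<indicator>\S+) (?P<process>\S+) (?P<target>\S+)$"
)

# Assumed list: processes a just-dropped binary has no legitimate reason to write into.
HIGH_VALUE_TARGETS = {"explorer.exe", "winlogon.exe", "lsass.exe", "svchost.exe"}

# Constructed input: the row the report repeats 38 times.
REPORT_ROWS = [
    r"PID 4628 wrote to memory of 3580 N/A C:\Windows\SysWOW64\ixxofax.exe C:\Windows\Explorer.EXE"
] * 38


def parse_rows(lines):
    """Return one dict per parseable row; rows that do not match are skipped."""
    events = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            events.append({
                "src_pid": int(m["src"]),
                "dst_pid": int(m["dst"]),
                "process": m["process"],
                "target": m["target"],
            })
    return events


def aggregate(events):
    """Collapse repeated rows into (src_pid, dst_pid, process, target) -> count."""
    return Counter(
        (e["src_pid"], e["dst_pid"], e["process"], e["target"]) for e in events
    )


def triage(counts):
    """Flag cross-process writes whose target is a high-value Windows process."""
    findings = []
    for (src_pid, dst_pid, process, target), n in counts.items():
        if src_pid == dst_pid:
            continue  # a process writing its own memory is not injection
        if PureWindowsPath(target).name.lower() in HIGH_VALUE_TARGETS:
            findings.append({
                "src_pid": src_pid, "dst_pid": dst_pid,
                "process": process, "target": target, "writes": n,
            })
    return findings


if __name__ == "__main__":
    for f in triage(aggregate(parse_rows(REPORT_ROWS))):
        print(f"{f['process']} (PID {f['src_pid']}) -> {f['target']} "
              f"(PID {f['dst_pid']}): {f['writes']} writes")
```

Run against the report's rows this yields a single finding: ixxofax.exe (4628) writing into Explorer.EXE (3580) 38 times. The same aggregation is the right shape for Sysmon event ID 10 (ProcessAccess) or EDR cross-process write telemetry on a live host, where the source image and target image fields replace the two path columns.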

Processes

Process Command line
C:\Windows\system32\winlogon.exe winlogon.exe
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\a398310cac612dd27926ccff2f206ae0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\ixxofax.exe "C:\Windows\system32\ixxofax.exe"
C:\Windows\SysWOW64\ixxofax.exe --k33p

The command line for ixxofax.exe names C:\Windows\system32 while the image path is recorded under C:\Windows\SysWOW64: the dropped binary is 32-bit (its registry writes land under Wow6432Node), so WoW64 file system redirection maps the system32 path it was launched with onto SysWOW64.

Network

Country Destination Domain Proto
US 8.8.8.8:53 wasuzuuegmp.ph udp
US 45.79.222.138:80 wasuzuuegmp.ph tcp
US 8.8.8.8:53 utbidet-ugeas.biz udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 138.222.79.45.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 54.157.24.8:80 utbidet-ugeas.biz tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 utbidet-ugeas.biz udp
US 54.157.24.8:80 utbidet-ugeas.biz tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 8.24.157.54.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
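Most of the Network table is sandbox background (Bing hosts the Windows image contacts on its own, and the reverse PTR lookups Windows issues for addresses it has seen); the rows that matter are the two domains resolved via 8.8.8.8 and then contacted over plain HTTP on port 80. The following is an added example, not the report's or the sandbox's own code: it parses rows in the "Country Destination Domain Proto" layout, attributes each DNS query and each TCP connection to its domain, and returns what is left after an assumed noise list is removed. The noise suffixes are an assumption for this environment, and the input rows are a constructed subset of the table above.

```python
"""Extract network IOCs from the report's Network table.

Added example, not part of the report. Pairs each DNS lookup with the TCP
connections to the same domain, then drops traffic this sandbox image
generates by itself (NOISE_SUFFIXES is an assumption for this environment).
"""
import re
from collections import defaultdict

# One row: "<country> <ip>:<port> <domain> <proto>"
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<domain>\S+) (?P<proto>tcp|udp)$"
)

# Assumed sandbox noise: Microsoft hosts the Windows image contacts on its own
# and the reverse (PTR) lookups Windows issues for addresses it has seen.
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")

# Constructed input: a subset of the report's rows, in report order.
NETWORK_ROWS = """\
US 8.8.8.8:53 wasuzuuegmp.ph udp
US 45.79.222.138:80 wasuzuuegmp.ph tcp
US 8.8.8.8:53 utbidet-ugeas.biz udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 54.157.24.8:80 utbidet-ugeas.biz tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 utbidet-ugeas.biz udp
US 54.157.24.8:80 utbidet-ugeas.biz tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
""".splitlines()


def parse_rows(lines):
    """Return one dict per parseable row; rows that do not match are skipped."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                         "domain": m["domain"], "proto": m["proto"]})
    return rows


def summarize(rows):
    """domain -> {"lookups": DNS query count, "connections": {(ip, port): count}}.

    UDP/53 rows are queries sent to the resolver (8.8.8.8 in this report)
    and are credited to the queried domain, not to the resolver address."""
    summary = defaultdict(lambda: {"lookups": 0, "connections": defaultdict(int)})
    for r in rows:
        entry = summary[r["domain"]]
        if r["proto"] == "udp" and r["port"] == 53:
            entry["lookups"] += 1
        else:
            entry["connections"][(r["ip"], r["port"])] += 1
    return summary


def is_noise(domain):
    return domain.endswith(NOISE_SUFFIXES)


def candidate_c2(summary):
    """Domains the sample actually connected to, minus assumed sandbox noise.

    Returns a sorted list of (domain, [(ip, port, count), ...])."""
    out = []
    for domain, entry in summary.items():
        if is_noise(domain) or not entry["connections"]:
            continue
        conns = sorted((ip, port, n) for (ip, port), n in entry["connections"].items())
        out.append((domain, conns))
    return sorted(out)


def plaintext_http(summary):
    """Domains contacted on TCP/80; plain HTTP is searchable in proxy logs."""
    return sorted(d for d, e in summary.items()
                  if any(port == 80 for (_, port) in e["connections"]))


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_ROWS))
    for domain, conns in candidate_c2(s):
        print(domain, conns)
```

On the constructed subset this leaves utbidet-ugeas.biz (54.157.24.8:80, contacted twice) and wasuzuuegmp.ph (45.79.222.138:80); those two domains, the two IP:port pairs, and HTTP on port 80 are the network indicators worth hunting for. The resolver address 8.8.8.8 is the sandbox's, not an indicator.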

Files

memory/2720-6-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\ixxofax.exe

MD5 a398310cac612dd27926ccff2f206ae0
SHA1 ff5fe2c0a4f3aec7a6b88a5c64c897c3ec71a968
SHA256 b5b8e887666d37b382d4ea9fa5516881ae2208ad26d70e60b3ea3c297850a9d3
SHA512 fb35dda335b0d6f6617014f79978b5cff8a9830d0dfbebe354ccb6a6c2b8d3c474af09da7fbfa24043a6230240580e40d6874defe39b77567517f7c591973fdd
This SHA256 is the submitted sample's own (see the report header), so the dropped ixxofax.exe is an unmodified copy of the original executable placed in SysWOW64; the three other dropped files below carry different hashes and are distinct payloads.

C:\Windows\SysWOW64\igcooseak.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\ekroocar-sat.exe

MD5 c1275ea30e01f462bbbad933784cab2e
SHA1 237a54a9aa8fe7d3742c8d3652d518726d0acbfd
SHA256 823a419cb1a22dedaff508af838a7159e18954b37a2dc53fe1c4763cb14ffbc3
SHA512 78f50e858916d583812fc105eeaec653998985acc4cdbf8789d9541479f3123e9ce52abd5cb7d11016d9b69ace40c5273cd1444d20c0df477494e1bb07d5ba2a

C:\Windows\SysWOW64\eatximoom-udeab.exe

MD5 64139ae940266c0b16b8f7a9d1544b65
SHA1 9152211e01d6a44b4cb42561bd4d90126d6c7f9c
SHA256 63cd42f293eaa149dd078470079533a4e26a7707e83f1621ad868eedf8c9cb11
SHA512 905a460fbdcd5634ac355ff4852b0d144c07077fbf58a45b026795a9e8dba46627ce72eeff899951528ed355aa1d2fb0f669f62c910ef46a43225677486499f0

memory/4628-49-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5112-50-0x0000000000400000-0x0000000000414000-memory.dmp
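The Files section is the host-side IOC set: four paths under C:\Windows\SysWOW64 with their hashes, and three memory dumps of the same 0x400000-0x414000 region taken from three PIDs. The following is an added example, not the report's own code: it copies those paths and SHA256 values, derives which dropped file is a byte-identical copy of the submitted sample, decodes the memory dump names into PID and region size, and checks a file tree against the IOC list. The scan root and the file written into it by demo_scan() are constructed so the code runs offline; on a real host the root would be the system drive.

```python
"""Cross-check a host against the report's Files section.

Added example, not part of the report. Paths and hashes are copied from the
report; the scan root used in demo_scan() and the file written into it are
constructed so the code runs offline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 of the submitted sample (from the report header).
SAMPLE_SHA256 = "b5b8e887666d37b382d4ea9fa5516881ae2208ad26d70e60b3ea3c297850a9d3"

# Dropped files, relative to the system drive, with their reported SHA256.
DROPPED = {
    r"Windows\SysWOW64\ixxofax.exe":
        "b5b8e887666d37b382d4ea9fa5516881ae2208ad26d70e60b3ea3c297850a9d3",
    r"Windows\SysWOW64\igcooseak.dll":
        "76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0",
    r"Windows\SysWOW64\ekroocar-sat.exe":
        "823a419cb1a22dedaff508af838a7159e18954b37a2dc53fe1c4763cb14ffbc3",
    r"Windows\SysWOW64\eatximoom-udeab.exe":
        "63cd42f293eaa149dd078470079533a4e26a7707e83f1621ad868eedf8c9cb11",
}

# Memory dump names in the report: memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def copies_of_sample(dropped=DROPPED, sample=SAMPLE_SHA256):
    """Dropped paths whose reported hash equals the submitted sample's."""
    return sorted(p for p, h in dropped.items() if h.lower() == sample.lower())


def parse_memdump(name):
    """Return pid, start, end and size of a dumped region, or None if unparseable."""
    m = MEMDUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, dropped=DROPPED):
    """For each IOC path under root: 'absent', 'hash-match' or 'hash-mismatch'.

    A mismatch still matters: none of these file names ships with a clean
    Windows install, so presence alone is worth an investigation."""
    results = {}
    for rel, expected in dropped.items():
        p = Path(root).joinpath(*rel.split("\\"))
        if not p.is_file():
            results[rel] = "absent"
        elif sha256_file(p) == expected:
            results[rel] = "hash-match"
        else:
            results[rel] = "hash-mismatch"
    return results


def demo_scan():
    """Constructed tree: one IOC file name present with unrelated content."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / "Windows" / "SysWOW64" / "ixxofax.exe"
        target.parent.mkdir(parents=True)
        target.write_bytes(b"constructed placeholder, not the real sample")
        return scan(root)


if __name__ == "__main__":
    print("copies of sample:", copies_of_sample())
    print(parse_memdump("memory/2720-6-0x0000000000400000-0x0000000000414000-memory.dmp"))
    print(demo_scan())
```

The decoded dump names show the same 0x14000-byte (80 KiB) image at 0x400000 in PIDs 2720, 4628 and 5112, which matches the process list: the original sample, the dropped copy, and the second ixxofax.exe instance all run the same small executable.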