Malware Analysis Report

2025-08-05 19:17

Sample ID 240513-mej2haab5s
Target b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics
SHA256 245fe448bbd5a16b56c50c42819d9f475a8c27b51ccc08858d61121d1161a4f1
Tags
evasion persistence
score
10/10

Analysis Overview

score
10/10

SHA256

245fe448bbd5a16b56c50c42819d9f475a8c27b51ccc08858d61121d1161a4f1

Threat Level: Known bad

The file b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-13 10:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-13 10:22

Reported

2024-05-13 10:25

Platform

win7-20240508-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\xouafa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\xouafa.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /i" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /j" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /m" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /w" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /h" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /z" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /f" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /z" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /o" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /p" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /n" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /d" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /b" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /g" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /y" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /n" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /v" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /s" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /r" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /s" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /t" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /h" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /w" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /b" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /q" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /k" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /d" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /c" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /g" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /i" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /a" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /p" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /m" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /q" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /a" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /f" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /u" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /x" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /k" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /j" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /o" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /l" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /s" C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /t" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /v" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /u" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /y" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /r" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /u" C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /e" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /e" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /c" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /x" C:\Users\Admin\xouafa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /l" C:\Users\Admin\xouafa.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\xouafa.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\xouafa.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\xouafa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe"

C:\Users\Admin\xouafa.exe

"C:\Users\Admin\xouafa.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.helpupdates.com udp
US 8.8.8.8:53 ns1.helpupdates.net udp
US 107.178.223.183:8003 ns1.helpupdates.net tcp

Files

C:\Users\Admin\xouafa.exe

MD5 40dc4ac6b048bf44da4a33bf6de103ac
SHA1 f08484bb0c0cef1290357e0092946ec936448078
SHA256 68d021f61b445df7b3a0dfc7c640eacb5ac8f2aa4b27a3c3dd1a06b4badabf6b
SHA512 646218d1c74e21d5cf3ac61230e118097db084da10aa684985abe045ec105c2f1eec3f808a38a8045ab9e9563eab4acac43ae701a3a182dcbb84b3e97db1c561

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-13 10:22

Reported

2024-05-13 10:25

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\loeruaj.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\loeruaj.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /q" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /h" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /w" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /f" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /b" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /p" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /t" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /n" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /i" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /i" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /g" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /n" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /j" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /r" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /s" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /c" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /u" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /k" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /b" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /w" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /v" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /z" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /m" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /a" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /f" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /q" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /e" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /v" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /p" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /m" C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /o" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /h" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /m" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /s" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /c" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /f" C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /l" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /z" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /o" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /r" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /e" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /l" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /k" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /j" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /a" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /x" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /d" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /x" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /g" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /y" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /t" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /y" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /d" C:\Users\Admin\loeruaj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /u" C:\Users\Admin\loeruaj.exe N/A

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\loeruaj.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\loeruaj.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\loeruaj.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Users\Admin\loeruaj.exe

"C:\Users\Admin\loeruaj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.131:443 www.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 131.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
NL 23.62.61.131:443 www.bing.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 ns1.helpupdates.org udp
US 8.8.8.8:53 ns1.helpupdated.net udp
US 8.8.8.8:53 ns1.helpupdates.net udp
US 104.155.138.21:8003 ns1.helpupdates.net tcp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\loeruaj.exe

MD5 a8009a7b86c41ae8dac76aab64e7e4e3
SHA1 1f77c531fa410530b30c7d47dc1bd755083e6800
SHA256 a40aa852e4a93fbae459489bee0209b6c2a0d97ec6ee80422ff9c8697e4ba8b9
SHA512 a5057f137f73cd3a2826239cd0a98f1a48b112247d0695c32e9e873366d0eb98d41ea6b12acc4d85a7f4bac0e0f2477a94beb7b09ff8d0c39f27b507d33849cc