Analysis Overview
SHA256
245fe448bbd5a16b56c50c42819d9f475a8c27b51ccc08858d61121d1161a4f1
Threat Level: Known bad
The file b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-13 10:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-13 10:22
Reported
2024-05-13 10:25
Platform
win7-20240508-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\xouafa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\xouafa.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /i" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /j" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /m" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /w" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /h" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /z" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /f" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /z" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /o" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /p" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /n" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /d" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /b" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /g" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /y" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /n" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /v" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /s" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /r" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /s" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /t" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /h" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /w" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /b" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /q" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /k" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /d" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /c" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /g" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /i" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /a" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /p" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /m" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /q" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /a" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /f" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /u" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /x" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /k" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /j" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /o" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /l" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /s" | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /t" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /v" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /u" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /y" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /r" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /u" | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /e" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /e" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /c" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /x" | C:\Users\Admin\xouafa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xouafa = "C:\\Users\\Admin\\xouafa.exe /l" | C:\Users\Admin\xouafa.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\xouafa.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\xouafa.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2244 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | C:\Users\Admin\xouafa.exe |
| PID 2244 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | C:\Users\Admin\xouafa.exe |
| PID 2244 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | C:\Users\Admin\xouafa.exe |
| PID 2244 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | C:\Users\Admin\xouafa.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe"
C:\Users\Admin\xouafa.exe
"C:\Users\Admin\xouafa.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ns1.helpupdates.com | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.net | udp |
| US | 107.178.223.183:8003 | ns1.helpupdates.net | tcp |
Files
C:\Users\Admin\xouafa.exe
| Hash | Value |
| --- | --- |
| MD5 | 40dc4ac6b048bf44da4a33bf6de103ac |
| SHA1 | f08484bb0c0cef1290357e0092946ec936448078 |
| SHA256 | 68d021f61b445df7b3a0dfc7c640eacb5ac8f2aa4b27a3c3dd1a06b4badabf6b |
| SHA512 | 646218d1c74e21d5cf3ac61230e118097db084da10aa684985abe045ec105c2f1eec3f808a38a8045ab9e9563eab4acac43ae701a3a182dcbb84b3e97db1c561 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-13 10:22
Reported
2024-05-13 10:25
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\loeruaj.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\loeruaj.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /q" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /h" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /w" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /f" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /b" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /p" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /t" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /n" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /i" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /i" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /g" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /n" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /j" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /r" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /s" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /c" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /u" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /k" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /b" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /w" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /v" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /z" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /m" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /a" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /f" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /q" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /e" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /v" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /p" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /m" | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /o" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /h" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /m" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /s" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /c" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /f" | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /l" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /z" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /o" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /r" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /e" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /l" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /k" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /j" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /a" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /x" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /d" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /x" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /g" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /y" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /t" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /y" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /d" | C:\Users\Admin\loeruaj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loeruaj = "C:\\Users\\Admin\\loeruaj.exe /u" | C:\Users\Admin\loeruaj.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\loeruaj.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\loeruaj.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4604 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | C:\Users\Admin\loeruaj.exe |
| PID 4604 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | C:\Users\Admin\loeruaj.exe |
| PID 4604 wrote to memory of 3304 | N/A | C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe | C:\Users\Admin\loeruaj.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b254fc8144e93fafc5e3bdab1cc94f00_NeikiAnalytics.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Users\Admin\loeruaj.exe
"C:\Users\Admin\loeruaj.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.org | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.net | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.net | udp |
| US | 104.155.138.21:8003 | ns1.helpupdates.net | tcp |
| US | 8.8.8.8:53 | 21.138.155.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\loeruaj.exe
| Hash | Value |
| --- | --- |
| MD5 | a8009a7b86c41ae8dac76aab64e7e4e3 |
| SHA1 | 1f77c531fa410530b30c7d47dc1bd755083e6800 |
| SHA256 | a40aa852e4a93fbae459489bee0209b6c2a0d97ec6ee80422ff9c8697e4ba8b9 |
| SHA512 | a5057f137f73cd3a2826239cd0a98f1a48b112247d0695c32e9e873366d0eb98d41ea6b12acc4d85a7f4bac0e0f2477a94beb7b09ff8d0c39f27b507d33849cc |