Malware Analysis Report

2025-01-22 12:25

Sample ID 240515-27cv8aha21
Target 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics
SHA256 9d766ccec38da285984a93cde16590b6b569a511b4202ffdf3632d4369520de0
Tags aspackv2, persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

9d766ccec38da285984a93cde16590b6b569a511b4202ffdf3632d4369520de0

Threat Level: Shows suspicious behavior

The file 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics was classified as showing suspicious behavior; no malware family is named, and the 7/10 score rests on the persistence, file-association and COM registration signatures summarized below.

Malicious Activity Summary

aspackv2 persistence

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 23:13

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 23:13

Reported

2024-05-15 23:15

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\$Recycle.Bin\wininit.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LHCMD.EXE = "C:\\Program Files (x86)\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: through \??\V: (17 drive letters E: to V:, F: not among them) C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
File opened (read-only) \??\E: through \??\V: (the same 17 letters) C:\$Recycle.Bin\wininit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\LHCMD.EXE C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Ms7002.dll C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\EXKA.EXE C:\$Recycle.Bin\wininit.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\XJWTL.EXE C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\XJWTL.EXE C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\LHCMD.EXE C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\svchost.exe C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\EVZDUOF.EXE C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files (x86)\\XJWTL.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files (x86)\\XJWTL.EXE %1" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files (x86)\\LHCMD.EXE %1" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\LHCMD.EXE" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\EVZDUOF.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command C:\$Recycle.Bin\wininit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open C:\$Recycle.Bin\wininit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command C:\$Recycle.Bin\wininit.exe N/A
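
The Run key and the shell\open\command rows above are where this run's persistence lives: the Run value points at a file named svchost.exe under Program Files (x86) rather than System32, and the txtfile, inifile, scrfile and regfile handlers are redirected to the dropped XJWTL.EXE, LHCMD.EXE and EVZDUOF.EXE, so opening a .txt, .ini, .scr or .reg file through the shell launches those binaries instead of the stock handler. The following Python is an added example and not part of the sandbox report: it parses the "Set value" rows exactly as the report prints them (constructed input copied from the table above) and classifies each one. The stock-handler table and the system-binary name list are assumptions drawn from a default Windows install, not from the report, and should be checked against a clean reference host.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicator column of the "Set value" rows from the behavioral1 tables above,
# constructed as input for this example with the sandbox's own escaping.
ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LHCMD.EXE = "C:\\Program Files (x86)\\svchost.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files (x86)\\XJWTL.EXE \"%1\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files (x86)\\XJWTL.EXE %1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files (x86)\\LHCMD.EXE %1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\LHCMD.EXE"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\EVZDUOF.EXE \"%1\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment"',
]

# Stock shell\open\command handlers for the hijacked ProgIDs. ASSUMED from a
# default Windows install, not taken from the report; verify on a clean host.
# scrfile's default runs the .scr itself, so its "executable" is %1.
DEFAULT_HANDLERS = {
    "txtfile": "notepad.exe",
    "inifile": "notepad.exe",
    "regfile": "regedit.exe",
    "chm.file": "hh.exe",
    "scrfile": "%1",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names a Run entry may borrow to look legitimate (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "wininit.exe", "explorer.exe", "lsass.exe"}

ROW_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)"$')
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll)|%1)"?', re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    key: str
    target: str


def parse_row(row):
    """Return (key path, value name, unescaped data) or None for a non-matching row."""
    m = ROW_RE.match(row)
    if not m:
        return None
    _vtype, key, raw = m.groups()
    data = raw.replace('\\"', '"').replace("\\\\", "\\")  # undo the sandbox's escaping
    path, _, name = key.rpartition("\\")  # a trailing '\' means the (Default) value
    return path, name, data


def executable_of(command):
    """First executable (or the %1 placeholder) in a shell command string."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else None


def analyze(rows):
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        path, name, data = parsed
        exe = executable_of(data)
        if exe is None:  # e.g. ThreadingModel = "Apartment"
            continue
        low = path.lower()
        p = PureWindowsPath(exe)
        if "\\currentversion\\run" in low:
            # svchost.exe (or similar) living outside the system directories
            masq = p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in SYSTEM_DIRS
            findings.append(Finding("autorun-masquerade" if masq else "autorun", name, exe))
        elif low.endswith("\\shell\\open\\command"):
            progid = path.split("\\")[-4]  # ...\Classes\<progid>\shell\open\command
            expected = DEFAULT_HANDLERS.get(progid)
            if expected is not None and p.name.lower() != expected:
                findings.append(Finding("handler-hijack", progid, exe))
        elif low.endswith("\\inprocserver32") and name == "":
            findings.append(Finding("com-inproc-server", path.split("\\")[-2], exe))
        else:
            findings.append(Finding("executable-reference", f"{path}\\{name}", exe))
    return findings


def summary(findings):
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(ROWS):
        print(f"{f.kind:22} {f.key:45} -> {f.target}")
    print(summary(analyze(ROWS)))
```

On the rows above this reports one masquerading autorun (svchost.exe under Program Files (x86)), four handler hijacks (scrfile, txtfile, inifile, regfile), the COM in-process server Ms7002.dll under CLSID {7CD4138D-4147-420B-9749-00A13B526785}, and the QPWorkFile\qp7002 reference to LHCMD.EXE; chm.file produces nothing because this run only created its keys without setting a command. The same parser can be pointed at the behavioral2 rows, where the names change but the classification does not.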

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2964 (7 writes) N/A C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe C:\Windows\SysWOW64\Regsvr32.exe
PID 1964 wrote to memory of 2520 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe C:\$Recycle.Bin\wininit.exe
PID 2520 wrote to memory of 2556 (7 writes) N/A C:\$Recycle.Bin\wininit.exe C:\Windows\SysWOW64\Regsvr32.exe

The write targets are the two Regsvr32.exe instances and the $Recycle.Bin\wininit.exe copy listed under Processes. A parent writing into a child it has just started is normal during process creation, so these rows document the launch chain (dropper to Regsvr32.exe and wininit.exe, wininit.exe to a second Regsvr32.exe) rather than proving injection of foreign code.

Processes

C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe (PID 1964)

"C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Regsvr32.exe (PID 2964, written to by PID 1964)

Regsvr32.exe C:\Windows\system32\Ms7002.dll /s

C:\$Recycle.Bin\wininit.exe (PID 2520)

C:\$Recycle.Bin\wininit.exe

C:\Windows\SysWOW64\Regsvr32.exe (PID 2556, written to by PID 2520)

Regsvr32.exe C:\Windows\system32\Ms7002.dll /s

PIDs are taken from the WriteProcessMemory rows and the memory dump names (memory/1964-*, memory/2520-*). Regsvr32.exe runs as the 32-bit SysWOW64 copy, so the C:\Windows\system32\Ms7002.dll argument is redirected by WOW64 file-system redirection to C:\Windows\SysWOW64\Ms7002.dll, the file the sample dropped; /s registers the DLL silently.

Network

N/A

Files

memory/1964-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

C:\Program Files (x86)\XJWTL.EXE

MD5 6fc6e442c0113c73a30f4b5738a70b2d
SHA1 e5faf5167ba3ddb5982290415e89b5570f82566c
SHA256 138aa8ec4dfbadb1bcc266bcc269071ec609cc0cc1702841d541d3d589e78d41
SHA512 40eb541ca571fd9ec115894fd8e6d3c2889605cf1e70477f0ee131f6b7606d39106ab0d56b5df4f656e9a4251bb82c898066aae35cfefb0d4cc1022b280b7354

\Windows\SysWOW64\Ms7002.dll

MD5 876a2a99b81968f5b26e3cbe12063d2b
SHA1 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256 f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512 ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

\$Recycle.Bin\wininit.exe

MD5 a1deba26dcb784eb56b32828a8b87370
SHA1 32713bacf4fae07c16258fb64230902dbbe054e8
SHA256 a07c1653785a450dbbe6511bb3326d40594f4427756045f1cd995a467427be1c
SHA512 4eecd43410ff46afe2a60aaf5eae8cee1e607de6158de6cc463ec6b9ae259c4f0204a8c02afb6722ce4352cb95de687ab91120ecc2cda251171252e45e3b1578

memory/2520-30-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1964-33-0x0000000000400000-0x000000000047D000-memory.dmp

memory/2520-32-0x0000000000400000-0x000000000047D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 23:13

Reported

2024-05-15 23:15

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CUJUSKX.EXE = "C:\\Windows\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: through \??\V: (17 drive letters E: to V:, F: not among them) C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Ms7002.dll C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\VIGK.EXE C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VIGK.EXE C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\VIGK.EXE C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
File created C:\Windows\NVDAAKD.EXE C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\NVDAAKD.EXE C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files\\VIGK.EXE %1" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\NVDAAKD.EXE %1" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files\\VIGK.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" C:\Windows\SysWOW64\Regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files\\VIGK.EXE \"%1\"" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\VIGK.EXE" C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" C:\Windows\SysWOW64\Regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 C:\Windows\SysWOW64\Regsvr32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe"

C:\Windows\SysWOW64\Regsvr32.exe

Regsvr32.exe C:\Windows\system32\Ms7002.dll /s

C:\Windows\svchost.exe

C:\Windows\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 88.221.83.201:443 www.bing.com tcp
BE 88.221.83.201:443 www.bing.com tcp
US 8.8.8.8:53 201.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

No process is attributed to these flows. They consist of DNS to 8.8.8.8 (reverse lookups plus g.bing.com and www.bing.com) and HTTPS to Bing, which is typical Windows 10 background traffic; record the sample as having no observed command-and-control unless a process attribution shows otherwise.

Files

memory/800-1-0x0000000002410000-0x0000000002411000-memory.dmp

C:\Program Files\VIGK.EXE

MD5 f530f86bd2d5e4e8fec8cd4e6de6acee
SHA1 c557e79811d10ef78f36f36b2003795b4bc69dd0
SHA256 c4500b46eda4ed5f2b8ce88a2a8d013a0cbe3c4b6af5c966cadbc121a6468b53
SHA512 9ebd91e76f2f0194d069d96a1131ab575c1924a342c78a2e0fd4ee152e0c71c9676a9f3ec2e91f2a414ec33acb9b9ddfece484a1569f87c6e5b77d332d77d957

C:\Windows\SysWOW64\Ms7002.dll

MD5 876a2a99b81968f5b26e3cbe12063d2b
SHA1 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256 f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512 ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1

C:\Windows\svchost.exe

MD5 05a999288ff024d264c7d083aa199c8d
SHA1 d5df40510c01ca8b4adb97bb556b200b27da8a58
SHA256 5252342d8c3f4f1578215b00ff46bf1236fc6ddddb32052dacfc25002fb1785e
SHA512 deabd66450fc5033b0135ca346d7535b0cc94205a6f484655689fa8f560fd6e9c5838d0a7e6942643f6539c2c2eb8e6293f1d764087f4dfe39ec21090241d556

memory/3468-25-0x0000000002710000-0x0000000002711000-memory.dmp

memory/800-26-0x0000000000400000-0x000000000047D000-memory.dmp

memory/3468-27-0x0000000000400000-0x000000000047D000-memory.dmp

memory/3468-28-0x0000000000400000-0x000000000047D000-memory.dmp

memory/3468-29-0x0000000002710000-0x0000000002711000-memory.dmp

memory/3468-30-0x0000000000400000-0x000000000047D000-memory.dmp through memory/3468-41-0x0000000000400000-0x000000000047D000-memory.dmp (twelve consecutive dumps of the same 0x400000-0x47D000 image region, which PID 800 and, in behavioral1, PIDs 1964 and 2520 also map)
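
Comparing the two detonations shows which artifacts are worth an indicator: the generated names differ per run (LHCMD, XJWTL, EVZDUOF on win7; CUJUSKX, VIGK, NVDAAKD on win10), the drop directories move between Program Files, Windows and SysWow64, and the dropped EXEs hash differently each time, while Ms7002.dll keeps the same SHA256, the CLSID {7CD4138D-4147-420B-9749-00A13B526785}, the ProgID Ms7002.ShellExecuteHook and the QPWorkFile\qp7002 value recur. The following Python is an added example and not part of the report: it takes the file hashes and registry values of both runs (constructed from the Files, Adds Run key and Modifies registry class tables above; the file:/reg: prefixes and the (Default) suffix for a key's default value are this example's own notation) and splits them into verbatim-stable, template-stable and volatile indicators. The normalisation assumes that the generated names are 4 to 8 uppercase letters plus .EXE and folds the three observed drop directories into one placeholder; both assumptions come from these two runs only.

```python
import re

# Artifacts of each detonation, constructed from the report's Files (SHA256) and
# registry tables. "file:"/"reg:" prefixes and "(Default)" are this example's notation.
RUN1_WIN7 = {
    r"file:C:\Program Files (x86)\XJWTL.EXE": "138aa8ec4dfbadb1bcc266bcc269071ec609cc0cc1702841d541d3d589e78d41",
    r"file:C:\Windows\SysWOW64\Ms7002.dll": "f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0",
    r"file:C:\$Recycle.Bin\wininit.exe": "a07c1653785a450dbbe6511bb3326d40594f4427756045f1cd995a467427be1c",
    r"reg:HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LHCMD.EXE": r"C:\Program Files (x86)\svchost.exe",
    r"reg:HKLM\SOFTWARE\Classes\txtfile\shell\open\command\(Default)": r"C:\Program Files (x86)\XJWTL.EXE %1",
    r"reg:HKLM\SOFTWARE\Classes\inifile\shell\open\command\(Default)": r"C:\Program Files (x86)\LHCMD.EXE %1",
    r"reg:HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default)": r'C:\Program Files (x86)\XJWTL.EXE "%1"',
    r"reg:HKLM\SOFTWARE\Classes\regfile\shell\open\command\(Default)": r'C:\Windows\EVZDUOF.EXE "%1"',
    r"reg:HKLM\SOFTWARE\Classes\QPWorkFile\qp7002": r"C:\Windows\SysWow64\LHCMD.EXE",
    r"reg:HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\(Default)": r"C:\Windows\SysWow64\Ms7002.dll",
    r"reg:HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\(Default)": "Ms7002.ShellExecuteHook",
    r"reg:HKLM\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\(Default)": "{7CD4138D-4147-420B-9749-00A13B526785}",
}
RUN2_WIN10 = {
    r"file:C:\Program Files\VIGK.EXE": "c4500b46eda4ed5f2b8ce88a2a8d013a0cbe3c4b6af5c966cadbc121a6468b53",
    r"file:C:\Windows\SysWOW64\Ms7002.dll": "f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0",
    r"file:C:\Windows\svchost.exe": "5252342d8c3f4f1578215b00ff46bf1236fc6ddddb32052dacfc25002fb1785e",
    r"reg:HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CUJUSKX.EXE": r"C:\Windows\svchost.exe",
    r"reg:HKLM\SOFTWARE\Classes\txtfile\shell\open\command\(Default)": r"C:\Windows\NVDAAKD.EXE %1",
    r"reg:HKLM\SOFTWARE\Classes\inifile\shell\open\command\(Default)": r"C:\Program Files\VIGK.EXE %1",
    r"reg:HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default)": r'C:\Program Files\VIGK.EXE "%1"',
    r"reg:HKLM\SOFTWARE\Classes\regfile\shell\open\command\(Default)": r'C:\Program Files\VIGK.EXE "%1"',
    r"reg:HKLM\SOFTWARE\Classes\QPWorkFile\qp7002": r"C:\Windows\SysWow64\VIGK.EXE",
    r"reg:HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\(Default)": r"C:\Windows\SysWow64\Ms7002.dll",
    r"reg:HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\(Default)": "Ms7002.ShellExecuteHook",
    r"reg:HKLM\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\(Default)": "{7CD4138D-4147-420B-9749-00A13B526785}",
}

# ASSUMPTION from these two runs: the dropper's generated names are 4-8 uppercase
# letters plus .EXE, while the stock names it reuses (svchost.exe) are lowercase.
RAND_NAME = re.compile(r"\\[A-Z]{4,8}\.EXE\b")
# ASSUMPTION: the sample picks its drop directory from Program Files (with or
# without the x86 split), Windows, or SysWow64; fold them into one placeholder.
DROP_DIR = re.compile(
    r"C:\\(?:Program Files(?: \(x86\))?|Windows(?:\\SysWow64)?)"
    r"(?=\\(?:<RAND>\.EXE|svchost\.exe))",
    re.IGNORECASE,
)


def normalize(s):
    """Replace per-run randomness so artifacts from different runs can be compared."""
    s = RAND_NAME.sub(r"\\<RAND>.EXE", s)  # must run before DROP_DIR, whose lookahead needs <RAND>
    s = DROP_DIR.sub("<DROPDIR>", s)
    return s.lower()


def _pairs(run, fn):
    return {(fn(k), fn(v)) for k, v in run.items()}


def compare_runs(run_a, run_b):
    """Split artifacts into verbatim-stable, stable-as-template and volatile sets."""
    verbatim = _pairs(run_a, str.lower) & _pairs(run_b, str.lower)
    norm_a, norm_b = _pairs(run_a, normalize), _pairs(run_b, normalize)
    shared = norm_a & norm_b
    return {
        "verbatim": verbatim,                    # safe to block on as-is
        "template": shared - verbatim,           # needs a pattern or behavioural rule
        "volatile": (norm_a | norm_b) - shared,  # differs per run; weak as an IOC
    }


if __name__ == "__main__":
    result = compare_runs(RUN1_WIN7, RUN2_WIN10)
    for bucket in ("verbatim", "template", "volatile"):
        print(f"== {bucket} ({len(result[bucket])})")
        for key, value in sorted(result[bucket]):
            print(f"  {key} = {value}")
```

The verbatim bucket (the Ms7002.dll hash and the CLSID, ProgID and Clsid registrations) is what a hash or registry blocklist should carry. The template bucket is what a behavioural rule should match: a Run value named like a generated EXE whose data is svchost.exe outside System32, and txtfile/inifile/scrfile/regfile commands pointing at an EXE under Program Files, Windows or SysWow64. The volatile bucket holds the per-run EXE hashes and paths, which would miss the next detonation of the same sample.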