Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 06:36 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe
Resource
win7-20240221-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe
-
Size
70KB
-
MD5
989fd0fecf41082be0bc25212a75df60
-
SHA1
6b8acab7534d300aa556924727b60a01fcfe6040
-
SHA256
09bcd9ecea937d2453fec8a467ab0b661de87c201f88a90e03b765db262a054d
-
SHA512
994068fa1f3de8ad9d471b54cf26b0bcfecca32ad5954d72a8ef826690ba467f543de084aca7cc0d9072ce50fd1079a7049a1b414a83ad7caaeda6be59941e78
-
SSDEEP
1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8D:Olg35GTslA5t3/w8D
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" ougfoateat-eamoot.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" ougfoateat-eamoot.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" ougfoateat-eamoot.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" ougfoateat-eamoot.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" ougfoateat-eamoot.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\IsInstalled = "1" ougfoateat-eamoot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245}\StubPath = "C:\\Windows\\system32\\ubgoapik-ouxom.exe" ougfoateat-eamoot.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51475451-5a54-5245-5147-54515A545245} ougfoateat-eamoot.exe -
Sets file execution options in registry 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe ougfoateat-eamoot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" ougfoateat-eamoot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\edfegear.exe" ougfoateat-eamoot.exe -
Executes dropped EXE 2 IoCs
pid Process 2200 ougfoateat-eamoot.exe 2616 ougfoateat-eamoot.exe -
Loads dropped DLL 3 IoCs
pid Process 2264 989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe 2264 989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe 2200 ougfoateat-eamoot.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" ougfoateat-eamoot.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" ougfoateat-eamoot.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" ougfoateat-eamoot.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" ougfoateat-eamoot.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" ougfoateat-eamoot.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} ougfoateat-eamoot.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify ougfoateat-eamoot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" ougfoateat-eamoot.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ilxenoak.dll" ougfoateat-eamoot.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ubgoapik-ouxom.exe ougfoateat-eamoot.exe File opened for modification C:\Windows\SysWOW64\ilxenoak.dll ougfoateat-eamoot.exe File opened for modification C:\Windows\SysWOW64\ougfoateat-eamoot.exe ougfoateat-eamoot.exe File opened for modification C:\Windows\SysWOW64\ougfoateat-eamoot.exe 989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe File created C:\Windows\SysWOW64\ougfoateat-eamoot.exe 989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\edfegear.exe ougfoateat-eamoot.exe File created C:\Windows\SysWOW64\edfegear.exe ougfoateat-eamoot.exe File created C:\Windows\SysWOW64\ubgoapik-ouxom.exe ougfoateat-eamoot.exe File created C:\Windows\SysWOW64\ilxenoak.dll ougfoateat-eamoot.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2616 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe 2200 ougfoateat-eamoot.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2264 989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe Token: SeDebugPrivilege 2200 ougfoateat-eamoot.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2264 wrote to memory of 2200 2264 989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe 28 PID 2264 wrote to memory of 2200 2264 989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe 28 PID 2264 wrote to memory of 2200 2264 989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe 28 PID 2264 wrote to memory of 2200 2264 989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe 28 PID 2200 wrote to memory of 432 2200 ougfoateat-eamoot.exe 5 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 2616 2200 ougfoateat-eamoot.exe 29 PID 2200 wrote to memory of 2616 2200 ougfoateat-eamoot.exe 29 PID 2200 wrote to memory of 2616 2200 ougfoateat-eamoot.exe 29 PID 2200 wrote to memory of 2616 2200 ougfoateat-eamoot.exe 29 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21 PID 2200 wrote to memory of 1200 2200 ougfoateat-eamoot.exe 21
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\989fd0fecf41082be0bc25212a75df60_NeikiAnalytics.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\ougfoateat-eamoot.exe"C:\Windows\system32\ougfoateat-eamoot.exe"3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\ougfoateat-eamoot.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2616
-
-
-
Network
-
Remote address:8.8.8.8:53Requestgewdbb.nuIN AResponse
-
Remote address:8.8.8.8:53Requestgewdbb.nuIN AResponse
No results found
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD5863a04f83a9758d1b14a40e184411197
SHA1613304999d20f82a83e67b47c22482d9e628dd06
SHA2561908d8d42eefd37aae75078c842583eac104303c83f4a540a1bd90f5f95fe59f
SHA5125424183d9ea7ea57b367785cfa374b5aecb837727aefbc3ea4dfa93d4fd328a31e86aa26a6ffbb461dc08ff2558cc4e2a20999a59c2800cb96cbfb39277725e6
-
Filesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize
73KB
MD5e7d52e2a928ebbacb7eeabffc33ab978
SHA14be7c9cd8ecde611e288ab13fb30826f782ef2e1
SHA25626cc512b724477a9b999f5014a030a08a5087cad74ad59f0f973de43bda77bf5
SHA512135102b6b922ca52f62646c97d2a09c0ca65eb1f6582e6fd2ed69158944942477c0a97f389b1de6c6156b48b45b66470a45e3942aa30d519a273e675b990bf6d
-
Filesize
70KB
MD5989fd0fecf41082be0bc25212a75df60
SHA16b8acab7534d300aa556924727b60a01fcfe6040
SHA25609bcd9ecea937d2453fec8a467ab0b661de87c201f88a90e03b765db262a054d
SHA512994068fa1f3de8ad9d471b54cf26b0bcfecca32ad5954d72a8ef826690ba467f543de084aca7cc0d9072ce50fd1079a7049a1b414a83ad7caaeda6be59941e78