35926e6d69e2441d14d0e5bfc9d32fbd12e957aeee0dd69e76ad6e1f101fdc4e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7d79a26480769f8ca453235af8c4920_NeikiAnalytics.exe
Size

72KB
MD5

c7d79a26480769f8ca453235af8c4920
SHA1

7a666e722f3a53c388a3b4946f2b10d0a209aef5
SHA256

35926e6d69e2441d14d0e5bfc9d32fbd12e957aeee0dd69e76ad6e1f101fdc4e
SHA512

d7d8af33b338ca2fb48741377a62794c52caaa317d4d8e1c879f7c1bcb6748d7fc386cc1da456e5c28e2ee40b3f21c406cfa940b8d5d974476b22c80964a89f9
SSDEEP

1536:xesVVg0uuuZqcFMMknvALxibD5cZHTSt1h9N/vEL:pm0+ZqcFsvLXSm9N/sL

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	efnekin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	efnekin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	efnekin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	efnekin.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}	efnekin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	efnekin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\IsInstalled = "1"	efnekin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\StubPath = "C:\\Windows\\system32\\oulxanoat-ohix.exe"	efnekin.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	efnekin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	efnekin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\aploatix.exe"	efnekin.exe

Executes dropped EXE 2 IoCs

pid	Process
388	efnekin.exe
5040	efnekin.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	efnekin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	efnekin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	efnekin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	efnekin.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	efnekin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	efnekin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	efnekin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eagpuruk-osooc.dll"	efnekin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	efnekin.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\eagpuruk-osooc.dll	efnekin.exe
File created	C:\Windows\SysWOW64\eagpuruk-osooc.dll	efnekin.exe
File created	C:\Windows\SysWOW64\aploatix.exe	efnekin.exe
File opened for modification	C:\Windows\SysWOW64\oulxanoat-ohix.exe	efnekin.exe
File created	C:\Windows\SysWOW64\oulxanoat-ohix.exe	efnekin.exe
File opened for modification	C:\Windows\SysWOW64\efnekin.exe	efnekin.exe
File opened for modification	C:\Windows\SysWOW64\efnekin.exe	c7d79a26480769f8ca453235af8c4920_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\efnekin.exe	c7d79a26480769f8ca453235af8c4920_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\aploatix.exe	efnekin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
5040	efnekin.exe
5040	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe
388	efnekin.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	efnekin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 388	1440	c7d79a26480769f8ca453235af8c4920_NeikiAnalytics.exe	83
PID 1440 wrote to memory of 388	1440	c7d79a26480769f8ca453235af8c4920_NeikiAnalytics.exe	83
PID 1440 wrote to memory of 388	1440	c7d79a26480769f8ca453235af8c4920_NeikiAnalytics.exe	83
PID 388 wrote to memory of 5040	388	efnekin.exe	84
PID 388 wrote to memory of 5040	388	efnekin.exe	84
PID 388 wrote to memory of 5040	388	efnekin.exe	84
PID 388 wrote to memory of 620	388	efnekin.exe	5
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57
PID 388 wrote to memory of 3532	388	efnekin.exe	57

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\c7d79a26480769f8ca453235af8c4920_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\c7d79a26480769f8ca453235af8c4920_NeikiAnalytics.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\efnekin.exe
    "C:\Windows\SysWOW64\efnekin.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\SysWOW64\efnekin.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\aploatix.exe

Filesize
73KB

MD5
6c64025217e9aa6f4fe671f272d05ffd

SHA1
23d93e2725490a55c4f6b314a1733bbf3c22f89f

SHA256
d9fdef9b3ccd6da49717689e436a512047dfc55d6f6e5580570480a9ae3dd68f

SHA512
be040bec95a534280cb6750e13c5897de752de8a7280cbb9c81bf8c78b59f6d06931feb1c23dc4c69d07a5ba84d9cecd45a669650f14cac31a63e30c2b783d5a

Download Submit
C:\Windows\SysWOW64\eagpuruk-osooc.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\efnekin.exe

Filesize
70KB

MD5
4f2dc0f7279e5f3a5ee123d52573671e

SHA1
bd2c34396918c3d79e7c591c63f17e784cc3d31c

SHA256
c2de62d64608d4e85a47a13f57d7a76a8f02cf97f60c6f8188568d7d1d3789b7

SHA512
061f0e48bbd91900b4c9cf2c8558b0fc434b385bd0b561b4bb75f4fc55c57843855d7472689a6adad4c34c4db0b555877b2a487adc010404939734b3165a0191

Download Submit
C:\Windows\SysWOW64\oulxanoat-ohix.exe

Filesize
72KB

MD5
4a8e9eab05ac01b6fb9d2c0b85e8a4a4

SHA1
99be9af3e29904448f3291a10d6d0b31ac30c6f5

SHA256
d84eada299456117f428b3b6ba1874f6a30ef5c0c1c6f14ecd7562920eb792a6

SHA512
37338986f41b0337c2025e9356da5aedcc56ce0a47c5b1d7f3e8440424eb242c174ec563eceeeb9182e0f4f8bcfa235e396b8044d93d0fc6df4db32d28b3df86

Download Submit
memory/388-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1440-3-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5040-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download