95b3d51e4dab6499c46b16831e6fa6eccb24962065cd4f713aaf28d3ce3c3d0f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe
Size

72KB
MD5

cfc18f737e79e5585c76e1fd8e527060
SHA1

6187a128e3cde9c4d8e1d939ec8fb429f0b9fe74
SHA256

95b3d51e4dab6499c46b16831e6fa6eccb24962065cd4f713aaf28d3ce3c3d0f
SHA512

9d9dabfce37a7c53afcb4aaa283adac6a50462b601c3b5f485f1dc7e21020a7ac791bdf61690fda684c4e99bd8ba3756b30bd81e46e3c07ab31c011d1372f3fc
SSDEEP

1536:xGrOhMC7Nb20g6HKF02z5HKgeBGmW9arzj:wrOhRvN2sGmtnj

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	elceasir.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	elceasir.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	elceasir.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	elceasir.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}	elceasir.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	elceasir.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\IsInstalled = "1"	elceasir.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\StubPath = "C:\\Windows\\system32\\uhcuneam-ougat.exe"	elceasir.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	elceasir.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	elceasir.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\aldamop.exe"	elceasir.exe

Executes dropped EXE 2 IoCs

pid	Process
1872	elceasir.exe
5056	elceasir.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	elceasir.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	elceasir.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	elceasir.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	elceasir.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	elceasir.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	elceasir.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	elceasir.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\kdoasif.dll"	elceasir.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	elceasir.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\uhcuneam-ougat.exe	elceasir.exe
File opened for modification	C:\Windows\SysWOW64\kdoasif.dll	elceasir.exe
File created	C:\Windows\SysWOW64\aldamop.exe	elceasir.exe
File created	C:\Windows\SysWOW64\elceasir.exe	cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\aldamop.exe	elceasir.exe
File opened for modification	C:\Windows\SysWOW64\uhcuneam-ougat.exe	elceasir.exe
File created	C:\Windows\SysWOW64\kdoasif.dll	elceasir.exe
File opened for modification	C:\Windows\SysWOW64\elceasir.exe	elceasir.exe
File opened for modification	C:\Windows\SysWOW64\elceasir.exe	cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
5056	elceasir.exe
5056	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe
1872	elceasir.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	elceasir.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 1872	4664	cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe	82
PID 4664 wrote to memory of 1872	4664	cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe	82
PID 4664 wrote to memory of 1872	4664	cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe	82
PID 1872 wrote to memory of 628	1872	elceasir.exe	5
PID 1872 wrote to memory of 5056	1872	elceasir.exe	83
PID 1872 wrote to memory of 5056	1872	elceasir.exe	83
PID 1872 wrote to memory of 5056	1872	elceasir.exe	83
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55
PID 1872 wrote to memory of 3352	1872	elceasir.exe	55

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3352
- C:\Users\Admin\AppData\Local\Temp\cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\SysWOW64\elceasir.exe
    "C:\Windows\SysWOW64\elceasir.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\elceasir.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\aldamop.exe

Filesize
73KB

MD5
5c7798e49788df29af6d1b43c74f8c5e

SHA1
0e3b2e612c0e9d402814be1e28ffcd431b8d90ec

SHA256
eac622652d2bd6b0e44027f73107615845ae4d818c5a4e48fd8c43565cad2677

SHA512
14df778db50b9a5a6b17329841970be4941fae2f98ecf14581d2d13c1a9aafea7e78f1be68f3b4b73cd9aac476064b16916264af3af0d092d021a75f82f010b0

Download Submit
C:\Windows\SysWOW64\elceasir.exe

Filesize
70KB

MD5
1090555cf271acdf2264c16a065b369e

SHA1
cef114b0e56388144184bfbe3edd7a855b1c3a0e

SHA256
178ef0208acb6e4c8a8df1d618120c85659482a17c10a9259251e30ce2c8fdd1

SHA512
d6df98908a0ecc6651c0395b7539aff57878bca042e09bee1ff421c99fbba30e34f9b6b1c5b7615674898e0900d67e9e223d29062da550e0fc5fcde2ff43464e

Download Submit
C:\Windows\SysWOW64\kdoasif.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\uhcuneam-ougat.exe

Filesize
72KB

MD5
bb4df7a180256aedec4da17814dda567

SHA1
0d8f9759c922dab3084c4a0d27de02cb399302f7

SHA256
697d7510050a894505d9c8b0af2a40879b39c08c46e039341490f68fb750acaa

SHA512
df71646896c3749ccf8dfeeae9e27c77fd85c98088d4b9bc78d5df2cc3936021dd72d0e8dd7243f255650ebd99a7ffc14265dd7934929ac0be31ce2b1afc77c8

Download Submit
memory/1872-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4664-3-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5056-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download