Malware Analysis Report

2024-08-06 18:35

Sample ID 240516-ymvnradf61
Target 22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
SHA256 9b3699e932902bfe4264a68dad0ae5f718fa3672b659417c2f215e649a9c4d6c
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b3699e932902bfe4264a68dad0ae5f718fa3672b659417c2f215e649a9c4d6c

Threat Level: Known bad

The file 22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Detects XenoRAT malware

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-16 19:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 19:54

Reported

2024-05-16 19:57

Platform

win7-20240215-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe"

Signatures

Detects XenoRAT malware

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1956 set thread context of 2712 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 set thread context of 2968 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 set thread context of 2596 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 set thread context of 2680 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 set thread context of 2408 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 set thread context of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1956 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2712 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2712 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2712 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2712 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2708 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2968 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2968 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2968 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2968 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cns" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD91.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 dns.dobiamfollollc.online udp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp

Files

memory/1956-0-0x000000007483E000-0x000000007483F000-memory.dmp

memory/1956-1-0x0000000000E80000-0x0000000000EC6000-memory.dmp

memory/1956-2-0x0000000000240000-0x0000000000246000-memory.dmp

memory/1956-4-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/1956-3-0x0000000000260000-0x00000000002A0000-memory.dmp

memory/1956-5-0x0000000000420000-0x0000000000426000-memory.dmp

memory/2712-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2712-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2712-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2712-23-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/2968-24-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/1956-26-0x0000000074830000-0x0000000074F1E000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

MD5 22dd434667213ce290e7b9b344d2c7a0
SHA1 7e7742a0b071b0ad2099d2d298b23507f3aa726e
SHA256 9b3699e932902bfe4264a68dad0ae5f718fa3672b659417c2f215e649a9c4d6c
SHA512 c76e9dcfe723d4321f61e22cfa0c9fb0b5784fd6133dcbb08668d8e330fa0a605cfc9ced1471337ec7738a5668e9a196c3fbcf1114bd945a7f857247e9c8a9d6

memory/2708-33-0x0000000000E90000-0x0000000000ED6000-memory.dmp

memory/2712-32-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/2968-49-0x0000000074830000-0x0000000074F1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFD91.tmp

MD5 cf8108aac42881c3288006567902f87f
SHA1 89742ae9fe481954e824b116908c1a452bc5ae6d
SHA256 5029c293a15d6038cce36d385bc8b4e18368c0a8420219419dd7e1a5f28bbc50
SHA512 52f35ff90e0774dc306a322100ee2c457a69ef01c4b1628ffe39cc7654501501b27e03f01716fa4de4f6d4aef19d11f823c5dc62e900739d6d00a354e7603820

memory/2968-52-0x0000000074830000-0x0000000074F1E000-memory.dmp

memory/2968-53-0x0000000074830000-0x0000000074F1E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 19:54

Reported

2024-05-16 19:57

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe"

Signatures

Detects XenoRAT malware

rat
Description Indicator Process Target
N/A N/A N/A N/A

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1028 set thread context of 3752 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 set thread context of 2008 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 set thread context of 3304 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 set thread context of 4036 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 set thread context of 3184 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 set thread context of 3588 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 1028 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 3752 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 3752 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 3752 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 4172 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe
PID 2008 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2008 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2008 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3588 -ip 3588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3184 -ip 3184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 80

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 80

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "cns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp45AF.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.163:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 163.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 216.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 dns.dobiamfollollc.online udp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
NL 94.156.68.125:1283 dns.dobiamfollollc.online tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/1028-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

memory/1028-1-0x0000000000C70000-0x0000000000CB6000-memory.dmp

memory/1028-2-0x0000000003000000-0x0000000003006000-memory.dmp

memory/1028-3-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/1028-4-0x0000000003160000-0x00000000031A0000-memory.dmp

memory/1028-5-0x0000000006AB0000-0x0000000006B4C000-memory.dmp

memory/1028-6-0x0000000007100000-0x00000000076A4000-memory.dmp

memory/1028-7-0x0000000006BF0000-0x0000000006C82000-memory.dmp

memory/1028-8-0x0000000005770000-0x0000000005776000-memory.dmp

memory/3752-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3752-15-0x0000000074A50000-0x0000000075200000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe.log

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

memory/1028-17-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/2008-16-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/2008-18-0x0000000074A50000-0x0000000075200000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\22dd434667213ce290e7b9b344d2c7a0_NeikiAnalytics.exe

MD5 22dd434667213ce290e7b9b344d2c7a0
SHA1 7e7742a0b071b0ad2099d2d298b23507f3aa726e
SHA256 9b3699e932902bfe4264a68dad0ae5f718fa3672b659417c2f215e649a9c4d6c
SHA512 c76e9dcfe723d4321f61e22cfa0c9fb0b5784fd6133dcbb08668d8e330fa0a605cfc9ced1471337ec7738a5668e9a196c3fbcf1114bd945a7f857247e9c8a9d6

memory/3752-29-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/2008-36-0x0000000074A50000-0x0000000075200000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp45AF.tmp

MD5 cf8108aac42881c3288006567902f87f
SHA1 89742ae9fe481954e824b116908c1a452bc5ae6d
SHA256 5029c293a15d6038cce36d385bc8b4e18368c0a8420219419dd7e1a5f28bbc50
SHA512 52f35ff90e0774dc306a322100ee2c457a69ef01c4b1628ffe39cc7654501501b27e03f01716fa4de4f6d4aef19d11f823c5dc62e900739d6d00a354e7603820