c2e8a793242ac5bd973e80a28eed04f0ee12e0692590ceb931b3b190ff5391e6

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fecf6396a385b0f3a185c786a01db20_NeikiAnalytics.exe
Size

72KB
MD5

2fecf6396a385b0f3a185c786a01db20
SHA1

be8ca5b00be0740df4c59b830661a2594a04da56
SHA256

c2e8a793242ac5bd973e80a28eed04f0ee12e0692590ceb931b3b190ff5391e6
SHA512

e5cd65549bdeea849a1c3b920cf9d90ff9552b0287a0b9152e4c50b385589887fd57ed29ffa3223b5e955e3d97f0177f5469365f100969050bcf98275d78c376
SSDEEP

1536:xBoj3/OgHIerbSSuf9c/buo4iiugZb6hCPmXeu0XyxsdvDKc1:noDvHDrbTuf9abJiugV6hyu0XyxsdvDT

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	mfeneax-eavix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	mfeneax-eavix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	mfeneax-eavix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	mfeneax-eavix.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451}\IsInstalled = "1"	mfeneax-eavix.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451}\StubPath = "C:\\Windows\\system32\\anseanuv-ded.exe"	mfeneax-eavix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451}	mfeneax-eavix.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52484154-5145-4451-5248-415451454451}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	mfeneax-eavix.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	mfeneax-eavix.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	mfeneax-eavix.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\apgosur.exe"	mfeneax-eavix.exe

Executes dropped EXE 2 IoCs

pid	Process
5024	mfeneax-eavix.exe
3060	mfeneax-eavix.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	mfeneax-eavix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	mfeneax-eavix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	mfeneax-eavix.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	mfeneax-eavix.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	mfeneax-eavix.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	mfeneax-eavix.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ehtaxeam-oudat.dll"	mfeneax-eavix.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	mfeneax-eavix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	mfeneax-eavix.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mfeneax-eavix.exe	2fecf6396a385b0f3a185c786a01db20_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\mfeneax-eavix.exe	2fecf6396a385b0f3a185c786a01db20_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\apgosur.exe	mfeneax-eavix.exe
File opened for modification	C:\Windows\SysWOW64\anseanuv-ded.exe	mfeneax-eavix.exe
File opened for modification	C:\Windows\SysWOW64\ehtaxeam-oudat.dll	mfeneax-eavix.exe
File created	C:\Windows\SysWOW64\ehtaxeam-oudat.dll	mfeneax-eavix.exe
File opened for modification	C:\Windows\SysWOW64\apgosur.exe	mfeneax-eavix.exe
File created	C:\Windows\SysWOW64\anseanuv-ded.exe	mfeneax-eavix.exe
File opened for modification	C:\Windows\SysWOW64\mfeneax-eavix.exe	mfeneax-eavix.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
3060	mfeneax-eavix.exe
3060	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe
5024	mfeneax-eavix.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	mfeneax-eavix.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 5024	3252	2fecf6396a385b0f3a185c786a01db20_NeikiAnalytics.exe	84
PID 3252 wrote to memory of 5024	3252	2fecf6396a385b0f3a185c786a01db20_NeikiAnalytics.exe	84
PID 3252 wrote to memory of 5024	3252	2fecf6396a385b0f3a185c786a01db20_NeikiAnalytics.exe	84
PID 5024 wrote to memory of 3060	5024	mfeneax-eavix.exe	85
PID 5024 wrote to memory of 3060	5024	mfeneax-eavix.exe	85
PID 5024 wrote to memory of 3060	5024	mfeneax-eavix.exe	85
PID 5024 wrote to memory of 608	5024	mfeneax-eavix.exe	5
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55
PID 5024 wrote to memory of 3512	5024	mfeneax-eavix.exe	55

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3512
- C:\Users\Admin\AppData\Local\Temp\2fecf6396a385b0f3a185c786a01db20_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\2fecf6396a385b0f3a185c786a01db20_NeikiAnalytics.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\mfeneax-eavix.exe
    "C:\Windows\SysWOW64\mfeneax-eavix.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SysWOW64\mfeneax-eavix.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\anseanuv-ded.exe

Filesize
72KB

MD5
27a67c4512753cacd61907b5dc4eced3

SHA1
c13655604a8b7c1c6e6a43b1a6510add063a0fde

SHA256
d37687f888e4beec611f709d4ca8adad36f5fded08ae7074e33a7e9a944d45f0

SHA512
33fa5c69283f34e0ab35597c71d2987e10845fd4f6999dc2c9252a775d38c05f4dc086bd7959be87907d2454c1af8bdce68b03d6ff4a3f8e1cc678840901cd66

Download Submit
C:\Windows\SysWOW64\apgosur.exe

Filesize
73KB

MD5
05ef2540ff418a473784f6e9c696fdb2

SHA1
0aa4bd1c092303749cf9e5a859aca60ee1571b30

SHA256
100f52a46a0bcba95a7b39914e4d391b4c965888142859be6eda8aaff1b00f02

SHA512
5fd908b6a5baaf020edb1e6ca835835cf9a17a859750b6c98c233b77658558807bdfc12eb3438a5de15237482534693cede487b36da4daac4fd27b16eaacd333

Download Submit
C:\Windows\SysWOW64\ehtaxeam-oudat.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\mfeneax-eavix.exe

Filesize
70KB

MD5
3c0d95ac6cb7b708c352058cc163e5c3

SHA1
7617c6b9bb033f2e488557683fa006ecda2d5ab2

SHA256
8e7c7a4b74c61c94fae8f910a7facac60d6e0252683789a9d27de7243ee3b004

SHA512
e035e6df825f5e51e8b066b59fac2cd76e9fa59ac3057a183db3b2b0b2456f708b1ff5f91ca619b025d00059516a81b47f166df826e35f5e8429a47b1fb40d34

Download Submit
memory/3060-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3252-3-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5024-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download