bbf3ef527bb8160adfbc9eedeed543e2cb46abb983d166533d84dc78d7d121a4

General

Target

41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe
Size

70KB
MD5

41720cd56696fe7177051046f95f19f0
SHA1

88557a79c66b875bb94d949039314ae96fbb521b
SHA256

bbf3ef527bb8160adfbc9eedeed543e2cb46abb983d166533d84dc78d7d121a4
SHA512

17eb5aa640615be81e153c3139fbeb4df6660a75ecf6a38dd0ecf46f32f04cb203b81f0dea02918ed28352a962f6f4bc4db2f6542cae9aa9e480ef4c6e18f671
SSDEEP

768:x/n89NWyL4o78WaCSqj8gc6lx9G9Ct/0YUUKYDgN+ADl4oCiqguUL6n2E9SY7ZU4:xU9NVM6oqQg9lOkOYmxCibH6n2VY7Wxi

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

enxotem.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	enxotem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	enxotem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	enxotem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	enxotem.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

enxotem.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\IsInstalled = "1"	enxotem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\StubPath = "C:\\Windows\\system32\\kxamoad.exe"	enxotem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}	enxotem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	enxotem.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

enxotem.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	enxotem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	enxotem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eafdoosub.exe"	enxotem.exe

Executes dropped EXE 2 IoCs

Processes:

enxotem.exeenxotem.exe

pid process

2228 enxotem.exe
2440 enxotem.exe
Loads dropped DLL 3 IoCs

Processes:

41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exeenxotem.exe

pid process

1664 41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe
1664 41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe
2228 enxotem.exe

pid	process
1664	41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe
1664	41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe
2228	enxotem.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

enxotem.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	enxotem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	enxotem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	enxotem.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	enxotem.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

enxotem.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eakkahoot-exac.dll"	enxotem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	enxotem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	enxotem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	enxotem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	enxotem.exe

Drops file in System32 directory 9 IoCs

Processes:

enxotem.exe41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\eafdoosub.exe	enxotem.exe
File opened for modification	C:\Windows\SysWOW64\kxamoad.exe	enxotem.exe
File created	C:\Windows\SysWOW64\eakkahoot-exac.dll	enxotem.exe
File opened for modification	C:\Windows\SysWOW64\enxotem.exe	41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\eafdoosub.exe	enxotem.exe
File created	C:\Windows\SysWOW64\kxamoad.exe	enxotem.exe
File opened for modification	C:\Windows\SysWOW64\eakkahoot-exac.dll	enxotem.exe
File opened for modification	C:\Windows\SysWOW64\enxotem.exe	enxotem.exe
File created	C:\Windows\SysWOW64\enxotem.exe	41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

enxotem.exeenxotem.exe

pid	process
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2440	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe
2228	enxotem.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

enxotem.exe

description pid process

Token: SeDebugPrivilege 2228 enxotem.exe

description	pid	process
Token: SeDebugPrivilege	2228	enxotem.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exeenxotem.exe

description	pid	process	target process
PID 1664 wrote to memory of 2228	1664	41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe	enxotem.exe
PID 1664 wrote to memory of 2228	1664	41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe	enxotem.exe
PID 1664 wrote to memory of 2228	1664	41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe	enxotem.exe
PID 1664 wrote to memory of 2228	1664	41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe	enxotem.exe
PID 2228 wrote to memory of 2440	2228	enxotem.exe	enxotem.exe
PID 2228 wrote to memory of 2440	2228	enxotem.exe	enxotem.exe
PID 2228 wrote to memory of 2440	2228	enxotem.exe	enxotem.exe
PID 2228 wrote to memory of 2440	2228	enxotem.exe	enxotem.exe
PID 2228 wrote to memory of 424	2228	enxotem.exe	winlogon.exe
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE
PID 2228 wrote to memory of 1260	2228	enxotem.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\41720cd56696fe7177051046f95f19f0_NeikiAnalytics.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\enxotem.exe
    "C:\Windows\SysWOW64\enxotem.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SysWOW64\enxotem.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eafdoosub.exe

Filesize
71KB

MD5
c8fe56395d2749948ed51bff0a8fdf70

SHA1
e82ee24519cf8aac85d97b8d93d786088744d2db

SHA256
c9fa554404e4364b83545ffac55e4b6b6dc45a79e4cec453b0b047a380fd8f56

SHA512
a8091e00a58e7b049534c5926fbf13e837b806842b828f5a9c79c92166a9b265fde108ed1970cf6c5397adffc4bda55e87c7466d802fdbaa8bbee5bb47419c5a

Download Submit
C:\Windows\SysWOW64\eakkahoot-exac.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\kxamoad.exe

Filesize
70KB

MD5
c650fb829571a8945baf863ff82a63f4

SHA1
d739dfca07b3d1b09eb69d823d24bd6ae6119778

SHA256
aedc0f3294b061333b3ad66f19ca5aed63d87f78ebedf26cd0911527cee003b6

SHA512
0db69d8192212c3dbbedb55ef34c44df5908b7cfee41723b5acbfb32509ece55f0dcae612f3705b2df7d0cfd67313df9b119cfef830c62bed6721afc9ba9f205

Download Submit
\Windows\SysWOW64\enxotem.exe

Filesize
68KB

MD5
8483c4158fd082b8046b3f248e82e89b

SHA1
67a7cff5a989e5975858e9d8c912c0513078ba04

SHA256
05c24fd46c32fc60c93eed344c7adef908f3131ec36dac532f548b5a659f2822

SHA512
b800e270e5bda32557ac0f2be89d172ed5a582fa4666c0a8e8bc826b62e4e59d91f22f9a3961baaf64d33941f306b286f9f4208fd543d51385b435527f4d871b

Download Submit
memory/1664-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2228-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2440-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads