63d2f8129634390f5de6754899f61e3f1c4f8e1d8cdaf3beb6f3e32414e1d247

General

Target

14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
Size

72KB
MD5

14d3cd8f81d800d5015b90022f765a40
SHA1

1b765e3f0da75fb04ee5824b8aea9443ae665393
SHA256

63d2f8129634390f5de6754899f61e3f1c4f8e1d8cdaf3beb6f3e32414e1d247
SHA512

cd14c8a63157269b6fd491512f30c6ad4f7795a18afd865db0548d5aa11f759d830c91257b106e501b17b083d2423d2fa1415af2ba855b443ddbd424eda921ba
SSDEEP

1536:xA80j8XBulvaVEm+odQpNjoCj2HileSpnt7xQaZUnCZgKQQPu:S8qD96xdKoCj2HioSpnt7xQaZUPQ2

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

eaknufum.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	eaknufum.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eaknufum.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\IsInstalled = "1"	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55485251-4b4a-4350-5548-52514B4A4350}\StubPath = "C:\\Windows\\system32\\idsanoat.exe"	eaknufum.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eaknufum.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\alxoogum.exe"	eaknufum.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	eaknufum.exe

Executes dropped EXE 2 IoCs

Processes:

eaknufum.exeeaknufum.exe

pid process

2476 eaknufum.exe
2700 eaknufum.exe
Loads dropped DLL 3 IoCs

Processes:

14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exeeaknufum.exe

pid process

2184 14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
2184 14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
2476 eaknufum.exe

pid	process
2184	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
2184	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
2476	eaknufum.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

eaknufum.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	eaknufum.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

eaknufum.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ubmivob-com.dll"	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	eaknufum.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	eaknufum.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	eaknufum.exe

Drops file in System32 directory 9 IoCs

Processes:

14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exeeaknufum.exe

description	ioc	process
File created	C:\Windows\SysWOW64\eaknufum.exe	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\alxoogum.exe	eaknufum.exe
File created	C:\Windows\SysWOW64\alxoogum.exe	eaknufum.exe
File opened for modification	C:\Windows\SysWOW64\ubmivob-com.dll	eaknufum.exe
File created	C:\Windows\SysWOW64\ubmivob-com.dll	eaknufum.exe
File opened for modification	C:\Windows\SysWOW64\eaknufum.exe	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\idsanoat.exe	eaknufum.exe
File created	C:\Windows\SysWOW64\idsanoat.exe	eaknufum.exe
File opened for modification	C:\Windows\SysWOW64\eaknufum.exe	eaknufum.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eaknufum.exeeaknufum.exe

pid	process
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2700	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe
2476	eaknufum.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

eaknufum.exe

description pid process

Token: SeDebugPrivilege 2476 eaknufum.exe

description	pid	process
Token: SeDebugPrivilege	2476	eaknufum.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exeeaknufum.exe

description	pid	process	target process
PID 2184 wrote to memory of 2476	2184	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe	eaknufum.exe
PID 2184 wrote to memory of 2476	2184	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe	eaknufum.exe
PID 2184 wrote to memory of 2476	2184	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe	eaknufum.exe
PID 2184 wrote to memory of 2476	2184	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe	eaknufum.exe
PID 2476 wrote to memory of 428	2476	eaknufum.exe	winlogon.exe
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 2700	2476	eaknufum.exe	eaknufum.exe
PID 2476 wrote to memory of 2700	2476	eaknufum.exe	eaknufum.exe
PID 2476 wrote to memory of 2700	2476	eaknufum.exe	eaknufum.exe
PID 2476 wrote to memory of 2700	2476	eaknufum.exe	eaknufum.exe
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE
PID 2476 wrote to memory of 1200	2476	eaknufum.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\eaknufum.exe
"C:\Windows\SysWOW64\eaknufum.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\eaknufum.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\alxoogum.exe
Filesize
73KB

MD5
8813a446adeb89d4b75c253aa29a10a3

SHA1
df70da76c110d3a1f1015dbbeffbc39d633cb801

SHA256
fe2992f3c745ce207b2de857247a49398cbd1f973dde361124940dcbb96ebd37

SHA512
17abf37368c59ab992f1f209c922ff5343d02f859638f1adb3f12b46eb63b41cc6dbeda96537ae180f31cf23b5642e51cee5f0421e523a024e1e6257cbbcd34d

Download Submit
C:\Windows\SysWOW64\idsanoat.exe
Filesize
72KB

MD5
dd2811e6670914fec3ab6558f99f82f2

SHA1
a0a8df6640f94a1b25a057ef49b1bd20a81a6d5a

SHA256
42beea37d1ec66415fb11fbe499c1d1ae427cdcb97c3164f6ec89fdb1531f37d

SHA512
bd98c99715dde0c6405db54ae9b436537fc16aafa73a0f9171a317ccde7897c5f8ac8dee0f215898db401efa51c55e8da83f41415e2c36fbeb9243cc166baa2d

Download Submit
C:\Windows\SysWOW64\ubmivob-com.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
\Windows\SysWOW64\eaknufum.exe
Filesize
70KB

MD5
e6f586fbc4b799cae41b2e2c20b39349

SHA1
fb72489ba74419d8de3a0e8a6402968cce6bbb68

SHA256
924054aed9559da00fcdff46d0aeb94025329d6e09b813055fb4e00e66b7b7c8

SHA512
92ab3b874a41d2aeda3be55bc20f6741007df63725241096f7954cd00f16b63df30284cedbf30c52e719934caedf1597ef98400ba0c028e8d416d31d218f6e21

Download Submit
memory/2184-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2476-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2700-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads