63d2f8129634390f5de6754899f61e3f1c4f8e1d8cdaf3beb6f3e32414e1d247

General

Target

14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
Size

72KB
MD5

14d3cd8f81d800d5015b90022f765a40
SHA1

1b765e3f0da75fb04ee5824b8aea9443ae665393
SHA256

63d2f8129634390f5de6754899f61e3f1c4f8e1d8cdaf3beb6f3e32414e1d247
SHA512

cd14c8a63157269b6fd491512f30c6ad4f7795a18afd865db0548d5aa11f759d830c91257b106e501b17b083d2423d2fa1415af2ba855b443ddbd424eda921ba
SSDEEP

1536:xA80j8XBulvaVEm+odQpNjoCj2HileSpnt7xQaZUnCZgKQQPu:S8qD96xdKoCj2HioSpnt7xQaZUPQ2

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

eaknufum.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	eaknufum.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eaknufum.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\IsInstalled = "1"	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\StubPath = "C:\\Windows\\system32\\idsanoat.exe"	eaknufum.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eaknufum.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\alxoogum.exe"	eaknufum.exe

Executes dropped EXE 2 IoCs

Processes:

eaknufum.exeeaknufum.exe

pid process

1316 eaknufum.exe
740 eaknufum.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

eaknufum.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	eaknufum.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	eaknufum.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

eaknufum.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	eaknufum.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ubmivob-com.dll"	eaknufum.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	eaknufum.exe

Drops file in System32 directory 9 IoCs

Processes:

14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exeeaknufum.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\eaknufum.exe	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\idsanoat.exe	eaknufum.exe
File created	C:\Windows\SysWOW64\idsanoat.exe	eaknufum.exe
File opened for modification	C:\Windows\SysWOW64\ubmivob-com.dll	eaknufum.exe
File opened for modification	C:\Windows\SysWOW64\eaknufum.exe	eaknufum.exe
File created	C:\Windows\SysWOW64\eaknufum.exe	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\alxoogum.exe	eaknufum.exe
File created	C:\Windows\SysWOW64\alxoogum.exe	eaknufum.exe
File created	C:\Windows\SysWOW64\ubmivob-com.dll	eaknufum.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eaknufum.exeeaknufum.exe

pid	process
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
740	eaknufum.exe
740	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe
1316	eaknufum.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

eaknufum.exe

description pid process

Token: SeDebugPrivilege 1316 eaknufum.exe

description	pid	process
Token: SeDebugPrivilege	1316	eaknufum.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exeeaknufum.exe

description	pid	process	target process
PID 4228 wrote to memory of 1316	4228	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe	eaknufum.exe
PID 4228 wrote to memory of 1316	4228	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe	eaknufum.exe
PID 4228 wrote to memory of 1316	4228	14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe	eaknufum.exe
PID 1316 wrote to memory of 608	1316	eaknufum.exe	winlogon.exe
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 740	1316	eaknufum.exe	eaknufum.exe
PID 1316 wrote to memory of 740	1316	eaknufum.exe	eaknufum.exe
PID 1316 wrote to memory of 740	1316	eaknufum.exe	eaknufum.exe
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE
PID 1316 wrote to memory of 3440	1316	eaknufum.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\14d3cd8f81d800d5015b90022f765a40_NeikiAnalytics.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\eaknufum.exe
"C:\Windows\SysWOW64\eaknufum.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\eaknufum.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\alxoogum.exe
Filesize
73KB

MD5
28ab8cda92b0a8520bfd6d270d23ff48

SHA1
2e09a7eaab56400547e29dd68d200b1f83d377c6

SHA256
b3ae115e2c02ab327b0a4aa537204d12eac7375a6dd22587d36827b9ddb9b58a

SHA512
47d256b24f7039f3b1a4fd6928e716e1dde90b40a364a924fef3a1ef1fd54b17627c61ac40de1f03cef0a6a08a2a32bc33f7a01f41d997d3d1f0fc7ef5d2df7f

Download Submit
C:\Windows\SysWOW64\eaknufum.exe
Filesize
70KB

MD5
e6f586fbc4b799cae41b2e2c20b39349

SHA1
fb72489ba74419d8de3a0e8a6402968cce6bbb68

SHA256
924054aed9559da00fcdff46d0aeb94025329d6e09b813055fb4e00e66b7b7c8

SHA512
92ab3b874a41d2aeda3be55bc20f6741007df63725241096f7954cd00f16b63df30284cedbf30c52e719934caedf1597ef98400ba0c028e8d416d31d218f6e21

Download Submit
C:\Windows\SysWOW64\idsanoat.exe
Filesize
72KB

MD5
0641500815346bcae64946c20078dc97

SHA1
ac65b26d15641454a2816643cc3af39b26f32a71

SHA256
6f9a15565627ccf10852d2ee988e58daddbe0944d4480d204e5b77b5a0b566ac

SHA512
832f3ab6e8cd3106237ca1515b948aa309fa95d6444279a044e119edbee0926c4c68cb6863afca6a552f23fb58f59a9add5eee3f0c109d6657be3548c4f4e0c0

Download Submit
C:\Windows\SysWOW64\ubmivob-com.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
memory/740-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1316-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4228-3-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads