cfa41188e38a7b48d38e1844ca5f972dcb230b6eaf5a2f08e10950257f5307ed

General

Target

6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe
Size

72KB
MD5

6660c56c7a8b7b64e2bd5b829617c050
SHA1

6029c52b635a46501e3ee94ec6526fb64feec394
SHA256

cfa41188e38a7b48d38e1844ca5f972dcb230b6eaf5a2f08e10950257f5307ed
SHA512

5591929d9081bc577bad9545e6ed06eb3a91e0bc84304d49a829ea5c39a756f5caccd9f4ed29677c73b5c58de5fd5a0c49b05ad6b53e69e0164910e1fe632b0f
SSDEEP

768:x/nbDcnZARkcr07JP9Xdg7SV5bWNy1IMakG98N+hayyyOHoW5iKTNGNXft9RxVHY:xDDcIJ0JlXuGEUaWMnHcJOVkr7

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ehtoapor-dat.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ehtoapor-dat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ehtoapor-dat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ehtoapor-dat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ehtoapor-dat.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ehtoapor-dat.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}	ehtoapor-dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	ehtoapor-dat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}\IsInstalled = "1"	ehtoapor-dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}\StubPath = "C:\\Windows\\system32\\atbemood-adeas.exe"	ehtoapor-dat.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ehtoapor-dat.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	ehtoapor-dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\efreasoat.exe"	ehtoapor-dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	ehtoapor-dat.exe

Executes dropped EXE 2 IoCs

Processes:

ehtoapor-dat.exeehtoapor-dat.exe

pid process

2036 ehtoapor-dat.exe
1780 ehtoapor-dat.exe
Loads dropped DLL 3 IoCs

Processes:

6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exeehtoapor-dat.exe

pid process

1688 6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe
1688 6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe
2036 ehtoapor-dat.exe

pid	process
1688	6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe
1688	6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe
2036	ehtoapor-dat.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ehtoapor-dat.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ehtoapor-dat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ehtoapor-dat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ehtoapor-dat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ehtoapor-dat.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ehtoapor-dat.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	ehtoapor-dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\easvesig-roas.dll"	ehtoapor-dat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	ehtoapor-dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	ehtoapor-dat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ehtoapor-dat.exe

Drops file in System32 directory 9 IoCs

Processes:

6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exeehtoapor-dat.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ehtoapor-dat.exe	6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\efreasoat.exe	ehtoapor-dat.exe
File opened for modification	C:\Windows\SysWOW64\ehtoapor-dat.exe	ehtoapor-dat.exe
File created	C:\Windows\SysWOW64\ehtoapor-dat.exe	6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\efreasoat.exe	ehtoapor-dat.exe
File opened for modification	C:\Windows\SysWOW64\atbemood-adeas.exe	ehtoapor-dat.exe
File created	C:\Windows\SysWOW64\atbemood-adeas.exe	ehtoapor-dat.exe
File opened for modification	C:\Windows\SysWOW64\easvesig-roas.dll	ehtoapor-dat.exe
File created	C:\Windows\SysWOW64\easvesig-roas.dll	ehtoapor-dat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ehtoapor-dat.exeehtoapor-dat.exe

pid	process
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
1780	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe
2036	ehtoapor-dat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ehtoapor-dat.exe

description pid process

Token: SeDebugPrivilege 2036 ehtoapor-dat.exe

description	pid	process
Token: SeDebugPrivilege	2036	ehtoapor-dat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exeehtoapor-dat.exe

description	pid	process	target process
PID 1688 wrote to memory of 2036	1688	6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe	ehtoapor-dat.exe
PID 1688 wrote to memory of 2036	1688	6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe	ehtoapor-dat.exe
PID 1688 wrote to memory of 2036	1688	6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe	ehtoapor-dat.exe
PID 1688 wrote to memory of 2036	1688	6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe	ehtoapor-dat.exe
PID 2036 wrote to memory of 436	2036	ehtoapor-dat.exe	winlogon.exe
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1780	2036	ehtoapor-dat.exe	ehtoapor-dat.exe
PID 2036 wrote to memory of 1780	2036	ehtoapor-dat.exe	ehtoapor-dat.exe
PID 2036 wrote to memory of 1780	2036	ehtoapor-dat.exe	ehtoapor-dat.exe
PID 2036 wrote to memory of 1780	2036	ehtoapor-dat.exe	ehtoapor-dat.exe
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE
PID 2036 wrote to memory of 1380	2036	ehtoapor-dat.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6660c56c7a8b7b64e2bd5b829617c050_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\ehtoapor-dat.exe
"C:\Windows\SysWOW64\ehtoapor-dat.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\ehtoapor-dat.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\atbemood-adeas.exe
Filesize
72KB

MD5
fece9da8c3a22f48f6e25ea5026a16f6

SHA1
f3a6dfd064d5199977c7fe86bd0bbf588759894e

SHA256
3cb05ae973955739785920ad84b8853a8269fc3b17da52237961bf6e9de49081

SHA512
a9252e1997d6dfd11bbc06ee4a9fce9165b8261aa338777656401a4a80c21bc5934ed43e8a61fef50f9a8a26c4f0f28514bef88a8f5dacb82662ad7dbb126702

Download Submit
C:\Windows\SysWOW64\easvesig-roas.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\efreasoat.exe
Filesize
73KB

MD5
c5180e84e720fc5d7bb81e22e4997318

SHA1
947bc1b5ccf6112469cc9907faa982cdfd4d4b7c

SHA256
e54b27648e240940694fa8a70f967519e13ab987b59f35c1e4c22f60fdfbc2bf

SHA512
2fe9b9110db9229f63a2f1e477d5f6e23ddf8f2f7e3fcf7de7e6e7f2dd1b08cc9c5119fd3e56a99d2e6dd22b96ffd65a85e2854789b03f672f5d6c9632b48016

Download Submit
\Windows\SysWOW64\ehtoapor-dat.exe
Filesize
70KB

MD5
9d449571306b93d793ee450e13c0b546

SHA1
948a00cdcf4754e7e1cac83aa0d6b91cbb1ae3e1

SHA256
676945628b5549287f9efe3d47cb93e6207a0b45da126f6fc07472f1ebe6ae4e

SHA512
337ad790765671da28b6387b0e188ba57779e66badfb85254d28d1f95ad6676993cff675c8a2cf7f447dd356d1dea18623aa5cbff926aafa6ff1bc4f0eecb09d

Download Submit
memory/1688-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1780-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2036-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads