a1a8fd4e02e99b90ecba45fb655b97e41f18da54272a9dca8c9252c2862336db

General

Target

6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
Size

72KB
MD5

6f2553f210ed8f1197dce823c8fa2610
SHA1

dd493659d3c6bd2c3c72425bafe500720459fc14
SHA256

a1a8fd4e02e99b90ecba45fb655b97e41f18da54272a9dca8c9252c2862336db
SHA512

0d6b2ece364a5685e55b1c9e656cc0bfa7a6550ae4f456016a27e78655a5ebe41f772a9380ccd287cc2589566acda5456cf13c765efde094f453d6248b61d40b
SSDEEP

1536:xAyToPledgGkAlSt9yzkwUk6Nr5kEHIwA69:3hgRAlStYzkrJNFkEH99

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

osridev.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	osridev.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	osridev.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	osridev.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	osridev.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

osridev.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}	osridev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	osridev.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\IsInstalled = "1"	osridev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\StubPath = "C:\\Windows\\system32\\agduream-cooc.exe"	osridev.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

osridev.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	osridev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eavvoatead.exe"	osridev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	osridev.exe

Executes dropped EXE 2 IoCs

Processes:

osridev.exeosridev.exe

pid process

2184 osridev.exe
2380 osridev.exe
Loads dropped DLL 3 IoCs

Processes:

6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exeosridev.exe

pid process

2432 6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
2432 6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
2184 osridev.exe

pid	process
2432	6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
2432	6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
2184	osridev.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

osridev.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	osridev.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	osridev.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	osridev.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	osridev.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

osridev.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eahgotem-itac.dll"	osridev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	osridev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	osridev.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	osridev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	osridev.exe

Drops file in System32 directory 9 IoCs

Processes:

osridev.exe6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\eavvoatead.exe	osridev.exe
File created	C:\Windows\SysWOW64\eavvoatead.exe	osridev.exe
File opened for modification	C:\Windows\SysWOW64\agduream-cooc.exe	osridev.exe
File created	C:\Windows\SysWOW64\eahgotem-itac.dll	osridev.exe
File opened for modification	C:\Windows\SysWOW64\osridev.exe	6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\osridev.exe	6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\agduream-cooc.exe	osridev.exe
File opened for modification	C:\Windows\SysWOW64\eahgotem-itac.dll	osridev.exe
File opened for modification	C:\Windows\SysWOW64\osridev.exe	osridev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

osridev.exeosridev.exe

pid	process
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2380	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe
2184	osridev.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

osridev.exe

description pid process

Token: SeDebugPrivilege 2184 osridev.exe

description	pid	process
Token: SeDebugPrivilege	2184	osridev.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exeosridev.exe

description	pid	process	target process
PID 2432 wrote to memory of 2184	2432	6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe	osridev.exe
PID 2432 wrote to memory of 2184	2432	6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe	osridev.exe
PID 2432 wrote to memory of 2184	2432	6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe	osridev.exe
PID 2432 wrote to memory of 2184	2432	6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe	osridev.exe
PID 2184 wrote to memory of 432	2184	osridev.exe	winlogon.exe
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 2380	2184	osridev.exe	osridev.exe
PID 2184 wrote to memory of 2380	2184	osridev.exe	osridev.exe
PID 2184 wrote to memory of 2380	2184	osridev.exe	osridev.exe
PID 2184 wrote to memory of 2380	2184	osridev.exe	osridev.exe
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE
PID 2184 wrote to memory of 1208	2184	osridev.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\osridev.exe
"C:\Windows\SysWOW64\osridev.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\osridev.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\agduream-cooc.exe
Filesize
72KB

MD5
2fcf07608d6698a3b20b89ccc4983875

SHA1
a24eed1378c89ad74f6058437edd60514dfd8d39

SHA256
51ed5f8e3f7d4a71b249f803d0e23f086347a0b87a72f71add98198d86ded5bf

SHA512
0a2bcf2e6b9e9678de946c23da0076b58721f6f24b38142fb59a876b7c475298aae11adfa42621a6ff249bc3c22d94d6ee3d28d2a5f64a27a6bc26a179f59faf

Download Submit
C:\Windows\SysWOW64\eahgotem-itac.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\eavvoatead.exe
Filesize
73KB

MD5
62be2825f9b50811b32cf33752888b53

SHA1
8a8fc6d2aee27766dd04c89692707ee3e17312e4

SHA256
f2901cef8547131a9a7b12a4ca4f07fa7295a92e62faf6c84931d6c6aae0371a

SHA512
5b2df29c37b221fe6a83320c349d017436f9538ae75d5b88e0261106f2d44f95d64390ca5b259bb31106549c9564a894dc0c336fd6e81164eb9ecc66056ba3dc

Download Submit
\Windows\SysWOW64\osridev.exe
Filesize
70KB

MD5
a6ecfcac40acf05f0792752f5b8ed694

SHA1
3bd5d0d0d5c92b8cb9f999b1a341005d04cce95c

SHA256
3e33dec04c9b7f01b83b1f6e8b19897b9c300db500e88cfad0a19b4ae6aedbb2

SHA512
79457cac4bba237cfc796202d4594f84b5e44a3684fd90866a012b79ed07dc0a96f415b696730f24c9e5191e8a39e224f3b924d44c555bfdb4c5fdd5474a4bb7

Download Submit
memory/2184-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2380-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2432-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads