Analysis
- max time kernel: 149s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 03:42
Static task
static1
Behavioral task
behavioral1
Sample
7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
-
Size
70KB
-
MD5
7a54836cc430534df4d5121d1ddfff70
-
SHA1
330b3b8c90e3acfa96d8f4ec252676f907fb36ff
-
SHA256
dc6db045478c635861fe762b9d7f9bde48564965625beb4d8a0f6abf0778daab
-
SHA512
6052af5e925ddaf765836a4650d7f676c731082bf90e7b190b8358d4cf4c7f43135f339a6053a7e6f94d6e9feff4dc55e77b1952f673e1f5bfe26010605d5336
-
SSDEEP
1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8sl1Y:Olg35GTslA5t3/w8b
Malware Config
Signatures
-
Windows security bypass
Processes: ekroomoax.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ekroomoax.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ekroomoax.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ekroomoax.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ekroomoax.exe
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes: ekroomoax.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | ekroomoax.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\IsInstalled = "1" | ekroomoax.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\StubPath = "C:\\Windows\\system32\\eafxutoan.exe" | ekroomoax.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858} | ekroomoax.exe
-
Sets file execution options in registry 2 TTPs 3 IoCs
Processes: ekroomoax.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\itxedoox.exe" | ekroomoax.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | ekroomoax.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | ekroomoax.exe
-
Executes dropped EXE 2 IoCs
Processes: ekroomoax.exe, ekroomoax.exe
pid | process
2956 | ekroomoax.exe
2528 | ekroomoax.exe
-
Loads dropped DLL 3 IoCs
Processes: 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe, ekroomoax.exe
pid | process
1028 | 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
1028 | 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
2956 | ekroomoax.exe
-
Windows security modification
Processes: ekroomoax.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ekroomoax.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ekroomoax.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ekroomoax.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ekroomoax.exe
-
Modifies WinLogon 2 TTPs 5 IoCs
Processes: ekroomoax.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | ekroomoax.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | ekroomoax.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oumxifud-umix.dll" | ekroomoax.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | ekroomoax.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | ekroomoax.exe
-
Drops file in System32 directory 9 IoCs
Processes: ekroomoax.exe, 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
description | ioc | process
File created | C:\Windows\SysWOW64\eafxutoan.exe | ekroomoax.exe
File opened for modification | C:\Windows\SysWOW64\oumxifud-umix.dll | ekroomoax.exe
File opened for modification | C:\Windows\SysWOW64\ekroomoax.exe | ekroomoax.exe
File opened for modification | C:\Windows\SysWOW64\ekroomoax.exe | 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\ekroomoax.exe | 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\itxedoox.exe | ekroomoax.exe
File created | C:\Windows\SysWOW64\itxedoox.exe | ekroomoax.exe
File opened for modification | C:\Windows\SysWOW64\eafxutoan.exe | ekroomoax.exe
File created | C:\Windows\SysWOW64\oumxifud-umix.dll | ekroomoax.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: ekroomoax.exe, ekroomoax.exe
pid | process
2956 | ekroomoax.exe
2956 | ekroomoax.exe
2956 | ekroomoax.exe
2956 | ekroomoax.exe
2528 | ekroomoax.exe
2956 | ekroomoax.exe (the same pid/process pair repeats for all remaining entries; 64 IoCs in total)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe, ekroomoax.exe
description | pid | process
Token: SeDebugPrivilege | 1028 | 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2956 | ekroomoax.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe, ekroomoax.exe
description | pid | process | target process
PID 1028 wrote to memory of 2956 | 1028 | 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe | ekroomoax.exe
PID 1028 wrote to memory of 2956 | 1028 | 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe | ekroomoax.exe
PID 1028 wrote to memory of 2956 | 1028 | 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe | ekroomoax.exe
PID 1028 wrote to memory of 2956 | 1028 | 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe | ekroomoax.exe
PID 2956 wrote to memory of 436 | 2956 | ekroomoax.exe | winlogon.exe
PID 2956 wrote to memory of 1152 | 2956 | ekroomoax.exe | Explorer.EXE
PID 2956 wrote to memory of 1152 | 2956 | ekroomoax.exe | Explorer.EXE
PID 2956 wrote to memory of 2528 | 2956 | ekroomoax.exe | ekroomoax.exe
PID 2956 wrote to memory of 2528 | 2956 | ekroomoax.exe | ekroomoax.exe
PID 2956 wrote to memory of 2528 | 2956 | ekroomoax.exe | ekroomoax.exe
PID 2956 wrote to memory of 2528 | 2956 | ekroomoax.exe | ekroomoax.exe
PID 2956 wrote to memory of 1152 | 2956 | ekroomoax.exe | Explorer.EXE (the same row repeats for all remaining entries; 64 IoCs in total)
Processes
-
C:\Windows\system32\winlogon.exe (level 1)
  command line: winlogon.exe
-
C:\Windows\Explorer.EXE (level 1)
  command line: C:\Windows\Explorer.EXE
-
C:\Users\Admin\AppData\Local\Temp\7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe (level 2)
  command line: "C:\Users\Admin\AppData\Local\Temp\7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ekroomoax.exe (level 3)
  command line: "C:\Windows\system32\ekroomoax.exe"
  - Windows security bypass
  - Modifies Installed Components in the registry
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ekroomoax.exe (level 4)
  command line: --k33p
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\SysWOW64\eafxutoan.exe
  Filesize: 72KB
  MD5: ca84d272d0c97125fab24e4ca9b7217f
  SHA1: 44e53e800ac0c55242b593e9c026240a5dd32da7
  SHA256: b291a7acb6bb53dc0a2df8f1e6bd167fc5333ffb06f8636da2bb767c36e84e31
  SHA512: 622820d2905ce1aad6b981b999df5b05c29374202269bca0bbc3ba8260944e54cb83db2dac56ba25e199d5d15f45746e45b783a62b9b6692e027c0a6341dbb6b
-
C:\Windows\SysWOW64\itxedoox.exe
  Filesize: 73KB
  MD5: ede04cce7fec97a100d29aa3690ac052
  SHA1: f19afdb1cc4e000506474d9f4155eaf855cb0680
  SHA256: b131649ccbd21ad91f82b8f73914a4bb6597deb1385d9e8a1a948ccc812a3f7f
  SHA512: db53cdf4a4cb5f01a4554c8b94b4d2b4e86828c6c59035aae79d5eca79d68c6d0ad045bfee4b906f991bd9bd5d09029d0328475ae6c215020b1dc22444b4897e
-
C:\Windows\SysWOW64\oumxifud-umix.dll
  Filesize: 5KB
  MD5: f37b21c00fd81bd93c89ce741a88f183
  SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
  SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
  SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
\Windows\SysWOW64\ekroomoax.exe
  Filesize: 70KB
  MD5: 7a54836cc430534df4d5121d1ddfff70
  SHA1: 330b3b8c90e3acfa96d8f4ec252676f907fb36ff
  SHA256: dc6db045478c635861fe762b9d7f9bde48564965625beb4d8a0f6abf0778daab
  SHA512: 6052af5e925ddaf765836a4650d7f676c731082bf90e7b190b8358d4cf4c7f43135f339a6053a7e6f94d6e9feff4dc55e77b1952f673e1f5bfe26010605d5336
-
memory/1028-9-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
-
memory/2528-56-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
-
memory/2956-55-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB