dc6db045478c635861fe762b9d7f9bde48564965625beb4d8a0f6abf0778daab

General

Target

7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
Size

70KB
MD5

7a54836cc430534df4d5121d1ddfff70
SHA1

330b3b8c90e3acfa96d8f4ec252676f907fb36ff
SHA256

dc6db045478c635861fe762b9d7f9bde48564965625beb4d8a0f6abf0778daab
SHA512

6052af5e925ddaf765836a4650d7f676c731082bf90e7b190b8358d4cf4c7f43135f339a6053a7e6f94d6e9feff4dc55e77b1952f673e1f5bfe26010605d5336
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8sl1Y:Olg35GTslA5t3/w8b

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ekroomoax.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ekroomoax.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ekroomoax.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ekroomoax.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ekroomoax.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ekroomoax.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}	ekroomoax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	ekroomoax.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}\IsInstalled = "1"	ekroomoax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}\StubPath = "C:\\Windows\\system32\\eafxutoan.exe"	ekroomoax.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ekroomoax.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	ekroomoax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	ekroomoax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\itxedoox.exe"	ekroomoax.exe

Executes dropped EXE 2 IoCs

Processes:

ekroomoax.exeekroomoax.exe

pid process

2268 ekroomoax.exe
4884 ekroomoax.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ekroomoax.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ekroomoax.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ekroomoax.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ekroomoax.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ekroomoax.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ekroomoax.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oumxifud-umix.dll"	ekroomoax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	ekroomoax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	ekroomoax.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ekroomoax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	ekroomoax.exe

Drops file in System32 directory 9 IoCs

Processes:

7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exeekroomoax.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ekroomoax.exe	7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\itxedoox.exe	ekroomoax.exe
File created	C:\Windows\SysWOW64\itxedoox.exe	ekroomoax.exe
File opened for modification	C:\Windows\SysWOW64\eafxutoan.exe	ekroomoax.exe
File created	C:\Windows\SysWOW64\eafxutoan.exe	ekroomoax.exe
File created	C:\Windows\SysWOW64\oumxifud-umix.dll	ekroomoax.exe
File created	C:\Windows\SysWOW64\ekroomoax.exe	7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\oumxifud-umix.dll	ekroomoax.exe
File opened for modification	C:\Windows\SysWOW64\ekroomoax.exe	ekroomoax.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ekroomoax.exeekroomoax.exe

pid	process
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
4884	ekroomoax.exe
4884	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe
2268	ekroomoax.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exeekroomoax.exe

description pid process

Token: SeDebugPrivilege 3544 7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
Token: SeDebugPrivilege 2268 ekroomoax.exe

description	pid	process
Token: SeDebugPrivilege	3544	7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
Token: SeDebugPrivilege	2268	ekroomoax.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exeekroomoax.exe

description	pid	process	target process
PID 3544 wrote to memory of 2268	3544	7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe	ekroomoax.exe
PID 3544 wrote to memory of 2268	3544	7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe	ekroomoax.exe
PID 3544 wrote to memory of 2268	3544	7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe	ekroomoax.exe
PID 2268 wrote to memory of 604	2268	ekroomoax.exe	winlogon.exe
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 4884	2268	ekroomoax.exe	ekroomoax.exe
PID 2268 wrote to memory of 4884	2268	ekroomoax.exe	ekroomoax.exe
PID 2268 wrote to memory of 4884	2268	ekroomoax.exe	ekroomoax.exe
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE
PID 2268 wrote to memory of 3472	2268	ekroomoax.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7a54836cc430534df4d5121d1ddfff70_NeikiAnalytics.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544

C:\Windows\SysWOW64\ekroomoax.exe
"C:\Windows\system32\ekroomoax.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\ekroomoax.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eafxutoan.exe
Filesize
72KB

MD5
b19fda774cd284f4dc628c4594b83623

SHA1
aba7580e460aa7abfa8db5642a67293e40a39141

SHA256
70f20f7cebcf8f1921018091705c911e7dbfd937736378ddff57b53fb56b96d9

SHA512
f703fff1b2a86ede3b424f08d1d65878d817a42cf689d38d0f20cc909daee94aabbb7d56cd47fb98157e78f268e38ed56ec18e22e3259375a409f048e0e7555f

Download Submit
C:\Windows\SysWOW64\ekroomoax.exe
Filesize
70KB

MD5
7a54836cc430534df4d5121d1ddfff70

SHA1
330b3b8c90e3acfa96d8f4ec252676f907fb36ff

SHA256
dc6db045478c635861fe762b9d7f9bde48564965625beb4d8a0f6abf0778daab

SHA512
6052af5e925ddaf765836a4650d7f676c731082bf90e7b190b8358d4cf4c7f43135f339a6053a7e6f94d6e9feff4dc55e77b1952f673e1f5bfe26010605d5336

Download Submit
C:\Windows\SysWOW64\itxedoox.exe
Filesize
73KB

MD5
e9b37885c830f1cdd94806eb5a8db6be

SHA1
c1aa2cccf463a44c44bb7aac20d487b274bf69fb

SHA256
6136c287c4b4d2136a79fda0ee66b0d32d15bc157eb2d2f6788d7e31ab25cc5a

SHA512
25d55d3a0928c3ddbfdbf0967183d9813e4f8602d140bc6d03691b3a6dbc8a118196862ea3dcd05dd86b42c5ca846199d541c5ff450ab864d212cafe37c4fdd3

Download Submit
C:\Windows\SysWOW64\oumxifud-umix.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
memory/2268-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3544-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4884-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads