ec93471314c0a3ee415db05f9f9128577499ba00bfb71e401c6da5909893ae4d

General

Target

82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
Size

72KB
MD5

82575a60bad9302a4a572c0e99236690
SHA1

0994bef1618838a8503def2ea3030876858c5f16
SHA256

ec93471314c0a3ee415db05f9f9128577499ba00bfb71e401c6da5909893ae4d
SHA512

fe29be4229b9493a7de26f662ec1ed0ecba1a36459e9391c7c99e2bdcda65d84f9788e8220fd4538f167071ba4e0499ea7795d10513151666fa20421826edcfb
SSDEEP

768:x/nEuhThEUAvMgvvd9WhTOng8X6m2AYS1rg1YJZLIgwRdPxCdYLndQxzGp5hhJyQ:xs0evMm+tgg1XS181xbGgdjhh9ZoPbLo

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

adfoacat.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	adfoacat.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

adfoacat.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\IsInstalled = "1"	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\StubPath = "C:\\Windows\\system32\\ucgooteam-gum.exe"	adfoacat.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

adfoacat.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouxnetoar-hor.exe"	adfoacat.exe

Executes dropped EXE 2 IoCs

Processes:

adfoacat.exeadfoacat.exe

pid process

2900 adfoacat.exe
2944 adfoacat.exe
Loads dropped DLL 3 IoCs

Processes:

82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exeadfoacat.exe

pid process

1708 82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
1708 82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
2900 adfoacat.exe

pid	process
1708	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
1708	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
2900	adfoacat.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

adfoacat.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	adfoacat.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

adfoacat.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	adfoacat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\utgobip.dll"	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	adfoacat.exe

Drops file in System32 directory 9 IoCs

Processes:

82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exeadfoacat.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\adfoacat.exe	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ucgooteam-gum.exe	adfoacat.exe
File created	C:\Windows\SysWOW64\ucgooteam-gum.exe	adfoacat.exe
File created	C:\Windows\SysWOW64\adfoacat.exe	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ouxnetoar-hor.exe	adfoacat.exe
File created	C:\Windows\SysWOW64\ouxnetoar-hor.exe	adfoacat.exe
File opened for modification	C:\Windows\SysWOW64\utgobip.dll	adfoacat.exe
File created	C:\Windows\SysWOW64\utgobip.dll	adfoacat.exe
File opened for modification	C:\Windows\SysWOW64\adfoacat.exe	adfoacat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

adfoacat.exeadfoacat.exe

pid	process
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2944	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe
2900	adfoacat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

adfoacat.exe

description pid process

Token: SeDebugPrivilege 2900 adfoacat.exe

description	pid	process
Token: SeDebugPrivilege	2900	adfoacat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exeadfoacat.exe

description	pid	process	target process
PID 1708 wrote to memory of 2900	1708	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe	adfoacat.exe
PID 1708 wrote to memory of 2900	1708	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe	adfoacat.exe
PID 1708 wrote to memory of 2900	1708	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe	adfoacat.exe
PID 1708 wrote to memory of 2900	1708	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe	adfoacat.exe
PID 2900 wrote to memory of 420	2900	adfoacat.exe	winlogon.exe
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 2944	2900	adfoacat.exe	adfoacat.exe
PID 2900 wrote to memory of 2944	2900	adfoacat.exe	adfoacat.exe
PID 2900 wrote to memory of 2944	2900	adfoacat.exe	adfoacat.exe
PID 2900 wrote to memory of 2944	2900	adfoacat.exe	adfoacat.exe
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE
PID 2900 wrote to memory of 1256	2900	adfoacat.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\adfoacat.exe
"C:\Windows\SysWOW64\adfoacat.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\adfoacat.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ouxnetoar-hor.exe
Filesize
73KB

MD5
e8c4bc9928a194fec65862047097dea2

SHA1
ffb1c2d78fbc1daa100204f8eaf8d6ec88c27d44

SHA256
4848b2120ca82fd99c270d88c24511d36f77d2266ccd14ba2c2dd305bebb6299

SHA512
d9d522e8c591eacc81b7893dd74107443bb935bdf66c80d1a278fab9f77b3dbacd03e9e819b5d2f81bf56e51bb720b7f3b230577b7025be9edf4e5bee6b20588

Download Submit
C:\Windows\SysWOW64\ucgooteam-gum.exe
Filesize
72KB

MD5
9f02d1a1197a46a1dcf9eb9eb7358712

SHA1
61b80fc176c92a4a7d7076e314f0e671455c74b0

SHA256
4eda3183f05f8ccff3350dc78eab7bb248b305b3bbd42baf2716fa37d2d51367

SHA512
1a187ab4dee664d617edccaf4888e4371353ff90c943f0a816daa9b653b8c6a4fd02ce95678d7837a79ebdeff844c9f2ca83c1651b0d79abc757a66a60a38cfd

Download Submit
C:\Windows\SysWOW64\utgobip.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
\Windows\SysWOW64\adfoacat.exe
Filesize
70KB

MD5
16a66c3dad9626e527a4e32f69d0b2af

SHA1
1efbef97e055f8528bc7045f9c3f3245efe68ed9

SHA256
81b4c0f35a8f60964584483985799dc1d19519ec123d0fbe29739aecf513816e

SHA512
34bc6191944225912b03511b6ba26c493188d2783fda0027f586e7d6080d48a62387781be4f70380e94e429e097adb6fa85ba5f2b655688e68826781aff88a63

Download Submit
memory/1708-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2900-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2944-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads