ec93471314c0a3ee415db05f9f9128577499ba00bfb71e401c6da5909893ae4d

General

Target

82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
Size

72KB
MD5

82575a60bad9302a4a572c0e99236690
SHA1

0994bef1618838a8503def2ea3030876858c5f16
SHA256

ec93471314c0a3ee415db05f9f9128577499ba00bfb71e401c6da5909893ae4d
SHA512

fe29be4229b9493a7de26f662ec1ed0ecba1a36459e9391c7c99e2bdcda65d84f9788e8220fd4538f167071ba4e0499ea7795d10513151666fa20421826edcfb
SSDEEP

768:x/nEuhThEUAvMgvvd9WhTOng8X6m2AYS1rg1YJZLIgwRdPxCdYLndQxzGp5hhJyQ:xs0evMm+tgg1XS181xbGgdjhh9ZoPbLo

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

adfoacat.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	adfoacat.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

adfoacat.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}\StubPath = "C:\\Windows\\system32\\ucgooteam-gum.exe"	adfoacat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E515054-544d-524d-4E51-5054544D524d}\IsInstalled = "1"	adfoacat.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

adfoacat.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouxnetoar-hor.exe"	adfoacat.exe

Executes dropped EXE 2 IoCs

Processes:

adfoacat.exeadfoacat.exe

pid process

4996 adfoacat.exe
1296 adfoacat.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

adfoacat.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	adfoacat.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	adfoacat.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

adfoacat.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	adfoacat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\utgobip.dll"	adfoacat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	adfoacat.exe

Drops file in System32 directory 9 IoCs

Processes:

adfoacat.exe82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ucgooteam-gum.exe	adfoacat.exe
File created	C:\Windows\SysWOW64\ucgooteam-gum.exe	adfoacat.exe
File opened for modification	C:\Windows\SysWOW64\utgobip.dll	adfoacat.exe
File created	C:\Windows\SysWOW64\utgobip.dll	adfoacat.exe
File opened for modification	C:\Windows\SysWOW64\adfoacat.exe	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\adfoacat.exe	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ouxnetoar-hor.exe	adfoacat.exe
File created	C:\Windows\SysWOW64\ouxnetoar-hor.exe	adfoacat.exe
File opened for modification	C:\Windows\SysWOW64\adfoacat.exe	adfoacat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

adfoacat.exeadfoacat.exe

pid	process
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
1296	adfoacat.exe
1296	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe
4996	adfoacat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

adfoacat.exe

description pid process

Token: SeDebugPrivilege 4996 adfoacat.exe

description	pid	process
Token: SeDebugPrivilege	4996	adfoacat.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exeadfoacat.exe

description	pid	process	target process
PID 1888 wrote to memory of 4996	1888	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe	adfoacat.exe
PID 1888 wrote to memory of 4996	1888	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe	adfoacat.exe
PID 1888 wrote to memory of 4996	1888	82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe	adfoacat.exe
PID 4996 wrote to memory of 616	4996	adfoacat.exe	winlogon.exe
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 1296	4996	adfoacat.exe	adfoacat.exe
PID 4996 wrote to memory of 1296	4996	adfoacat.exe	adfoacat.exe
PID 4996 wrote to memory of 1296	4996	adfoacat.exe	adfoacat.exe
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE
PID 4996 wrote to memory of 3424	4996	adfoacat.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\82575a60bad9302a4a572c0e99236690_NeikiAnalytics.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\adfoacat.exe
"C:\Windows\SysWOW64\adfoacat.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\adfoacat.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\adfoacat.exe
Filesize
70KB

MD5
16a66c3dad9626e527a4e32f69d0b2af

SHA1
1efbef97e055f8528bc7045f9c3f3245efe68ed9

SHA256
81b4c0f35a8f60964584483985799dc1d19519ec123d0fbe29739aecf513816e

SHA512
34bc6191944225912b03511b6ba26c493188d2783fda0027f586e7d6080d48a62387781be4f70380e94e429e097adb6fa85ba5f2b655688e68826781aff88a63

Download Submit
C:\Windows\SysWOW64\ouxnetoar-hor.exe
Filesize
73KB

MD5
f2a463b4a9aa57dbfceafdb85ada273f

SHA1
97316c20ad67a210f11ea1faa96d9b9ea5ebdfee

SHA256
e64e11421f067747b8d446b06f997b800a2f40b09d176b1c5aa1c39d66c24217

SHA512
57809ca31f91e0359e3697e21bedec9c769c55fb8dac4b4c9baf58459cabf5f2eaf41a6bd2d73ac278b84130ea9cc7799f37a796b7d5f4659f4c0887aa886f14

Download Submit
C:\Windows\SysWOW64\ucgooteam-gum.exe
Filesize
72KB

MD5
5d407bc5aa152eb265286ddc671d70b0

SHA1
600edf66112bc30dc78ce4f8b712923711b57012

SHA256
a529973e56af5ded948cf96ca4a01fd908c238fc12c3542cef85f4da46e76ed8

SHA512
60381f8a20779f1718285629fd8173175d744c0668f79d2d06e1d839f4deaf3de1be08dcd8a0df91b36ba16a6036f2f0a8a78c95728d9de6cf5066989bbd09af

Download Submit
C:\Windows\SysWOW64\utgobip.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
memory/1296-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1888-3-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4996-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads