6d8360704d68dca9ac1e4d7f7407a872140ebec9a8311cd949c83b354402ea79

General

Target

8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exe
Size

71KB
MD5

8f2643cef8eb703a1991c5e9845b4f20
SHA1

d3467398bda52547ff6c3cd92becb3c809e48120
SHA256

6d8360704d68dca9ac1e4d7f7407a872140ebec9a8311cd949c83b354402ea79
SHA512

d952965dd0042eafb29ffebe1d504da60bcc3b4b4e3155614048ca33f279395051c12429d97395e85c4168eee80cae42a3f67e0dd61cddfc2befae8dbfe23451
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8sl6u:Olg35GTslA5t3/w8Xu

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

epxurir-eacex.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	epxurir-eacex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	epxurir-eacex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	epxurir-eacex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	epxurir-eacex.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

epxurir-eacex.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}	epxurir-eacex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	epxurir-eacex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\IsInstalled = "1"	epxurir-eacex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\StubPath = "C:\\Windows\\system32\\ugxonob.exe"	epxurir-eacex.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

epxurir-eacex.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	epxurir-eacex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	epxurir-eacex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\avceadeg.exe"	epxurir-eacex.exe

Executes dropped EXE 2 IoCs

Processes:

epxurir-eacex.exeepxurir-eacex.exe

pid process

2904 epxurir-eacex.exe
1808 epxurir-eacex.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

epxurir-eacex.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	epxurir-eacex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	epxurir-eacex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	epxurir-eacex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	epxurir-eacex.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

epxurir-eacex.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	epxurir-eacex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	epxurir-eacex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	epxurir-eacex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eapxoahip-oxex.dll"	epxurir-eacex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	epxurir-eacex.exe

Drops file in System32 directory 9 IoCs

Processes:

8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exeepxurir-eacex.exe

description	ioc	process
File created	C:\Windows\SysWOW64\epxurir-eacex.exe	8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\avceadeg.exe	epxurir-eacex.exe
File created	C:\Windows\SysWOW64\ugxonob.exe	epxurir-eacex.exe
File opened for modification	C:\Windows\SysWOW64\eapxoahip-oxex.dll	epxurir-eacex.exe
File created	C:\Windows\SysWOW64\eapxoahip-oxex.dll	epxurir-eacex.exe
File opened for modification	C:\Windows\SysWOW64\epxurir-eacex.exe	epxurir-eacex.exe
File opened for modification	C:\Windows\SysWOW64\epxurir-eacex.exe	8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\avceadeg.exe	epxurir-eacex.exe
File opened for modification	C:\Windows\SysWOW64\ugxonob.exe	epxurir-eacex.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

epxurir-eacex.exeepxurir-eacex.exe

pid	process
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
1808	epxurir-eacex.exe
1808	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe
2904	epxurir-eacex.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exeepxurir-eacex.exe

description pid process

Token: SeDebugPrivilege 1112 8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exe
Token: SeDebugPrivilege 2904 epxurir-eacex.exe

description	pid	process
Token: SeDebugPrivilege	1112	8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exe
Token: SeDebugPrivilege	2904	epxurir-eacex.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exeepxurir-eacex.exe

description	pid	process	target process
PID 1112 wrote to memory of 2904	1112	8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exe	epxurir-eacex.exe
PID 1112 wrote to memory of 2904	1112	8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exe	epxurir-eacex.exe
PID 1112 wrote to memory of 2904	1112	8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exe	epxurir-eacex.exe
PID 2904 wrote to memory of 1808	2904	epxurir-eacex.exe	epxurir-eacex.exe
PID 2904 wrote to memory of 1808	2904	epxurir-eacex.exe	epxurir-eacex.exe
PID 2904 wrote to memory of 1808	2904	epxurir-eacex.exe	epxurir-eacex.exe
PID 2904 wrote to memory of 612	2904	epxurir-eacex.exe	winlogon.exe
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE
PID 2904 wrote to memory of 3544	2904	epxurir-eacex.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8f2643cef8eb703a1991c5e9845b4f20_NeikiAnalytics.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\epxurir-eacex.exe
"C:\Windows\system32\epxurir-eacex.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\epxurir-eacex.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\avceadeg.exe
Filesize
74KB

MD5
676fa1a0d3261ed90e61ed300c2bcf6e

SHA1
7c6074bd4966d1430dc2dc8fbbd0c98f6093bdba

SHA256
73004a0e902c57f074d9e065a25713009fed5236285609cf2a5e0d2117c6213d

SHA512
1ad2c6a63e3ce037e2dd2835ddf2192d0fc1788a842cb2dd31621e95ff62e999a5d925a69b258af0328e59d5111d12dbf90fa918daf7cc502fe64130a5515713

Download Submit
C:\Windows\SysWOW64\eapxoahip-oxex.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\epxurir-eacex.exe
Filesize
71KB

MD5
8f2643cef8eb703a1991c5e9845b4f20

SHA1
d3467398bda52547ff6c3cd92becb3c809e48120

SHA256
6d8360704d68dca9ac1e4d7f7407a872140ebec9a8311cd949c83b354402ea79

SHA512
d952965dd0042eafb29ffebe1d504da60bcc3b4b4e3155614048ca33f279395051c12429d97395e85c4168eee80cae42a3f67e0dd61cddfc2befae8dbfe23451

Download Submit
C:\Windows\SysWOW64\ugxonob.exe
Filesize
73KB

MD5
b943468b73c709aa2f96205f6748395a

SHA1
563cf6e3729b8f1db679df58e129ce6686ceaa17

SHA256
725c5bf14d5588b11b0abd6f0a6f9e7068112a367046a7039aaf9594c8f14603

SHA512
275df5963e2374676e58f7f0f8a8480230d7d9810ae7c7d145f2eed627cf745e9ab992c42776c1f7343fc67ac5b862dcf0b172e10f56221d924e565e001209e8

Download Submit
memory/1112-4-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1808-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2904-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads