885295b4ae7dec735e28bf4347224844d5f57e08e758302e189ef80f2b203d8c

General

Target

e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exe
Size

68KB
MD5

e7f3d42975ea5294d51d31f92f983c70
SHA1

80f215e749df38a358999a0a723237d185eb7fe3
SHA256

885295b4ae7dec735e28bf4347224844d5f57e08e758302e189ef80f2b203d8c
SHA512

cd53c4681355b520ea92c8bc600f84f6ac94540a8841e98c89aee267e1fb5a6efebb513742884234cc9b22724a453ad16c70848b202e118f257f81f9da29340d
SSDEEP

1536:1teqGDlXvCDB04f5Gn/L8ZlALNtnd1Fwg8:6lg35GTclABtnNwd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ottoopuk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ottoopuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ottoopuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ottoopuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ottoopuk.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ottoopuk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	ottoopuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59}\IsInstalled = "1"	ottoopuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59}\StubPath = "C:\\Windows\\system32\\eatdodar.exe"	ottoopuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F41494C-5643-4e59-4F41-494C56434e59}	ottoopuk.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ottoopuk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	ottoopuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	ottoopuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\efreamet.exe"	ottoopuk.exe

Executes dropped EXE 2 IoCs

Processes:

ottoopuk.exeottoopuk.exe

pid process

3272 ottoopuk.exe
4676 ottoopuk.exe

pid	process
3272	ottoopuk.exe
4676	ottoopuk.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ottoopuk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ottoopuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ottoopuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ottoopuk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ottoopuk.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ottoopuk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	ottoopuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	ottoopuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ottoopuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	ottoopuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ochanap.dll"	ottoopuk.exe

Drops file in System32 directory 9 IoCs

Processes:

e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exeottoopuk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ottoopuk.exe	e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\efreamet.exe	ottoopuk.exe
File opened for modification	C:\Windows\SysWOW64\eatdodar.exe	ottoopuk.exe
File created	C:\Windows\SysWOW64\ochanap.dll	ottoopuk.exe
File created	C:\Windows\SysWOW64\ottoopuk.exe	e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\efreamet.exe	ottoopuk.exe
File created	C:\Windows\SysWOW64\eatdodar.exe	ottoopuk.exe
File opened for modification	C:\Windows\SysWOW64\ochanap.dll	ottoopuk.exe
File opened for modification	C:\Windows\SysWOW64\ottoopuk.exe	ottoopuk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ottoopuk.exeottoopuk.exe

pid	process
4676	ottoopuk.exe
4676	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe
3272	ottoopuk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exeottoopuk.exe

description pid process

Token: SeDebugPrivilege 1600 e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exe
Token: SeDebugPrivilege 3272 ottoopuk.exe

description	pid	process
Token: SeDebugPrivilege	1600	e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exe
Token: SeDebugPrivilege	3272	ottoopuk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exeottoopuk.exe

description	pid	process	target process
PID 1600 wrote to memory of 3272	1600	e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exe	ottoopuk.exe
PID 1600 wrote to memory of 3272	1600	e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exe	ottoopuk.exe
PID 1600 wrote to memory of 3272	1600	e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exe	ottoopuk.exe
PID 3272 wrote to memory of 4676	3272	ottoopuk.exe	ottoopuk.exe
PID 3272 wrote to memory of 4676	3272	ottoopuk.exe	ottoopuk.exe
PID 3272 wrote to memory of 4676	3272	ottoopuk.exe	ottoopuk.exe
PID 3272 wrote to memory of 612	3272	ottoopuk.exe	winlogon.exe
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE
PID 3272 wrote to memory of 3348	3272	ottoopuk.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e7f3d42975ea5294d51d31f92f983c70_NeikiAnalytics.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\ottoopuk.exe
"C:\Windows\system32\ottoopuk.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\ottoopuk.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5244 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:3364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eatdodar.exe
Filesize
70KB

MD5
be8dcf075e8be840946b0b65d596cb53

SHA1
80233b99e0a0322efe70ffd3d47924b7c9e37ce1

SHA256
702d7a2f4f41568ebfa8bb44ca9a7bb8842d08fffe13159264fc4ded7436b2e7

SHA512
bf74f8d5d65dbce3d8ae768cd93b052ee7786e61323a7e2d5b552776dfa3068f9f46a73f84efa1bd1b3916e0afdcf369a429bf55c836c654aec1e51068b19aac

Download Submit
C:\Windows\SysWOW64\efreamet.exe
Filesize
71KB

MD5
5c5311e0fb3dc693da88566b83b509a3

SHA1
f5851300f0b632789b6f9bcee18f487fd1e22872

SHA256
ee547e7f0e5fe29f7a017b7641f09937d04a535e264a8f8f207f5d1ff9f733f0

SHA512
1aad821c5fc5a55a1ad13c1cd021b8e232c8c37faa80c8a45cc01bc946e6c28da1ef2d5725b8c6385fa781080cae749508f221571a34233294f0f65656a630d5

Download Submit
C:\Windows\SysWOW64\ochanap.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\ottoopuk.exe
Filesize
68KB

MD5
e7f3d42975ea5294d51d31f92f983c70

SHA1
80f215e749df38a358999a0a723237d185eb7fe3

SHA256
885295b4ae7dec735e28bf4347224844d5f57e08e758302e189ef80f2b203d8c

SHA512
cd53c4681355b520ea92c8bc600f84f6ac94540a8841e98c89aee267e1fb5a6efebb513742884234cc9b22724a453ad16c70848b202e118f257f81f9da29340d

Download Submit
memory/1600-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3272-43-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4676-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads