Analysis
- max time kernel: 149s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 07:29

Static task: static1
Behavioral task: behavioral1
- Sample: a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
- Size: 71KB
- MD5: a6db860f9edd23afc61f55ae9deeeb70
- SHA1: 9c038906baa79e744dea87ebf6ac0b293bdfd51e
- SHA256: b6f6e143126903005fe950b5752d7d04ea0796297552a714c7071c0e0cbc49db
- SHA512: 9a329e28eff13fa7304dd906724a48c113ed346a675c835f3d4028d583478090ea7ebe1c12343f03a6811d1c13342b094bfc29df86eee4f52f6d6fd03f3ab34b
- SSDEEP: 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8sle:Olg35GTslA5t3/w8j
Malware Config
Signatures
Windows security bypass 4 IoCs
Processes: ufgeaxav.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ufgeaxav.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ufgeaxav.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ufgeaxav.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ufgeaxav.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes: ufgeaxav.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59434C45-5854-414c-5943-4C455854414c}\StubPath = "C:\\Windows\\system32\\ouxleheax.exe" | ufgeaxav.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59434C45-5854-414c-5943-4C455854414c} | ufgeaxav.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59434C45-5854-414c-5943-4C455854414c}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | ufgeaxav.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59434C45-5854-414c-5943-4C455854414c}\IsInstalled = "1" | ufgeaxav.exe

Sets file execution options in registry 2 TTPs 3 IoCs
Processes: ufgeaxav.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ignoamit-moot.exe" | ufgeaxav.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | ufgeaxav.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | ufgeaxav.exe

Executes dropped EXE 2 IoCs
Processes: ufgeaxav.exe (5004), ufgeaxav.exe (3304)
pid | process
5004 | ufgeaxav.exe
3304 | ufgeaxav.exe

Windows security modification 4 IoCs
Processes: ufgeaxav.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ufgeaxav.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ufgeaxav.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ufgeaxav.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ufgeaxav.exe

Modifies WinLogon 2 TTPs 5 IoCs
Processes: ufgeaxav.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | ufgeaxav.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | ufgeaxav.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | ufgeaxav.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\kveatob-sac.dll" | ufgeaxav.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | ufgeaxav.exe

Drops file in System32 directory 9 IoCs
Processes: a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe, ufgeaxav.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\ufgeaxav.exe | a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\ignoamit-moot.exe | ufgeaxav.exe
File opened for modification | C:\Windows\SysWOW64\ouxleheax.exe | ufgeaxav.exe
File created | C:\Windows\SysWOW64\kveatob-sac.dll | ufgeaxav.exe
File opened for modification | C:\Windows\SysWOW64\ufgeaxav.exe | ufgeaxav.exe
File created | C:\Windows\SysWOW64\ufgeaxav.exe | a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\ignoamit-moot.exe | ufgeaxav.exe
File created | C:\Windows\SysWOW64\ouxleheax.exe | ufgeaxav.exe
File opened for modification | C:\Windows\SysWOW64\kveatob-sac.dll | ufgeaxav.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: ufgeaxav.exe (5004), ufgeaxav.exe (3304)
pid | process | occurrences (of the 64 listed)
5004 | ufgeaxav.exe | 62
3304 | ufgeaxav.exe | 2

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe, ufgeaxav.exe
description | pid | process
Token: SeDebugPrivilege | 116 | a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
Token: SeDebugPrivilege | 5004 | ufgeaxav.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe, ufgeaxav.exe
description | pid | process | target process | occurrences (of the 64 listed)
PID 116 wrote to memory of 5004 | 116 | a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe | ufgeaxav.exe | 3
PID 5004 wrote to memory of 3304 | 5004 | ufgeaxav.exe | ufgeaxav.exe | 3
PID 5004 wrote to memory of 612 | 5004 | ufgeaxav.exe | winlogon.exe | 1
PID 5004 wrote to memory of 3432 | 5004 | ufgeaxav.exe | Explorer.EXE | 57
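The registry signatures above all come from one 32-bit process, and the key paths carry two details a responder needs. First, the Security Center, Active Setup and Winlogon entries sit under WOW6432Node (the 32-bit view of the registry on this x64 image) while the IFEO Debugger value went to the native path, because the Image File Execution Options key is shared between the two views; a check that only reads the native view therefore finds the IFEO hijack and nothing else. Second, every payload string names C:\Windows\system32, yet the "Drops file in System32 directory" table shows the files in C:\Windows\SysWOW64, which is the WOW64 file-system redirector acting on a 32-bit writer (the process tree shows the same thing: command line system32\ufgeaxav.exe, image path SysWOW64\ufgeaxav.exe), so both directories have to be checked on disk. One further caveat: Winlogon stopped loading Notify packages in Windows Vista, so on this Windows 10 image the DLLName entry is an attempt at persistence rather than working persistence, though it still shows intent and still needs removing. The block below is an added example, not sandbox code: it parses IoC lines in the report's own layout (transcribed here as a constructed sample), maps each to a mechanism and ATT&CK technique using a rule table of the example's own, and lists both candidate locations for each payload.

```python
"""Classify sandbox registry-write events into the persistence and
defense-evasion mechanisms shown in this report.

Added example, not sandbox output: the event lines are transcribed from the
report's IoC tables into a constructed sample, and the rule table plus ATT&CK
mapping are this example's own."""
import re

# Constructed sample: the report's "Set value" / "Key created" IoCs, one per
# line, in the report's own "description ioc process" layout.
RAW_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" ufgeaxav.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" ufgeaxav.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" ufgeaxav.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" ufgeaxav.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59434C45-5854-414c-5943-4C455854414c} ufgeaxav.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59434C45-5854-414c-5943-4C455854414c}\StubPath = "C:\\Windows\\system32\\ouxleheax.exe" ufgeaxav.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59434C45-5854-414c-5943-4C455854414c}\IsInstalled = "1" ufgeaxav.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ignoamit-moot.exe" ufgeaxav.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\kveatob-sac.dll" ufgeaxav.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" ufgeaxav.exe
""".strip().splitlines()

# description, key path, optional = "value", writing process
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<proc>\S+)$'
)

# (regex on the normalised, native-view path, mechanism, ATT&CK technique)
RULES = [
    (r'^HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\([^\\]+)\\StubPath$',
     'Active Setup StubPath: payload runs at user logon', 'T1547.014'),
    (r'^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\([^\\]+)\\Debugger$',
     'IFEO Debugger: payload launched in place of the named image', 'T1546.012'),
    (r'^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\([^\\]+)\\DLLName$',
     'Winlogon Notify DLL (legacy key, not loaded since Vista)', 'T1547.004'),
    (r'^HKLM\\SOFTWARE\\Microsoft\\Security Center\\'
     r'(AntiVirusOverride|AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify)$',
     'Security Center alert suppression value', 'T1562.001'),
]


def parse_event(line):
    """Split one report line into fields; the key path is also normalised to the
    native view so that a single rule covers both registry views."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f'unrecognised event line: {line!r}')
    path = m.group('path')
    value = m.group('value')
    if value is not None:
        value = value.replace('\\\\', '\\')  # the report renders backslashes doubled
    return {
        'op': m.group('op'),
        'path': path,
        'norm': path.replace('\\REGISTRY\\MACHINE\\', 'HKLM\\').replace('\\WOW6432Node\\', '\\'),
        'wow64_view': '\\WOW6432Node\\' in path,
        'value': value,
        'process': m.group('proc'),
    }


def classify(lines):
    """Return (findings, number_of_unmatched_events) for report event lines."""
    findings, unmatched = [], 0
    for line in lines:
        ev = parse_event(line)
        for pattern, mechanism, technique in RULES:
            m = re.match(pattern, ev['norm'], re.IGNORECASE)
            if m:
                findings.append({'technique': technique, 'mechanism': mechanism,
                                 'target': m.group(1), 'payload': ev['value'],
                                 'process': ev['process'], 'wow64_view': ev['wow64_view']})
                break
        else:
            unmatched += 1
    return findings, unmatched


SYSTEM32 = 'C:\\Windows\\system32\\'


def candidate_files(findings):
    """Disk locations to check for each payload. A 32-bit writer has its
    system32 file writes redirected to SysWOW64 by WOW64 (the report's drop
    table shows exactly that), so both directories are returned."""
    out = set()
    for f in findings:
        payload = f['payload'] or ''
        if payload.lower().startswith(SYSTEM32.lower()):
            out.add(payload)
            out.add('C:\\Windows\\SysWOW64\\' + payload[len(SYSTEM32):])
    return sorted(out)


if __name__ == '__main__':
    found, skipped = classify(RAW_EVENTS)
    for f in found:
        view = 'WOW6432Node' if f['wow64_view'] else 'native'
        print(f"{f['technique']}  {f['mechanism']}  [{view}]  -> {f['payload']}")
    print(f'{skipped} event(s) matched no rule')
    print('check on disk:', *candidate_files(found), sep='\n  ')
```

The three events that match no rule (the key creation, IsInstalled, and the Startup string) are reported as a count rather than dropped, so a rule gap shows up instead of silently disappearing; the long numeric value names set to "a" are left unclassified because the report gives no basis for saying what they are for.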
Processes
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 612
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3432
  - C:\Users\Admin\AppData\Local\Temp\a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe"
    PID: 116
    signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ufgeaxav.exe
      command line: "C:\Windows\system32\ufgeaxav.exe"
      PID: 5004
      signatures: Windows security bypass; Modifies Installed Components in the registry; Sets file execution options in registry; Executes dropped EXE; Windows security modification; Modifies WinLogon; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ufgeaxav.exe
        command line: --k33p
        PID: 3304
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
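The WriteProcessMemory table mixes two different things. A parent writing into a child it has just created (116 into 5004, 5004 into 3304) is what CreateProcess does for every new process. ufgeaxav.exe writing into winlogon.exe (612) and Explorer.EXE (3432), neither of which it created, is the injection signal, and the SeDebugPrivilege it enabled beforehand is what lets it open a process it does not own. The added example below (this editor's code, not the sandbox's) reads the table lines, collapses repeats, and labels each source/target pair using the parent relationships read from the process tree; the parent-to-child bucket is lower priority rather than cleared, because process hollowing also looks like a parent writing into its own freshly created child.

```python
"""Separate process-creation writes from injection-style writes in the report's
"Suspicious use of WriteProcessMemory" table.

Added example, not sandbox output: the process table and event lines are
transcribed from the report (repeated lines collapsed), and the parent/child
heuristic is this example's own."""
import re
from collections import Counter

# Constructed from the report's process tree: pid -> (image name, parent pid),
# parent taken from the tree's nesting; top-level processes have no parent.
PROCESSES = {
    612: ('winlogon.exe', None),
    3432: ('Explorer.EXE', None),
    116: ('a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe', 3432),
    5004: ('ufgeaxav.exe', 116),
    3304: ('ufgeaxav.exe', 5004),
}

# Constructed sample of the table's lines (the report repeats the Explorer.EXE
# line 57 times and the 3304 line three times; two and one are kept here).
RAW_WRITES = """
PID 116 wrote to memory of 5004 116 a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe ufgeaxav.exe
PID 116 wrote to memory of 5004 116 a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe ufgeaxav.exe
PID 116 wrote to memory of 5004 116 a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe ufgeaxav.exe
PID 5004 wrote to memory of 3304 5004 ufgeaxav.exe ufgeaxav.exe
PID 5004 wrote to memory of 612 5004 ufgeaxav.exe winlogon.exe
PID 5004 wrote to memory of 3432 5004 ufgeaxav.exe Explorer.EXE
PID 5004 wrote to memory of 3432 5004 ufgeaxav.exe Explorer.EXE
""".strip().splitlines()

# source pid, target pid, source pid again, source image, target image
WRITE_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$')

EXPECTED = 'parent -> child (expected at process creation; hollowing also looks like this)'
INJECTION = 'into unrelated live process (injection candidate)'


def classify_writes(lines, processes):
    """Collapse the table into (source, target) pairs with counts and label each
    pair by whether the source is the target's parent."""
    counts, images = Counter(), {}
    for line in lines:
        m = WRITE_RE.match(line)
        if not m:
            raise ValueError(f'unrecognised line: {line!r}')
        src, dst = int(m.group(1)), int(m.group(2))
        counts[(src, dst)] += 1
        images[src], images[dst] = m.group(4), m.group(5)
    results = []
    for (src, dst), n in sorted(counts.items()):
        parent = processes.get(dst, (None, None))[1]
        results.append({
            'source': src, 'source_image': images[src],
            'target': dst, 'target_image': images[dst],
            'writes': n,
            'kind': EXPECTED if parent == src else INJECTION,
        })
    return results


def injection_targets(results):
    """Image names of processes that received writes from a non-parent."""
    return sorted({r['target_image'] for r in results if r['kind'] == INJECTION})


if __name__ == '__main__':
    rows = classify_writes(RAW_WRITES, PROCESSES)
    for r in rows:
        print(f"{r['source']} ({r['source_image']}) -> {r['target']} ({r['target_image']}): "
              f"{r['writes']} write(s), {r['kind']}")
    print('injection targets:', injection_targets(rows))
```

On real telemetry the parent map would come from process-creation events rather than a hand-copied tree, but the split is the same: writes into a process the writer did not spawn go to the top of the queue, and the dumps the sandbox took of 116, 5004 and 3304 (listed under Downloads) are where to look for what was written.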
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\SysWOW64\ignoamit-moot.exe
  Filesize: 74KB
  MD5: f6e9bc170b0e952ffa89fa51a3ca902a
  SHA1: 3053ce1c4e8bd51c1d7ffbc072de4b0d37e73360
  SHA256: beef5fdcf90adbf43e2d301ae9af090fda681f48d550fd2d21c06228d4e2d48e
  SHA512: 9b7ca03e5641b8711a345f05bedd7a4025eb0bdfc2e6f61761b8b97e599d8fd49c06d3d64d216fe9cb449c3b6e9484db5c2c2fd58b412427eea225b261494124
- C:\Windows\SysWOW64\kveatob-sac.dll
  Filesize: 5KB
  MD5: f37b21c00fd81bd93c89ce741a88f183
  SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
  SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
  SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
- C:\Windows\SysWOW64\ouxleheax.exe
  Filesize: 73KB
  MD5: 3f5294867bc9edb9a4f89f98b93ff392
  SHA1: 686fe0ac11c501e62d192abe61af33e110561f60
  SHA256: db789d35ad8c39c11baf5b8a286fd456d5457fd4ea92e0f44f6ef0d36c243c2a
  SHA512: c2ab2c06703841a30758236c1af5aa4d2294aa41dacd8e5fcd873e8fc936f2be86ec4d673741c0ce62c0fdd9c70c539b7dee6de535d9c031b9f598e6cc655c94
- C:\Windows\SysWOW64\ufgeaxav.exe (same hashes as the submitted sample: a byte-identical copy of itself)
  Filesize: 71KB
  MD5: a6db860f9edd23afc61f55ae9deeeb70
  SHA1: 9c038906baa79e744dea87ebf6ac0b293bdfd51e
  SHA256: b6f6e143126903005fe950b5752d7d04ea0796297552a714c7071c0e0cbc49db
  SHA512: 9a329e28eff13fa7304dd906724a48c113ed346a675c835f3d4028d583478090ea7ebe1c12343f03a6811d1c13342b094bfc29df86eee4f52f6d6fd03f3ab34b
- memory/116-6-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/3304-50-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/5004-49-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB