b6f6e143126903005fe950b5752d7d04ea0796297552a714c7071c0e0cbc49db

General

Target

a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
Size

71KB
MD5

a6db860f9edd23afc61f55ae9deeeb70
SHA1

9c038906baa79e744dea87ebf6ac0b293bdfd51e
SHA256

b6f6e143126903005fe950b5752d7d04ea0796297552a714c7071c0e0cbc49db
SHA512

9a329e28eff13fa7304dd906724a48c113ed346a675c835f3d4028d583478090ea7ebe1c12343f03a6811d1c13342b094bfc29df86eee4f52f6d6fd03f3ab34b
SSDEEP

1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8sle:Olg35GTslA5t3/w8j

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ufgeaxav.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ufgeaxav.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ufgeaxav.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ufgeaxav.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ufgeaxav.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ufgeaxav.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59434C45-5854-414c-5943-4C455854414c}\StubPath = "C:\\Windows\\system32\\ouxleheax.exe"	ufgeaxav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59434C45-5854-414c-5943-4C455854414c}	ufgeaxav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59434C45-5854-414c-5943-4C455854414c}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	ufgeaxav.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59434C45-5854-414c-5943-4C455854414c}\IsInstalled = "1"	ufgeaxav.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ufgeaxav.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ignoamit-moot.exe"	ufgeaxav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	ufgeaxav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	ufgeaxav.exe

Executes dropped EXE 2 IoCs

Processes:

ufgeaxav.exeufgeaxav.exe

pid process

5004 ufgeaxav.exe
3304 ufgeaxav.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ufgeaxav.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	ufgeaxav.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	ufgeaxav.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	ufgeaxav.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	ufgeaxav.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ufgeaxav.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	ufgeaxav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	ufgeaxav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	ufgeaxav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\kveatob-sac.dll"	ufgeaxav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	ufgeaxav.exe

Drops file in System32 directory 9 IoCs

Processes:

a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exeufgeaxav.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ufgeaxav.exe	a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\ignoamit-moot.exe	ufgeaxav.exe
File opened for modification	C:\Windows\SysWOW64\ouxleheax.exe	ufgeaxav.exe
File created	C:\Windows\SysWOW64\kveatob-sac.dll	ufgeaxav.exe
File opened for modification	C:\Windows\SysWOW64\ufgeaxav.exe	ufgeaxav.exe
File created	C:\Windows\SysWOW64\ufgeaxav.exe	a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ignoamit-moot.exe	ufgeaxav.exe
File created	C:\Windows\SysWOW64\ouxleheax.exe	ufgeaxav.exe
File opened for modification	C:\Windows\SysWOW64\kveatob-sac.dll	ufgeaxav.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ufgeaxav.exeufgeaxav.exe

pid	process
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
3304	ufgeaxav.exe
3304	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe
5004	ufgeaxav.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exeufgeaxav.exe

description pid process

Token: SeDebugPrivilege 116 a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
Token: SeDebugPrivilege 5004 ufgeaxav.exe

description	pid	process
Token: SeDebugPrivilege	116	a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
Token: SeDebugPrivilege	5004	ufgeaxav.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exeufgeaxav.exe

description	pid	process	target process
PID 116 wrote to memory of 5004	116	a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe	ufgeaxav.exe
PID 116 wrote to memory of 5004	116	a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe	ufgeaxav.exe
PID 116 wrote to memory of 5004	116	a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe	ufgeaxav.exe
PID 5004 wrote to memory of 3304	5004	ufgeaxav.exe	ufgeaxav.exe
PID 5004 wrote to memory of 3304	5004	ufgeaxav.exe	ufgeaxav.exe
PID 5004 wrote to memory of 3304	5004	ufgeaxav.exe	ufgeaxav.exe
PID 5004 wrote to memory of 612	5004	ufgeaxav.exe	winlogon.exe
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE
PID 5004 wrote to memory of 3432	5004	ufgeaxav.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a6db860f9edd23afc61f55ae9deeeb70_NeikiAnalytics.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\SysWOW64\ufgeaxav.exe
"C:\Windows\system32\ufgeaxav.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\ufgeaxav.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ignoamit-moot.exe
Filesize
74KB

MD5
f6e9bc170b0e952ffa89fa51a3ca902a

SHA1
3053ce1c4e8bd51c1d7ffbc072de4b0d37e73360

SHA256
beef5fdcf90adbf43e2d301ae9af090fda681f48d550fd2d21c06228d4e2d48e

SHA512
9b7ca03e5641b8711a345f05bedd7a4025eb0bdfc2e6f61761b8b97e599d8fd49c06d3d64d216fe9cb449c3b6e9484db5c2c2fd58b412427eea225b261494124

Download Submit
C:\Windows\SysWOW64\kveatob-sac.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\ouxleheax.exe
Filesize
73KB

MD5
3f5294867bc9edb9a4f89f98b93ff392

SHA1
686fe0ac11c501e62d192abe61af33e110561f60

SHA256
db789d35ad8c39c11baf5b8a286fd456d5457fd4ea92e0f44f6ef0d36c243c2a

SHA512
c2ab2c06703841a30758236c1af5aa4d2294aa41dacd8e5fcd873e8fc936f2be86ec4d673741c0ce62c0fdd9c70c539b7dee6de535d9c031b9f598e6cc655c94

Download Submit
C:\Windows\SysWOW64\ufgeaxav.exe
Filesize
71KB

MD5
a6db860f9edd23afc61f55ae9deeeb70

SHA1
9c038906baa79e744dea87ebf6ac0b293bdfd51e

SHA256
b6f6e143126903005fe950b5752d7d04ea0796297552a714c7071c0e0cbc49db

SHA512
9a329e28eff13fa7304dd906724a48c113ed346a675c835f3d4028d583478090ea7ebe1c12343f03a6811d1c13342b094bfc29df86eee4f52f6d6fd03f3ab34b

Download Submit
memory/116-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3304-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5004-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads