ae583673f063754f706c4f6b999b7050304b148052e24559d81482045ef9f054

General

Target

a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
Size

72KB
MD5

a50a4ffc13789c21f4ca3bb26ac772e0
SHA1

5f6594a2bb6a46bb95c6b701595925c271c7d4e5
SHA256

ae583673f063754f706c4f6b999b7050304b148052e24559d81482045ef9f054
SHA512

b5872eac86fc8e5b6593dcd3d0bd3e520d2cbfa4c173d32cc4300138fdf431daa4be77935a1b933e2d68b3b1325e6727ef22494b1e6f862bd46290b564d9281e
SSDEEP

1536:xjwJoosva/cbBJ8LneoOO6S5rWoaNTwwwwwwwwwvi:j//8LeoOoJaNWi

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

unvidoaf-eged.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	unvidoaf-eged.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

unvidoaf-eged.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643}\IsInstalled = "1"	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643}\StubPath = "C:\\Windows\\system32\\eapxoapoob.exe"	unvidoaf-eged.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643}	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	unvidoaf-eged.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

unvidoaf-eged.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\umhosoak.exe"	unvidoaf-eged.exe

Executes dropped EXE 2 IoCs

Processes:

unvidoaf-eged.exeunvidoaf-eged.exe

pid process

1260 unvidoaf-eged.exe
2220 unvidoaf-eged.exe
Loads dropped DLL 3 IoCs

Processes:

a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exeunvidoaf-eged.exe

pid process

1952 a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
1952 a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
1260 unvidoaf-eged.exe

pid	process
1952	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
1952	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
1260	unvidoaf-eged.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

unvidoaf-eged.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	unvidoaf-eged.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

unvidoaf-eged.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eaktuhoog-oxat.dll"	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	unvidoaf-eged.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	unvidoaf-eged.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	unvidoaf-eged.exe

Drops file in System32 directory 9 IoCs

Processes:

a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exeunvidoaf-eged.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\unvidoaf-eged.exe	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\unvidoaf-eged.exe	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\eapxoapoob.exe	unvidoaf-eged.exe
File created	C:\Windows\SysWOW64\eapxoapoob.exe	unvidoaf-eged.exe
File opened for modification	C:\Windows\SysWOW64\eaktuhoog-oxat.dll	unvidoaf-eged.exe
File created	C:\Windows\SysWOW64\eaktuhoog-oxat.dll	unvidoaf-eged.exe
File opened for modification	C:\Windows\SysWOW64\unvidoaf-eged.exe	unvidoaf-eged.exe
File opened for modification	C:\Windows\SysWOW64\umhosoak.exe	unvidoaf-eged.exe
File created	C:\Windows\SysWOW64\umhosoak.exe	unvidoaf-eged.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

unvidoaf-eged.exeunvidoaf-eged.exe

pid	process
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
2220	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe
1260	unvidoaf-eged.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

unvidoaf-eged.exe

description pid process

Token: SeDebugPrivilege 1260 unvidoaf-eged.exe

description	pid	process
Token: SeDebugPrivilege	1260	unvidoaf-eged.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exeunvidoaf-eged.exe

description	pid	process	target process
PID 1952 wrote to memory of 1260	1952	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe	unvidoaf-eged.exe
PID 1952 wrote to memory of 1260	1952	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe	unvidoaf-eged.exe
PID 1952 wrote to memory of 1260	1952	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe	unvidoaf-eged.exe
PID 1952 wrote to memory of 1260	1952	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe	unvidoaf-eged.exe
PID 1260 wrote to memory of 432	1260	unvidoaf-eged.exe	winlogon.exe
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 2220	1260	unvidoaf-eged.exe	unvidoaf-eged.exe
PID 1260 wrote to memory of 2220	1260	unvidoaf-eged.exe	unvidoaf-eged.exe
PID 1260 wrote to memory of 2220	1260	unvidoaf-eged.exe	unvidoaf-eged.exe
PID 1260 wrote to memory of 2220	1260	unvidoaf-eged.exe	unvidoaf-eged.exe
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE
PID 1260 wrote to memory of 1144	1260	unvidoaf-eged.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\unvidoaf-eged.exe
"C:\Windows\SysWOW64\unvidoaf-eged.exe"
3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\unvidoaf-eged.exe
--k33p
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eaktuhoog-oxat.dll
Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\eapxoapoob.exe
Filesize
72KB

MD5
70978568df247e35eb5d202589bda7d9

SHA1
a40a3ace58f2a8bade5804f650f9ced2c0677448

SHA256
657c1f0daad83872a0f7cb2318acd7c6d412a7ad6287091b18f6cf9d27b43f16

SHA512
bb7efbd36daca770a0420a1f80bea5a779ce4059ff65d659c5e6d06e15b60d785977c1a2f6db01ef7bacadedbcf8a46c82c182c7d41e61ee5ac735c05b2f82a5

Download Submit
C:\Windows\SysWOW64\umhosoak.exe
Filesize
73KB

MD5
fabf6b8abbcbba25ded999bf5e1401f9

SHA1
f6822d5f93c7a6fe9c82f8523dab480705129430

SHA256
07e771d7be7939d9f9c6f662e35f9d13ce3620ab1ec1c62f89d6c6a69eb1938f

SHA512
015f7eee5d757adb16f5bf081a856864b1800dd46fea20c37cb44eafe3c46f5b12bc7c77187e4c9519bbe0608d3a72a9eb266f5c47e7274efa033585e5e46f57

Download Submit
\Windows\SysWOW64\unvidoaf-eged.exe
Filesize
70KB

MD5
03c47d5477e082714c7fc0fd4d9423ff

SHA1
b1eae55cf2fd6fd454e41cd205d6ce2dff48e8e7

SHA256
f184dca5b963d5797b715f12d1a6ddaa37a58617673017e325dff6232e49804d

SHA512
5b934ee4063db116450c565b7ea1305fd1b50e7e0c2d2f885f01bb8d82a6d0b0f935fe9e61e889e5b3dabda099f3f2f073513659fddc224ec4853641ba312af2

Download Submit
memory/1260-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1952-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2220-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads