ae583673f063754f706c4f6b999b7050304b148052e24559d81482045ef9f054

General

Target

a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
Size

72KB
MD5

a50a4ffc13789c21f4ca3bb26ac772e0
SHA1

5f6594a2bb6a46bb95c6b701595925c271c7d4e5
SHA256

ae583673f063754f706c4f6b999b7050304b148052e24559d81482045ef9f054
SHA512

b5872eac86fc8e5b6593dcd3d0bd3e520d2cbfa4c173d32cc4300138fdf431daa4be77935a1b933e2d68b3b1325e6727ef22494b1e6f862bd46290b564d9281e
SSDEEP

1536:xjwJoosva/cbBJ8LneoOO6S5rWoaNTwwwwwwwwwvi:j//8LeoOoJaNWi

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

unvidoaf-eged.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	unvidoaf-eged.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

unvidoaf-eged.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\IsInstalled = "1"	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5350444F-4846-4d41-5350-444F48464d41}\StubPath = "C:\\Windows\\system32\\eapxoapoob.exe"	unvidoaf-eged.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

unvidoaf-eged.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\umhosoak.exe"	unvidoaf-eged.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	unvidoaf-eged.exe

Executes dropped EXE 2 IoCs

Processes:

unvidoaf-eged.exeunvidoaf-eged.exe

pid process

1892 unvidoaf-eged.exe
2876 unvidoaf-eged.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

unvidoaf-eged.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	unvidoaf-eged.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	unvidoaf-eged.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

unvidoaf-eged.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	unvidoaf-eged.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eaktuhoog-oxat.dll"	unvidoaf-eged.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	unvidoaf-eged.exe

Drops file in System32 directory 9 IoCs

Processes:

a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exeunvidoaf-eged.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\unvidoaf-eged.exe	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\umhosoak.exe	unvidoaf-eged.exe
File opened for modification	C:\Windows\SysWOW64\eaktuhoog-oxat.dll	unvidoaf-eged.exe
File created	C:\Windows\SysWOW64\unvidoaf-eged.exe	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\umhosoak.exe	unvidoaf-eged.exe
File opened for modification	C:\Windows\SysWOW64\eapxoapoob.exe	unvidoaf-eged.exe
File created	C:\Windows\SysWOW64\eapxoapoob.exe	unvidoaf-eged.exe
File created	C:\Windows\SysWOW64\eaktuhoog-oxat.dll	unvidoaf-eged.exe
File opened for modification	C:\Windows\SysWOW64\unvidoaf-eged.exe	unvidoaf-eged.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

unvidoaf-eged.exeunvidoaf-eged.exe

pid	process
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
2876	unvidoaf-eged.exe
2876	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe
1892	unvidoaf-eged.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

unvidoaf-eged.exe

description pid process

Token: SeDebugPrivilege 1892 unvidoaf-eged.exe

description	pid	process
Token: SeDebugPrivilege	1892	unvidoaf-eged.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exeunvidoaf-eged.exe

description	pid	process	target process
PID 2960 wrote to memory of 1892	2960	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe	unvidoaf-eged.exe
PID 2960 wrote to memory of 1892	2960	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe	unvidoaf-eged.exe
PID 2960 wrote to memory of 1892	2960	a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe	unvidoaf-eged.exe
PID 1892 wrote to memory of 616	1892	unvidoaf-eged.exe	winlogon.exe
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 2876	1892	unvidoaf-eged.exe	unvidoaf-eged.exe
PID 1892 wrote to memory of 2876	1892	unvidoaf-eged.exe	unvidoaf-eged.exe
PID 1892 wrote to memory of 2876	1892	unvidoaf-eged.exe	unvidoaf-eged.exe
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE
PID 1892 wrote to memory of 3488	1892	unvidoaf-eged.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\a50a4ffc13789c21f4ca3bb26ac772e0_NeikiAnalytics.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\unvidoaf-eged.exe
    "C:\Windows\SysWOW64\unvidoaf-eged.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\SysWOW64\unvidoaf-eged.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eaktuhoog-oxat.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\eapxoapoob.exe

Filesize
72KB

MD5
7182e27f1918ae7f83c5aff5870d9f77

SHA1
4f9c365a48f6bed2024ee8a16a32108488b7e37a

SHA256
9d318f56d12003801cc07742726ae3762fb12d401e627031f1097849cad9a0c4

SHA512
c80d8ca69bdf11e577a96549bea0b68058bbb55dffd07fb1d74d4e83ad4ef6fdd4a3e6ae520a2753af80825e6895c67aef90da2dd1d1286cc23ff15e7647dd39

Download Submit
C:\Windows\SysWOW64\umhosoak.exe

Filesize
73KB

MD5
1aee99c82a3c0f55e0e47e2b926a2eff

SHA1
bb3b3c0f83e8c20fcd4c452678cd2b4db24f325d

SHA256
5da09a9e614626d06a98922075dd4a9b685edaeb4879ffe03fdb4d221c363e43

SHA512
0642777eba111529775bb72ce4f83daae24378982ade4a27e11d35d1baee7f14892ba516eab6977504a1ba96ecab6becf0f23df3977a116742635be97dce8496

Download Submit
C:\Windows\SysWOW64\unvidoaf-eged.exe

Filesize
70KB

MD5
03c47d5477e082714c7fc0fd4d9423ff

SHA1
b1eae55cf2fd6fd454e41cd205d6ce2dff48e8e7

SHA256
f184dca5b963d5797b715f12d1a6ddaa37a58617673017e325dff6232e49804d

SHA512
5b934ee4063db116450c565b7ea1305fd1b50e7e0c2d2f885f01bb8d82a6d0b0f935fe9e61e889e5b3dabda099f3f2f073513659fddc224ec4853641ba312af2

Download Submit
memory/1892-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2876-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2960-4-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads