Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/05/2024, 22:36
Static task: static1
Behavioral task: behavioral1
Sample: 2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe
Size: 260KB
MD5: 2c14a3a6536396c74da88adc5a0b5510
SHA1: 3e1ed76d1c87e82be436bd0d7937f10f736f26f8
SHA256: 209f663bf3a0860ca4bc2b5e6b565053f8e0235405cfa8f365aced9cdad656fa
SHA512: c1eb3b2d71bbdceaff2327a6aef50ecde07548cf1d5c8c334f268d9139c4023f86ef2cf086229f34117401315e263d1d83aa214fbf7be456d03d9fa5d0788086
SSDEEP: 3072:ogfAlNg/vh25n/kZoSUjMqXnpWAkpAmTSrMaIOYt/jo7LAtPhjjtZnfHFEoWBfGs:odVgTSrMaIl/jcLijfHFEHWzXvjT85R
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | xaedo.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | 2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs
pid | Process
4824 | xaedo.exe
Adds Run key to start application 2 TTPs 51 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /<switch>" | xaedo.exe
All 51 entries write the same Run key and the same executable path; they differ only in the trailing switch, which across the run was each of: /T /s /a /k /p /R /m /K /C /H /Y /F /S /r /v /y /M /q /V /X /G /L /O /f /A /z /t /x /h /o /w /i /c /l /b /g /W /U /B /j /d /J /n /u /E /P /D /e /Q /N /Z
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4824 | xaedo.exe (64 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3808 | 2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe
4824 | xaedo.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 3808 wrote to memory of 4824 | 3808 | 2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | 86
PID 3808 wrote to memory of 4824 | 3808 | 2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | 86
PID 3808 wrote to memory of 4824 | 3808 | 2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe"
   PID: 3808
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\xaedo.exe (child of 1)
   Command line: "C:\Users\Admin\xaedo.exe"
   PID: 4824
   - Modifies visibility of hidden/system files in Explorer
   - Executes dropped EXE
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 260KB
MD5: f30de60cbc3cb2e3bf14ef21d706a9e7
SHA1: 076ed9140186efdd090324160b33ddd4681ed86c
SHA256: 95df23ffb5933ab10a1a00963839a9e58e3880d711b206eb107bc1395e3127b5
SHA512: 345a19c8ead86ebc319e397326f7208f8ab320c7cffceb118d89f5d57224438bc261e716cc34185d5694d58cfb67109297f4bd1c1ce627588adf34d9d173f646