Analysis Overview
SHA256
209f663bf3a0860ca4bc2b5e6b565053f8e0235405cfa8f365aced9cdad656fa
Threat Level: Known bad
The file 2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-25 22:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 22:36
Reported
2024-05-25 22:39
Platform
win7-20240508-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\voefool.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\voefool.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /z" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /M" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /J" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /i" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /x" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /K" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /B" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /Z" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /a" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /L" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /C" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /n" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /k" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /Y" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /r" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /U" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /F" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /m" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /l" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /t" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /G" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /w" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /H" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /j" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /u" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /b" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /Q" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /h" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /N" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /f" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /o" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /V" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /v" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /A" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /c" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /d" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /y" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /O" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /T" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /R" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /W" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /p" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /g" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /e" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /P" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /S" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /E" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /X" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /I" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /s" | C:\Users\Admin\voefool.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\voefool = "C:\\Users\\Admin\\voefool.exe /q" | C:\Users\Admin\voefool.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\voefool.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2248 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | C:\Users\Admin\voefool.exe |
| PID 2248 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | C:\Users\Admin\voefool.exe |
| PID 2248 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | C:\Users\Admin\voefool.exe |
| PID 2248 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | C:\Users\Admin\voefool.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe"
C:\Users\Admin\voefool.exe
"C:\Users\Admin\voefool.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ns1.player1532.com | udp |
| US | 107.178.223.183:8001 | ns1.player1532.com | tcp |
Files
C:\Users\Admin\voefool.exe
| MD5 | 13cf3193440ffa48a54cb97fcf4fda22 |
| SHA1 | fdc072aa2422c762e11c2f1a900d8950b0cd6713 |
| SHA256 | 2dc6c7ede1c605b6cd2ce485a8ca526058dd9f24f1c8099958862af67f7ce1c6 |
| SHA512 | 006d25569d623bc49084b5033d59c4f44e6e8f4ed60934c9d710e67f30690afe7edddcf1f8eb28e43c5123de096fe510f6c8ee2a39cc51733940e45fee5d313b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 22:36
Reported
2024-05-25 22:39
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\xaedo.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\xaedo.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /T" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /s" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /a" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /k" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /p" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /R" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /m" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /K" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /C" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /H" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /Y" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /F" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /S" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /r" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /v" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /y" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /M" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /q" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /V" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /X" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /G" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /L" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /O" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /f" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /A" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /z" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /t" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /x" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /h" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /o" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /w" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /i" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /c" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /l" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /b" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /g" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /W" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /U" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /B" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /j" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /d" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /J" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /n" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /u" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /E" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /P" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /D" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /e" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /Q" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /N" | C:\Users\Admin\xaedo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaedo = "C:\\Users\\Admin\\xaedo.exe /Z" | C:\Users\Admin\xaedo.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\xaedo.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3808 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | C:\Users\Admin\xaedo.exe |
| PID 3808 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | C:\Users\Admin\xaedo.exe |
| PID 3808 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe | C:\Users\Admin\xaedo.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2c14a3a6536396c74da88adc5a0b5510_NeikiAnalytics.exe"
C:\Users\Admin\xaedo.exe
"C:\Users\Admin\xaedo.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.player1532.com | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\xaedo.exe
| MD5 | f30de60cbc3cb2e3bf14ef21d706a9e7 |
| SHA1 | 076ed9140186efdd090324160b33ddd4681ed86c |
| SHA256 | 95df23ffb5933ab10a1a00963839a9e58e3880d711b206eb107bc1395e3127b5 |
| SHA512 | 345a19c8ead86ebc319e397326f7208f8ab320c7cffceb118d89f5d57224438bc261e716cc34185d5694d58cfb67109297f4bd1c1ce627588adf34d9d173f646 |