Malware Analysis Report

2025-01-06 10:18

Sample ID 240601-es96vaab35
Target 8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe
SHA256 fafac796d16c06ffbc08579f742616032606013fe667064a1abe047f66dc1c5a
Tags
evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

fafac796d16c06ffbc08579f742616032606013fe667064a1abe047f66dc1c5a

Threat Level: Known bad

The file 8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan

Windows security bypass

Modifies Installed Components in the registry

Sets file execution options in registry

Executes dropped EXE

Loads dropped DLL

Windows security modification

Modifies WinLogon

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:13

Reported

2024-06-01 04:16

Platform

win7-20240508-en

Max time kernel

149s

Max time network

125s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851} C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\IsInstalled = "1" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\StubPath = "C:\\Windows\\system32\\ihbucood-afac.exe" C:\Windows\SysWOW64\acricud-oudur.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\bdookex.exe" C:\Windows\SysWOW64\acricud-oudur.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\acricud-oudur.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\efneakos.dll" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\acricud-oudur.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\acricud-oudur.exe C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\bdookex.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A
File opened for modification C:\Windows\SysWOW64\efneakos.dll C:\Windows\SysWOW64\acricud-oudur.exe N/A
File created C:\Windows\SysWOW64\efneakos.dll C:\Windows\SysWOW64\acricud-oudur.exe N/A
File created C:\Windows\SysWOW64\acricud-oudur.exe C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\bdookex.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A
File opened for modification C:\Windows\SysWOW64\ihbucood-afac.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A
File created C:\Windows\SysWOW64\ihbucood-afac.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A
File opened for modification C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 2168 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 2168 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 2168 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 2392 wrote to memory of 432 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\system32\winlogon.exe
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 2752 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 2392 wrote to memory of 2752 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 2392 wrote to memory of 2752 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 2392 wrote to memory of 2752 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 2392 wrote to memory of 1196 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\acricud-oudur.exe

"C:\Windows\SysWOW64\acricud-oudur.exe"

C:\Windows\SysWOW64\acricud-oudur.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 vspuleucae.mp udp
US 8.8.8.8:53 vspuleucae.mp udp

Files

\Windows\SysWOW64\acricud-oudur.exe

MD5 c954637cd151ea474ab64cc75386a100
SHA1 79116d1417e7d32f8e3759e2e4aff914fcbd3c33
SHA256 e96dce715a09faf024b5572cfc73b4f2765b5e91b65f351a86049d08b29bf1f9
SHA512 c5e160cd063075b6d1d6427c07f1f5f28bf2231ccc08b33703d170b23a2b14ae02e9e64d050fff9d4e8b8ae95004ba2c06f9eb4f2af45bcf81b66c735c9201e3

memory/2168-7-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\efneakos.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\bdookex.exe

MD5 c324de55d5d0d71512dc828e89d18395
SHA1 859ec9ea9cdf702142536a62466ebd2687519ec0
SHA256 497e9f43cf72ae0d72569cdfc21cf86fa0cbf979a9d1a3f00142d13ef687aaa4
SHA512 0cded001482f086cab77ec751ca684dc9c00c0fda413a1dd06fa3abb5e752be59df0a6a49b65fd2c4cdc33139e3dcbe8d61769c011516eaf95eaab25c7a19b0d

C:\Windows\SysWOW64\ihbucood-afac.exe

MD5 9a55b45223f20ee965efd4b5d073b53d
SHA1 c56aae2da136a186891ab8e602f0aa96a8070ef8
SHA256 35fec3e962967e006ce3df8c65ce19d750a0af3a98a84c578f069a43d0ee9b2a
SHA512 733518a94d4ae4729232ced3354125b157859f8b493f0b08a3b482ac01a95afed25706c034d792b0620310d065492666c714b33ad875586b00a126bde23323d2

memory/2392-53-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2752-54-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:13

Reported

2024-06-01 04:15

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\StubPath = "C:\\Windows\\system32\\ihbucood-afac.exe" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453} C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4256524B-4950-5453-4256-524B49505453}\IsInstalled = "1" C:\Windows\SysWOW64\acricud-oudur.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\bdookex.exe" C:\Windows\SysWOW64\acricud-oudur.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" C:\Windows\SysWOW64\acricud-oudur.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\efneakos.dll" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\acricud-oudur.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\acricud-oudur.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\acricud-oudur.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\acricud-oudur.exe C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\efneakos.dll C:\Windows\SysWOW64\acricud-oudur.exe N/A
File created C:\Windows\SysWOW64\ihbucood-afac.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A
File opened for modification C:\Windows\SysWOW64\efneakos.dll C:\Windows\SysWOW64\acricud-oudur.exe N/A
File opened for modification C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A
File opened for modification C:\Windows\SysWOW64\acricud-oudur.exe C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\bdookex.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A
File created C:\Windows\SysWOW64\bdookex.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A
File opened for modification C:\Windows\SysWOW64\ihbucood-afac.exe C:\Windows\SysWOW64\acricud-oudur.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A
N/A N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\acricud-oudur.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1076 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 1076 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 1076 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 3940 wrote to memory of 616 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\system32\winlogon.exe
PID 3940 wrote to memory of 3432 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 3940 wrote to memory of 3432 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 3940 wrote to memory of 696 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 3940 wrote to memory of 696 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 3940 wrote to memory of 696 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\SysWOW64\acricud-oudur.exe
PID 3940 wrote to memory of 3432 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 3940 wrote to memory of 3432 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE
PID 3940 wrote to memory of 3432 N/A C:\Windows\SysWOW64\acricud-oudur.exe C:\Windows\Explorer.EXE

Processes

Process Command Line
C:\Windows\system32\winlogon.exe winlogon.exe
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\8d10819958b8446d170b4826f27b47c0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\acricud-oudur.exe "C:\Windows\SysWOW64\acricud-oudur.exe"
C:\Windows\SysWOW64\acricud-oudur.exe --k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 wqrkgtkakgzyv.cm udp
US 8.8.8.8:53 wqrkgtkakgzyv.cm udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Windows\SysWOW64\acricud-oudur.exe

MD5 c954637cd151ea474ab64cc75386a100
SHA1 79116d1417e7d32f8e3759e2e4aff914fcbd3c33
SHA256 e96dce715a09faf024b5572cfc73b4f2765b5e91b65f351a86049d08b29bf1f9
SHA512 c5e160cd063075b6d1d6427c07f1f5f28bf2231ccc08b33703d170b23a2b14ae02e9e64d050fff9d4e8b8ae95004ba2c06f9eb4f2af45bcf81b66c735c9201e3

memory/1076-3-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\efneakos.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\bdookex.exe

MD5 a21c77c0e95e99eb414f275eef46b625
SHA1 8e97aa49ea030713501e02f2aa9952d17224dc12
SHA256 9069ca69637eed398ad60499559e2d855960e39260a6dd8fe25926b1e4818017
SHA512 3fc0e7c58bc9544d1765c3b849e5f7d3ea249f6d26d38c78edac5fcb09c3834b411e32288c5b632bedfeb1257f6e96cc005d0397a112fe0400d001d1bafaa515

C:\Windows\SysWOW64\ihbucood-afac.exe

MD5 93ad4b6dadc97fd82518d943ac571e5e
SHA1 ba343196e5f628de08faa473ac77677fef61c036
SHA256 0d8f0e4884e00d59b3b6934b01132041e5614d8d865b63efd2c8a819743432a2
SHA512 5cd037a24c2cb98d38f5949d4de278ca450cbae5373590ed0abdecce00b4f619b7b580e5ab40ff62ced2a9b22515a0a7b7ef580ff75386eee3b998925db5ce46

memory/3940-47-0x0000000000400000-0x0000000000414000-memory.dmp

memory/696-48-0x0000000000400000-0x0000000000414000-memory.dmp