Analysis Overview
SHA256
9605838165e59d817758e2b1cddb447b2101b56e9263c64f0094da0dd7c5a658
Threat Level: Known bad
The file 8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 04:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 04:52
Reported
2024-06-01 04:55
Platform
win7-20240419-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\couexof.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\couexof.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\couexof = "C:\\Users\\Admin\\couexof.exe" | C:\Users\Admin\couexof.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\couexof.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe"
C:\Users\Admin\couexof.exe
"C:\Users\Admin\couexof.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ns1.thepicturehut.net | udp |
Files
memory/2320-0-0x0000000000400000-0x0000000000412000-memory.dmp
\Users\Admin\couexof.exe
| Hash | Value |
|---|---|
| MD5 | a1427e8a674e1e401babeb2158064860 |
| SHA1 | 236482ae7781f6c9e89a98c26b3b4d5c2af19ab4 |
| SHA256 | 263db79b07b47c64a2005dec7e83d7959a24f63a864e258abd1c257b9f8d85f3 |
| SHA512 | f8535e7ad3b47150084ae94ede37ee5d9c1eb7ded768f93f80163f7cfc985971e0771688b8c3d8874594c4476a04da35bdf67dddf181d51474e5bd8c0982f0bd |
memory/2320-8-0x0000000003830000-0x0000000003842000-memory.dmp
memory/2944-16-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2320-15-0x0000000003830000-0x0000000003842000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 04:52
Reported
2024-06-01 04:55
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\rhmul.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\rhmul.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhmul = "C:\\Users\\Admin\\rhmul.exe" | C:\Users\Admin\rhmul.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\rhmul.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe"
C:\Users\Admin\rhmul.exe
"C:\Users\Admin\rhmul.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns2.thepicturehut.net | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/4036-0-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\rhmul.exe
| Hash | Value |
|---|---|
| MD5 | 5c5c0bb7d89cdc63f3b9e3e477b1b523 |
| SHA1 | 6c207763601b592cc556a30de13530b83cd4a8cf |
| SHA256 | a55846f5aed07e207b9e8f2a3432e70911a35935e722df08d2c558fabab28b63 |
| SHA512 | 62df82187f2d73efcfbdf855413549c7eccc16416328ec4ca6a79f76dfeec35d9ddf0c94724d446898f7ec346a5cd28c764f073c1cf9d4b49d7e7ce4a04a3de6 |
memory/1768-34-0x0000000000400000-0x0000000000412000-memory.dmp