Malware Analysis Report

2025-01-06 11:57

Sample ID 240603-fg6jysca7t
Target 9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe
SHA256 c46d2dc8bde8747858d6f33190ee3f9fd824650087a9becdd81a6a7e0d0655c4
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c46d2dc8bde8747858d6f33190ee3f9fd824650087a9becdd81a6a7e0d0655c4

Threat Level: Known bad

The file 9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:51

Reported

2024-06-03 04:54

Platform

win7-20240220-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\leafeec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\leafeec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\leafeec = "C:\\Users\\Admin\\leafeec.exe" C:\Users\Admin\leafeec.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\leafeec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\leafeec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe C:\Users\Admin\leafeec.exe
PID 2540 wrote to memory of 2092 N/A C:\Users\Admin\leafeec.exe C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe"

C:\Users\Admin\leafeec.exe

"C:\Users\Admin\leafeec.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.thepicturehut.net udp

Files

memory/2092-0-0x0000000000400000-0x0000000000412000-memory.dmp

\Users\Admin\leafeec.exe

MD5 43e79e4c989facadfa8529d4087ff28c
SHA1 9cee5444a1096df4f62d7f043c0b29495ff7a85a
SHA256 e70fbdb3f7457c0e05f4e9bf55420da934c0a0f6ad364af0b8a4339de3e38160
SHA512 18ebdc5a6670c87836cba9f6175c5c28fdd4dca3862cde79a6990f6f065f8a7fb6a2bf8f2798d1414ccfec352cfa7c492333b76304a24d47fd94a6de9d14d32a

memory/2092-9-0x0000000003820000-0x0000000003832000-memory.dmp

memory/2540-16-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2092-15-0x0000000003820000-0x0000000003832000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:51

Reported

2024-06-03 04:54

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\xauim.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\xauim.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xauim = "C:\\Users\\Admin\\xauim.exe" C:\Users\Admin\xauim.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\xauim.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\xauim.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5080 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe C:\Users\Admin\xauim.exe
PID 3772 wrote to memory of 5080 N/A C:\Users\Admin\xauim.exe C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9c20bad0a5390ce7383b2d8281c2a830_NeikiAnalytics.exe"

C:\Users\Admin\xauim.exe

"C:\Users\Admin\xauim.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ns2.thepicturehut.net udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/5080-0-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\xauim.exe

MD5 6899e080ac797bfa45d1e9fc2c6d4b10
SHA1 ed2088f14f11f032801e8eb939bff1d5e4375792
SHA256 24dc2e12c192fc13209d283b7290d9b6d746dd2a3922e9dc5b967937bea6421c
SHA512 bac5a538e9d85e703417cf71b7d7b9d5bdeeb8834c6a86e19425a6d9f1a660e9ab69c682355422d555f928b461415e3feff3f3dbc582e98e5ae9d7a3d4d49dc3

memory/3772-34-0x0000000000400000-0x0000000000412000-memory.dmp