9d002ac6f886a2058a66893e154ac4760de30122c6d0c7b662c5f96c12fdf09e

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a38cefaae47acb9871741c1de0b15bb0_NeikiAnalytics.exe
Size

72KB
MD5

a38cefaae47acb9871741c1de0b15bb0
SHA1

0de6242169c131bd3c81669ce8de09a3a5c794ca
SHA256

9d002ac6f886a2058a66893e154ac4760de30122c6d0c7b662c5f96c12fdf09e
SHA512

a25f10f5ba7dd0cd1b168271699e8d2a7e4c1c91709010a945dcd694146347b24b3825dbfac049835012071f3bb792229a7c47105fe693b13338b2733481a72c
SSDEEP

1536:xr9S940hfcXdb8hnrBNf7IdWBeKzKLUHun+zmIGA/cK:W940hNVBIdWBjUDAt

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	egpooteas-isooc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	egpooteas-isooc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	egpooteas-isooc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	egpooteas-isooc.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}	egpooteas-isooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	egpooteas-isooc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\IsInstalled = "1"	egpooteas-isooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\StubPath = "C:\\Windows\\system32\\ulmagooh.exe"	egpooteas-isooc.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	egpooteas-isooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	egpooteas-isooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\rtivoas-opoab.exe"	egpooteas-isooc.exe

Executes dropped EXE 2 IoCs

pid	Process
2380	egpooteas-isooc.exe
2480	egpooteas-isooc.exe

Loads dropped DLL 3 IoCs

pid	Process
2180	a38cefaae47acb9871741c1de0b15bb0_NeikiAnalytics.exe
2180	a38cefaae47acb9871741c1de0b15bb0_NeikiAnalytics.exe
2380	egpooteas-isooc.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	egpooteas-isooc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	egpooteas-isooc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	egpooteas-isooc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	egpooteas-isooc.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	egpooteas-isooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	egpooteas-isooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	egpooteas-isooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ouknutoap.dll"	egpooteas-isooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	egpooteas-isooc.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ouknutoap.dll	egpooteas-isooc.exe
File opened for modification	C:\Windows\SysWOW64\rtivoas-opoab.exe	egpooteas-isooc.exe
File created	C:\Windows\SysWOW64\rtivoas-opoab.exe	egpooteas-isooc.exe
File opened for modification	C:\Windows\SysWOW64\ulmagooh.exe	egpooteas-isooc.exe
File created	C:\Windows\SysWOW64\ouknutoap.dll	egpooteas-isooc.exe
File opened for modification	C:\Windows\SysWOW64\egpooteas-isooc.exe	egpooteas-isooc.exe
File opened for modification	C:\Windows\SysWOW64\egpooteas-isooc.exe	a38cefaae47acb9871741c1de0b15bb0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\egpooteas-isooc.exe	a38cefaae47acb9871741c1de0b15bb0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\ulmagooh.exe	egpooteas-isooc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2480	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe
2380	egpooteas-isooc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	egpooteas-isooc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2380	2180	a38cefaae47acb9871741c1de0b15bb0_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 2380	2180	a38cefaae47acb9871741c1de0b15bb0_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 2380	2180	a38cefaae47acb9871741c1de0b15bb0_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 2380	2180	a38cefaae47acb9871741c1de0b15bb0_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 432	2380	egpooteas-isooc.exe	5
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 2480	2380	egpooteas-isooc.exe	29
PID 2380 wrote to memory of 2480	2380	egpooteas-isooc.exe	29
PID 2380 wrote to memory of 2480	2380	egpooteas-isooc.exe	29
PID 2380 wrote to memory of 2480	2380	egpooteas-isooc.exe	29
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21
PID 2380 wrote to memory of 1188	2380	egpooteas-isooc.exe	21

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\a38cefaae47acb9871741c1de0b15bb0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\a38cefaae47acb9871741c1de0b15bb0_NeikiAnalytics.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\egpooteas-isooc.exe
    "C:\Windows\SysWOW64\egpooteas-isooc.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\egpooteas-isooc.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ouknutoap.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\rtivoas-opoab.exe

Filesize
73KB

MD5
5217a8ced87536d725c49b55a6323ae5

SHA1
8707d1ff92d6c5311971b5080fa5623a12b3341d

SHA256
b339664a9f777def8c0abfdd0f21d1d638fe5cf281c488cf3b645e508f48f5e3

SHA512
0f98dc4108e50796854add435fcf6754c54dea5c38d7b33b3d9e8d13da41b103564b63571d08dbfa130e0bb263c36524653be05738dbea57453fc7617238c3d7

Download Submit
C:\Windows\SysWOW64\ulmagooh.exe

Filesize
72KB

MD5
fc5e7a0b32ea1205f10dc0b5ae5a3abe

SHA1
dd8df66a31e7da550328114126319081fb66753e

SHA256
d1fbd0f66997ae94adde10eef75a5cea5d2817574f162e756fcd722417fdfd8b

SHA512
8131d81a08cb78b7baf2e80d1cc598d7630f88629edca0ee4bc621b5a5b586f4aa41720810210b80a5c41ddc0476223931ebcc24bc8d673f44118aeca0aeab52

Download Submit
\Windows\SysWOW64\egpooteas-isooc.exe

Filesize
70KB

MD5
0864e6ec249dbba8e1e3fedd468e4b25

SHA1
0e9dc9706299397e1b655f526733d8b22bcd2051

SHA256
5c0208aff67d437c89cd7a31e44719332de312cb74c752030d1cf89be8282c6b

SHA512
43185026a07b0e5ef484c2969e045deada493037ae9bad713c2bc33c749f1b63d72ac93121d997338c6d61d0c85303f65f0ee7c1cd90397233f03821addec641

Download Submit
memory/2180-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2380-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2480-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download