0065d318653ea294969e07cfa1d7130612aa70c82449593a4d0ff4f6b633f422

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17da6381c71e3a4a81334b9cba1d4750_NeikiAnalytics.exe
Size

73KB
MD5

17da6381c71e3a4a81334b9cba1d4750
SHA1

a7f38c99d284e6afe8a3ebc41bbe80bf4f9a8c9f
SHA256

0065d318653ea294969e07cfa1d7130612aa70c82449593a4d0ff4f6b633f422
SHA512

1a8c02d87d6ba55c6b87886c1ee22659b546c485e859903948d5823a809d49bee56c0c2c6f582be7bd2e61a0bcd27874237d705a63a9159ce85d72ff68be297a
SSDEEP

768:x/nh3pSzouGbBcDZBCtfefzXDDDvFKEWSrVkr93k977l89NSQZ7Rze:xZ3pSzMzwXXD9KErrGnvNe

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	etneagug.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	etneagug.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	etneagug.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	etneagug.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594C51-574a-434e-4759-4C51574A434e}	etneagug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594C51-574a-434e-4759-4C51574A434e}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	etneagug.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594C51-574a-434e-4759-4C51574A434e}\IsInstalled = "1"	etneagug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47594C51-574a-434e-4759-4C51574A434e}\StubPath = "C:\\Windows\\system32\\utmoacif.exe"	etneagug.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	etneagug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	etneagug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\udnoavup-ucur.exe"	etneagug.exe

Executes dropped EXE 2 IoCs

pid	Process
2908	etneagug.exe
3140	etneagug.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	etneagug.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	etneagug.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	etneagug.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	etneagug.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	etneagug.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	etneagug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	etneagug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\emlooxuc.dll"	etneagug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	etneagug.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\udnoavup-ucur.exe	etneagug.exe
File opened for modification	C:\Windows\SysWOW64\emlooxuc.dll	etneagug.exe
File opened for modification	C:\Windows\SysWOW64\etneagug.exe	etneagug.exe
File opened for modification	C:\Windows\SysWOW64\utmoacif.exe	etneagug.exe
File created	C:\Windows\SysWOW64\utmoacif.exe	etneagug.exe
File created	C:\Windows\SysWOW64\emlooxuc.dll	etneagug.exe
File opened for modification	C:\Windows\SysWOW64\etneagug.exe	17da6381c71e3a4a81334b9cba1d4750_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\etneagug.exe	17da6381c71e3a4a81334b9cba1d4750_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\udnoavup-ucur.exe	etneagug.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
3140	etneagug.exe
3140	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe
2908	etneagug.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	etneagug.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2908	1844	17da6381c71e3a4a81334b9cba1d4750_NeikiAnalytics.exe	92
PID 1844 wrote to memory of 2908	1844	17da6381c71e3a4a81334b9cba1d4750_NeikiAnalytics.exe	92
PID 1844 wrote to memory of 2908	1844	17da6381c71e3a4a81334b9cba1d4750_NeikiAnalytics.exe	92
PID 2908 wrote to memory of 608	2908	etneagug.exe	5
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3140	2908	etneagug.exe	93
PID 2908 wrote to memory of 3140	2908	etneagug.exe	93
PID 2908 wrote to memory of 3140	2908	etneagug.exe	93
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56
PID 2908 wrote to memory of 3436	2908	etneagug.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\17da6381c71e3a4a81334b9cba1d4750_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\17da6381c71e3a4a81334b9cba1d4750_NeikiAnalytics.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\etneagug.exe
    "C:\Windows\SysWOW64\etneagug.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\etneagug.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3684,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\emlooxuc.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\etneagug.exe

Filesize
71KB

MD5
f583a486a38bf3ccfd68238e47ffdcd1

SHA1
9e7b638af5648afd04e5788129ded003dd14891d

SHA256
e5f01b24f8f3594dd7fd46ac1335ecfe2fce9478ac918f337fd2d266021c16cc

SHA512
4978ab2e7153c2424dd775e85dc0c16dfdfc4adf2fa9aeda1b86ab7c16b94171638a5d1b56a31257fcdd6db2b6265e2fa303cfae585a8709c0938e9ad6108dd0

Download Submit
C:\Windows\SysWOW64\udnoavup-ucur.exe

Filesize
74KB

MD5
2c0eb4f617fee071de69552cc134ec8a

SHA1
c7abd38577376f66243d775f6141318acc259dcb

SHA256
ec689aa7b5b270a9668159961bcec32004616e8f5cec229e5219913b59a1bf94

SHA512
f21aa2548dc8c05e548ed12a249e97e288cf64cd53421b3e50debf5b773810486b2c8f99f6880962e3ed59a991dce7296e95f18aff4c45c4d815900b0c361b90

Download Submit
C:\Windows\SysWOW64\utmoacif.exe

Filesize
73KB

MD5
7a83cc60030a57a2e117fe70a1a143de

SHA1
00d74837975c3fb19cfbe1557d306d75270da7d5

SHA256
a36e4858bea8d510aeb1b7bbde7632a28772381ec4fd6f3b5d7f13b364e1ee69

SHA512
786d6831a8ab99b82b6c04785701b6c56f29d37be2b748a2b633d9de84222c537d9abe4d61fe700e5d57e31d2d95e372652a1393685aff67a3307097b1ad7598

Download Submit
memory/1844-3-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2908-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3140-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download