Malware Analysis Report

2024-10-10 12:45

Sample ID 240613-17kemawelj
Target 8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe
SHA256 dd32a6a31c72d15f336ba83dcc04e8704eb60b70f1a0d3487895d2802106bb34
Tags
upx persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

dd32a6a31c72d15f336ba83dcc04e8704eb60b70f1a0d3487895d2802106bb34

Threat Level: Shows suspicious behavior

The file 8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe was classified as showing suspicious behavior (score 7/10). In the behavioral1 run it acts as an unsigned, UPX-packed dropper: it writes a five-character executable into C:\Windows\SysWOW64, launches it with the argument killauto~~<parent filename>, and each stage repeats the step, giving a chain of 48 dropped executables after the original; each dropped file listed under Files has a different hash. The last stage observed, x7778.exe, sets a value under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run whose data is the bare name "x7778.exe" and writes ShellBag (BagMRU/Bags) entries for the Windows and system32 folders. The command lines below say C:\Windows\system32 while the process paths say SysWOW64 because the stages are 32-bit processes subject to WOW64 file system redirection. No network activity was recorded.

Malicious Activity Summary

upx persistence

Loads dropped DLL

Checks computer location settings

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:17

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:17

Reported

2024-06-13 22:19

Platform

win7-20231129-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\25xa9.exe N/A
N/A N/A C:\Windows\SysWOW64\c6c80.exe N/A
N/A N/A C:\Windows\SysWOW64\9ad35.exe N/A
N/A N/A C:\Windows\SysWOW64\a1c69.exe N/A
N/A N/A C:\Windows\SysWOW64\1b0a1.exe N/A
N/A N/A C:\Windows\SysWOW64\e8944.exe N/A
N/A N/A C:\Windows\SysWOW64\54bc0.exe N/A
N/A N/A C:\Windows\SysWOW64\eac73.exe N/A
N/A N/A C:\Windows\SysWOW64\47exx.exe N/A
N/A N/A C:\Windows\SysWOW64\0262b.exe N/A
N/A N/A C:\Windows\SysWOW64\773ec.exe N/A
N/A N/A C:\Windows\SysWOW64\ead56.exe N/A
N/A N/A C:\Windows\SysWOW64\280c4.exe N/A
N/A N/A C:\Windows\SysWOW64\4c569.exe N/A
N/A N/A C:\Windows\SysWOW64\a223b.exe N/A
N/A N/A C:\Windows\SysWOW64\31243.exe N/A
N/A N/A C:\Windows\SysWOW64\96e14.exe N/A
N/A N/A C:\Windows\SysWOW64\ba659.exe N/A
N/A N/A C:\Windows\SysWOW64\99343.exe N/A
N/A N/A C:\Windows\SysWOW64\82a62.exe N/A
N/A N/A C:\Windows\SysWOW64\debee.exe N/A
N/A N/A C:\Windows\SysWOW64\bbxd2.exe N/A
N/A N/A C:\Windows\SysWOW64\32ca3.exe N/A
N/A N/A C:\Windows\SysWOW64\e6e14.exe N/A
N/A N/A C:\Windows\SysWOW64\c5bxd.exe N/A
N/A N/A C:\Windows\SysWOW64\a57e4.exe N/A
N/A N/A C:\Windows\SysWOW64\ec5a6.exe N/A
N/A N/A C:\Windows\SysWOW64\d297d.exe N/A
N/A N/A C:\Windows\SysWOW64\e88a1.exe N/A
N/A N/A C:\Windows\SysWOW64\53bx9.exe N/A
N/A N/A C:\Windows\SysWOW64\519a2.exe N/A
N/A N/A C:\Windows\SysWOW64\c6673.exe N/A
N/A N/A C:\Windows\SysWOW64\4c4e4.exe N/A
N/A N/A C:\Windows\SysWOW64\c9992.exe N/A
N/A N/A C:\Windows\SysWOW64\c664a.exe N/A
N/A N/A C:\Windows\SysWOW64\9a99x.exe N/A
N/A N/A C:\Windows\SysWOW64\98748.exe N/A
N/A N/A C:\Windows\SysWOW64\49270.exe N/A
N/A N/A C:\Windows\SysWOW64\4b693.exe N/A
N/A N/A C:\Windows\SysWOW64\d3686.exe N/A
N/A N/A C:\Windows\SysWOW64\c68e9.exe N/A
N/A N/A C:\Windows\SysWOW64\be1c8.exe N/A
N/A N/A C:\Windows\SysWOW64\34e99.exe N/A
N/A N/A C:\Windows\SysWOW64\c737e.exe N/A
N/A N/A C:\Windows\SysWOW64\57a75.exe N/A
N/A N/A C:\Windows\SysWOW64\2582a.exe N/A
N/A N/A C:\Windows\SysWOW64\28a8e.exe N/A
N/A N/A C:\Windows\SysWOW64\x7778.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\25xa9.exe N/A
N/A N/A C:\Windows\SysWOW64\25xa9.exe N/A
N/A N/A C:\Windows\SysWOW64\c6c80.exe N/A
N/A N/A C:\Windows\SysWOW64\c6c80.exe N/A
N/A N/A C:\Windows\SysWOW64\9ad35.exe N/A
N/A N/A C:\Windows\SysWOW64\9ad35.exe N/A
N/A N/A C:\Windows\SysWOW64\a1c69.exe N/A
N/A N/A C:\Windows\SysWOW64\a1c69.exe N/A
N/A N/A C:\Windows\SysWOW64\1b0a1.exe N/A
N/A N/A C:\Windows\SysWOW64\1b0a1.exe N/A
N/A N/A C:\Windows\SysWOW64\e8944.exe N/A
N/A N/A C:\Windows\SysWOW64\e8944.exe N/A
N/A N/A C:\Windows\SysWOW64\54bc0.exe N/A
N/A N/A C:\Windows\SysWOW64\54bc0.exe N/A
N/A N/A C:\Windows\SysWOW64\eac73.exe N/A
N/A N/A C:\Windows\SysWOW64\eac73.exe N/A
N/A N/A C:\Windows\SysWOW64\47exx.exe N/A
N/A N/A C:\Windows\SysWOW64\47exx.exe N/A
N/A N/A C:\Windows\SysWOW64\0262b.exe N/A
N/A N/A C:\Windows\SysWOW64\0262b.exe N/A
N/A N/A C:\Windows\SysWOW64\773ec.exe N/A
N/A N/A C:\Windows\SysWOW64\773ec.exe N/A
N/A N/A C:\Windows\SysWOW64\ead56.exe N/A
N/A N/A C:\Windows\SysWOW64\ead56.exe N/A
N/A N/A C:\Windows\SysWOW64\280c4.exe N/A
N/A N/A C:\Windows\SysWOW64\280c4.exe N/A
N/A N/A C:\Windows\SysWOW64\4c569.exe N/A
N/A N/A C:\Windows\SysWOW64\4c569.exe N/A
N/A N/A C:\Windows\SysWOW64\a223b.exe N/A
N/A N/A C:\Windows\SysWOW64\a223b.exe N/A
N/A N/A C:\Windows\SysWOW64\31243.exe N/A
N/A N/A C:\Windows\SysWOW64\31243.exe N/A
N/A N/A C:\Windows\SysWOW64\96e14.exe N/A
N/A N/A C:\Windows\SysWOW64\96e14.exe N/A
N/A N/A C:\Windows\SysWOW64\ba659.exe N/A
N/A N/A C:\Windows\SysWOW64\ba659.exe N/A
N/A N/A C:\Windows\SysWOW64\99343.exe N/A
N/A N/A C:\Windows\SysWOW64\99343.exe N/A
N/A N/A C:\Windows\SysWOW64\82a62.exe N/A
N/A N/A C:\Windows\SysWOW64\82a62.exe N/A
N/A N/A C:\Windows\SysWOW64\debee.exe N/A
N/A N/A C:\Windows\SysWOW64\debee.exe N/A
N/A N/A C:\Windows\SysWOW64\bbxd2.exe N/A
N/A N/A C:\Windows\SysWOW64\bbxd2.exe N/A
N/A N/A C:\Windows\SysWOW64\32ca3.exe N/A
N/A N/A C:\Windows\SysWOW64\32ca3.exe N/A
N/A N/A C:\Windows\SysWOW64\e6e14.exe N/A
N/A N/A C:\Windows\SysWOW64\e6e14.exe N/A
N/A N/A C:\Windows\SysWOW64\c5bxd.exe N/A
N/A N/A C:\Windows\SysWOW64\c5bxd.exe N/A
N/A N/A C:\Windows\SysWOW64\a57e4.exe N/A
N/A N/A C:\Windows\SysWOW64\a57e4.exe N/A
N/A N/A C:\Windows\SysWOW64\ec5a6.exe N/A
N/A N/A C:\Windows\SysWOW64\ec5a6.exe N/A
N/A N/A C:\Windows\SysWOW64\d297d.exe N/A
N/A N/A C:\Windows\SysWOW64\d297d.exe N/A
N/A N/A C:\Windows\SysWOW64\e88a1.exe N/A
N/A N/A C:\Windows\SysWOW64\e88a1.exe N/A
N/A N/A C:\Windows\SysWOW64\53bx9.exe N/A
N/A N/A C:\Windows\SysWOW64\53bx9.exe N/A
N/A N/A C:\Windows\SysWOW64\519a2.exe N/A
N/A N/A C:\Windows\SysWOW64\519a2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(58 identical rows in the original table; the sandbox reports no description, indicator, process or target for this signature)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "x7778.exe" C:\Windows\SysWOW64\x7778.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\25xa9.exe C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\a1c69.exe C:\Windows\SysWOW64\9ad35.exe N/A
File created C:\Windows\SysWOW64\2582a.exe C:\Windows\SysWOW64\57a75.exe N/A
File opened for modification C:\Windows\SysWOW64\0262b.exe C:\Windows\SysWOW64\47exx.exe N/A
File created C:\Windows\SysWOW64\32ca3.exe C:\Windows\SysWOW64\bbxd2.exe N/A
File created C:\Windows\SysWOW64\debee.exe C:\Windows\SysWOW64\82a62.exe N/A
File created C:\Windows\SysWOW64\bbxd2.exe C:\Windows\SysWOW64\debee.exe N/A
File opened for modification C:\Windows\SysWOW64\32ca3.exe C:\Windows\SysWOW64\bbxd2.exe N/A
File created C:\Windows\SysWOW64\a1c69.exe C:\Windows\SysWOW64\9ad35.exe N/A
File created C:\Windows\SysWOW64\31243.exe C:\Windows\SysWOW64\a223b.exe N/A
File opened for modification C:\Windows\SysWOW64\4c4e4.exe C:\Windows\SysWOW64\c6673.exe N/A
File created C:\Windows\SysWOW64\x7778.exe C:\Windows\SysWOW64\28a8e.exe N/A
File opened for modification C:\Windows\SysWOW64\4c569.exe C:\Windows\SysWOW64\280c4.exe N/A
File created C:\Windows\SysWOW64\a223b.exe C:\Windows\SysWOW64\4c569.exe N/A
File created C:\Windows\SysWOW64\1b0a1.exe C:\Windows\SysWOW64\a1c69.exe N/A
File created C:\Windows\SysWOW64\0262b.exe C:\Windows\SysWOW64\47exx.exe N/A
File opened for modification C:\Windows\SysWOW64\be1c8.exe C:\Windows\SysWOW64\c68e9.exe N/A
File opened for modification C:\Windows\SysWOW64\e88a1.exe C:\Windows\SysWOW64\d297d.exe N/A
File opened for modification C:\Windows\SysWOW64\a57e4.exe C:\Windows\SysWOW64\c5bxd.exe N/A
File created C:\Windows\SysWOW64\e88a1.exe C:\Windows\SysWOW64\d297d.exe N/A
File created C:\Windows\SysWOW64\519a2.exe C:\Windows\SysWOW64\53bx9.exe N/A
File opened for modification C:\Windows\SysWOW64\c9992.exe C:\Windows\SysWOW64\4c4e4.exe N/A
File created C:\Windows\SysWOW64\98748.exe C:\Windows\SysWOW64\9a99x.exe N/A
File created C:\Windows\SysWOW64\99343.exe C:\Windows\SysWOW64\ba659.exe N/A
File opened for modification C:\Windows\SysWOW64\53bx9.exe C:\Windows\SysWOW64\e88a1.exe N/A
File created C:\Windows\SysWOW64\49270.exe C:\Windows\SysWOW64\98748.exe N/A
File opened for modification C:\Windows\SysWOW64\c5bxd.exe C:\Windows\SysWOW64\e6e14.exe N/A
File created C:\Windows\SysWOW64\53bx9.exe C:\Windows\SysWOW64\e88a1.exe N/A
File created C:\Windows\SysWOW64\4b693.exe C:\Windows\SysWOW64\49270.exe N/A
File created C:\Windows\SysWOW64\e6e14.exe C:\Windows\SysWOW64\32ca3.exe N/A
File opened for modification C:\Windows\SysWOW64\e6e14.exe C:\Windows\SysWOW64\32ca3.exe N/A
File opened for modification C:\Windows\SysWOW64\2582a.exe C:\Windows\SysWOW64\57a75.exe N/A
File created C:\Windows\SysWOW64\96e14.exe C:\Windows\SysWOW64\31243.exe N/A
File created C:\Windows\SysWOW64\c6673.exe C:\Windows\SysWOW64\519a2.exe N/A
File created C:\Windows\SysWOW64\47exx.exe C:\Windows\SysWOW64\eac73.exe N/A
File created C:\Windows\SysWOW64\c9992.exe C:\Windows\SysWOW64\4c4e4.exe N/A
File created C:\Windows\SysWOW64\57a75.exe C:\Windows\SysWOW64\c737e.exe N/A
File created C:\Windows\SysWOW64\34e99.exe C:\Windows\SysWOW64\be1c8.exe N/A
File opened for modification C:\Windows\SysWOW64\82a62.exe C:\Windows\SysWOW64\99343.exe N/A
File created C:\Windows\SysWOW64\c5bxd.exe C:\Windows\SysWOW64\e6e14.exe N/A
File created C:\Windows\SysWOW64\9a99x.exe C:\Windows\SysWOW64\c664a.exe N/A
File opened for modification C:\Windows\SysWOW64\bbxd2.exe C:\Windows\SysWOW64\debee.exe N/A
File created C:\Windows\SysWOW64\ead56.exe C:\Windows\SysWOW64\773ec.exe N/A
File opened for modification C:\Windows\SysWOW64\a223b.exe C:\Windows\SysWOW64\4c569.exe N/A
File created C:\Windows\SysWOW64\ba659.exe C:\Windows\SysWOW64\96e14.exe N/A
File created C:\Windows\SysWOW64\ec5a6.exe C:\Windows\SysWOW64\a57e4.exe N/A
File opened for modification C:\Windows\SysWOW64\ec5a6.exe C:\Windows\SysWOW64\a57e4.exe N/A
File opened for modification C:\Windows\SysWOW64\34e99.exe C:\Windows\SysWOW64\be1c8.exe N/A
File created C:\Windows\SysWOW64\82a62.exe C:\Windows\SysWOW64\99343.exe N/A
File opened for modification C:\Windows\SysWOW64\54bc0.exe C:\Windows\SysWOW64\e8944.exe N/A
File created C:\Windows\SysWOW64\eac73.exe C:\Windows\SysWOW64\54bc0.exe N/A
File opened for modification C:\Windows\SysWOW64\ead56.exe C:\Windows\SysWOW64\773ec.exe N/A
File created C:\Windows\SysWOW64\d297d.exe C:\Windows\SysWOW64\ec5a6.exe N/A
File opened for modification C:\Windows\SysWOW64\4b693.exe C:\Windows\SysWOW64\49270.exe N/A
File created C:\Windows\SysWOW64\c737e.exe C:\Windows\SysWOW64\34e99.exe N/A
File opened for modification C:\Windows\SysWOW64\99343.exe C:\Windows\SysWOW64\ba659.exe N/A
File opened for modification C:\Windows\SysWOW64\28a8e.exe C:\Windows\SysWOW64\2582a.exe N/A
File opened for modification C:\Windows\SysWOW64\47exx.exe C:\Windows\SysWOW64\eac73.exe N/A
File opened for modification C:\Windows\SysWOW64\280c4.exe C:\Windows\SysWOW64\ead56.exe N/A
File opened for modification C:\Windows\SysWOW64\9a99x.exe C:\Windows\SysWOW64\c664a.exe N/A
File opened for modification C:\Windows\SysWOW64\c737e.exe C:\Windows\SysWOW64\34e99.exe N/A
File opened for modification C:\Windows\SysWOW64\57a75.exe C:\Windows\SysWOW64\c737e.exe N/A
File opened for modification C:\Windows\SysWOW64\9ad35.exe C:\Windows\SysWOW64\c6c80.exe N/A
File created C:\Windows\SysWOW64\280c4.exe C:\Windows\SysWOW64\ead56.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\SysWOW64\x7778.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\SysWOW64\x7778.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 560031000000000000000000170073797374656d333200003e0008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000730079007300740065006d0033003200000018000000 C:\Windows\SysWOW64\x7778.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff C:\Windows\SysWOW64\x7778.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "2" C:\Windows\SysWOW64\x7778.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = ffffffff C:\Windows\SysWOW64\x7778.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings C:\Windows\SysWOW64\x7778.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\SysWOW64\x7778.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\SysWOW64\x7778.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 C:\Windows\SysWOW64\x7778.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff C:\Windows\SysWOW64\x7778.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\SysWOW64\x7778.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 520031000000000000000000100057696e646f7773003c0008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000570069006e0064006f0077007300000016000000 C:\Windows\SysWOW64\x7778.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\SysWOW64\x7778.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Windows\SysWOW64\x7778.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\SysWOW64\x7778.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\SysWOW64\x7778.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Windows\SysWOW64\x7778.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\SysWOW64\x7778.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 C:\Windows\SysWOW64\x7778.exe N/A
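Added example, not part of the sandbox report: the BagMRU values above are ShellBag entries, and their hex data are Windows shell items of the "file entry" class. The Python below was written for this page (it is neither the sandbox's nor the sample's code) and decodes the two values copied from the table: the ASCII short name at a fixed offset, the attribute flags, the FAT modification time (unset here) and the UTF-16 long name inside the 0xbeef0004 extension block, whose version-8 layout is the Windows 7 one. Key names are shortened to the part after ...\Windows\Shell\; the field offsets follow the publicly documented shell item format.

```python
import struct
from datetime import datetime

# Two BagMRU values copied verbatim from the report's "Modifies registry class" table
# (key names shortened to the part after ...\Windows\Shell\).
SAMPLE_BAGMRU = {
    r"BagMRU\0\0\1": "520031000000000000000000100057696e646f7773003c0008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000570069006e0064006f0077007300000016000000",
    r"BagMRU\0\0\1\0": "560031000000000000000000170073797374656d333200003e0008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000730079007300740065006d0033003200000018000000",
}

FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def fat_datetime(value):
    # Shell items store a DOS/FAT timestamp as a 16-bit date followed by a 16-bit
    # time, so in the little-endian uint32 the date is the low word. 0 means unset.
    if value == 0:
        return None
    d, t = value & 0xFFFF, value >> 16
    try:
        return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                        t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    except ValueError:
        return None


def _beef0004_long_name(ext):
    # 0xbeef0004 layout: size, version, signature, creation and access FAT times,
    # a 16-bit identifier, then version-dependent fields before the UTF-16 long name.
    version = struct.unpack_from("<H", ext, 2)[0]
    if version < 3:
        return None
    off = 18
    if version >= 7:
        off += 2 + 8 + 8          # unknown, NTFS file reference, unknown
    off += 2                      # long string size
    if version >= 9:
        off += 4
    if version >= 8:
        off += 4
    end = off
    while end + 1 < len(ext) and ext[end:end + 2] != b"\x00\x00":
        end += 2
    return ext[off:end].decode("utf-16-le")


def parse_file_entry_item(data):
    size, class_type = struct.unpack_from("<HB", data, 0)
    if class_type & 0x70 != 0x30:      # 0x30-0x3F: file entry (file or directory)
        raise ValueError(f"not a file entry shell item: class type 0x{class_type:02x}")
    file_size, mtime, attrs = struct.unpack_from("<IIH", data, 4)
    end = data.index(b"\x00", 14)      # primary name: ASCII, NUL-terminated, from offset 14
    short_name = data[14:end].decode("ascii")
    pos = end + 1
    pos += pos % 2                     # primary name is padded to a 16-bit boundary
    long_name = None
    while pos + 8 <= size:
        ext_size, _version, signature = struct.unpack_from("<HHI", data, pos)
        if ext_size < 8:
            break
        if signature == 0xBEEF0004:
            long_name = _beef0004_long_name(data[pos:pos + ext_size])
        pos += ext_size
    return {"size": size, "file_size": file_size, "modified": fat_datetime(mtime),
            "is_directory": bool(attrs & 0x10),
            "attributes": [n for bit, n in sorted(FILE_ATTRIBUTES.items()) if attrs & bit],
            "short_name": short_name, "long_name": long_name or short_name}


def reconstruct_path(bagmru):
    # Join the names along one BagMRU chain, shallowest key first. Ancestors missing
    # from the input (the drive and root items are not on this page) are skipped,
    # so the result is relative to the first key present.
    parts = [parse_file_entry_item(bytes.fromhex(bagmru[k]))["long_name"]
             for k in sorted(bagmru, key=lambda k: k.count("\\"))]
    return "\\".join(parts)


if __name__ == "__main__":
    for key, hexdata in SAMPLE_BAGMRU.items():
        print(key, parse_file_entry_item(bytes.fromhex(hexdata)))
    print(reconstruct_path(SAMPLE_BAGMRU))
```

The two values decode to "Windows" and "system32", so NodeSlot 2 (the Bags\2 key above) recorded a folder view of Windows\system32. ShellBag keys are normally written by the shell's folder-view code on behalf of the process hosting it, which is worth keeping in mind before reading these rows as deliberate registry tampering.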

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\SysWOW64\25xa9.exe N/A
N/A N/A C:\Windows\SysWOW64\c6c80.exe N/A
N/A N/A C:\Windows\SysWOW64\9ad35.exe N/A
N/A N/A C:\Windows\SysWOW64\a1c69.exe N/A
N/A N/A C:\Windows\SysWOW64\1b0a1.exe N/A
N/A N/A C:\Windows\SysWOW64\e8944.exe N/A
N/A N/A C:\Windows\SysWOW64\54bc0.exe N/A
N/A N/A C:\Windows\SysWOW64\eac73.exe N/A
N/A N/A C:\Windows\SysWOW64\47exx.exe N/A
N/A N/A C:\Windows\SysWOW64\0262b.exe N/A
N/A N/A C:\Windows\SysWOW64\773ec.exe N/A
N/A N/A C:\Windows\SysWOW64\ead56.exe N/A
N/A N/A C:\Windows\SysWOW64\280c4.exe N/A
N/A N/A C:\Windows\SysWOW64\4c569.exe N/A
N/A N/A C:\Windows\SysWOW64\a223b.exe N/A
N/A N/A C:\Windows\SysWOW64\31243.exe N/A
N/A N/A C:\Windows\SysWOW64\96e14.exe N/A
N/A N/A C:\Windows\SysWOW64\ba659.exe N/A
N/A N/A C:\Windows\SysWOW64\99343.exe N/A
N/A N/A C:\Windows\SysWOW64\82a62.exe N/A
N/A N/A C:\Windows\SysWOW64\debee.exe N/A
N/A N/A C:\Windows\SysWOW64\bbxd2.exe N/A
N/A N/A C:\Windows\SysWOW64\32ca3.exe N/A
N/A N/A C:\Windows\SysWOW64\e6e14.exe N/A
N/A N/A C:\Windows\SysWOW64\c5bxd.exe N/A
N/A N/A C:\Windows\SysWOW64\a57e4.exe N/A
N/A N/A C:\Windows\SysWOW64\ec5a6.exe N/A
N/A N/A C:\Windows\SysWOW64\d297d.exe N/A
N/A N/A C:\Windows\SysWOW64\e88a1.exe N/A
N/A N/A C:\Windows\SysWOW64\53bx9.exe N/A
N/A N/A C:\Windows\SysWOW64\519a2.exe N/A
N/A N/A C:\Windows\SysWOW64\c6673.exe N/A
N/A N/A C:\Windows\SysWOW64\4c4e4.exe N/A
N/A N/A C:\Windows\SysWOW64\c9992.exe N/A
N/A N/A C:\Windows\SysWOW64\c664a.exe N/A
N/A N/A C:\Windows\SysWOW64\9a99x.exe N/A
N/A N/A C:\Windows\SysWOW64\98748.exe N/A
N/A N/A C:\Windows\SysWOW64\49270.exe N/A
N/A N/A C:\Windows\SysWOW64\4b693.exe N/A
N/A N/A C:\Windows\SysWOW64\d3686.exe N/A
N/A N/A C:\Windows\SysWOW64\c68e9.exe N/A
N/A N/A C:\Windows\SysWOW64\be1c8.exe N/A
N/A N/A C:\Windows\SysWOW64\34e99.exe N/A
N/A N/A C:\Windows\SysWOW64\c737e.exe N/A
N/A N/A C:\Windows\SysWOW64\57a75.exe N/A
N/A N/A C:\Windows\SysWOW64\2582a.exe N/A
N/A N/A C:\Windows\SysWOW64\28a8e.exe N/A
N/A N/A C:\Windows\SysWOW64\x7778.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe C:\Windows\SysWOW64\25xa9.exe
PID 1720 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe C:\Windows\SysWOW64\25xa9.exe
PID 1720 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe C:\Windows\SysWOW64\25xa9.exe
PID 1720 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe C:\Windows\SysWOW64\25xa9.exe
PID 3068 wrote to memory of 2724 N/A C:\Windows\SysWOW64\25xa9.exe C:\Windows\SysWOW64\c6c80.exe
PID 3068 wrote to memory of 2724 N/A C:\Windows\SysWOW64\25xa9.exe C:\Windows\SysWOW64\c6c80.exe
PID 3068 wrote to memory of 2724 N/A C:\Windows\SysWOW64\25xa9.exe C:\Windows\SysWOW64\c6c80.exe
PID 3068 wrote to memory of 2724 N/A C:\Windows\SysWOW64\25xa9.exe C:\Windows\SysWOW64\c6c80.exe
PID 2724 wrote to memory of 2180 N/A C:\Windows\SysWOW64\c6c80.exe C:\Windows\SysWOW64\9ad35.exe
PID 2724 wrote to memory of 2180 N/A C:\Windows\SysWOW64\c6c80.exe C:\Windows\SysWOW64\9ad35.exe
PID 2724 wrote to memory of 2180 N/A C:\Windows\SysWOW64\c6c80.exe C:\Windows\SysWOW64\9ad35.exe
PID 2724 wrote to memory of 2180 N/A C:\Windows\SysWOW64\c6c80.exe C:\Windows\SysWOW64\9ad35.exe
PID 2180 wrote to memory of 2700 N/A C:\Windows\SysWOW64\9ad35.exe C:\Windows\SysWOW64\a1c69.exe
PID 2180 wrote to memory of 2700 N/A C:\Windows\SysWOW64\9ad35.exe C:\Windows\SysWOW64\a1c69.exe
PID 2180 wrote to memory of 2700 N/A C:\Windows\SysWOW64\9ad35.exe C:\Windows\SysWOW64\a1c69.exe
PID 2180 wrote to memory of 2700 N/A C:\Windows\SysWOW64\9ad35.exe C:\Windows\SysWOW64\a1c69.exe
PID 2700 wrote to memory of 2432 N/A C:\Windows\SysWOW64\a1c69.exe C:\Windows\SysWOW64\1b0a1.exe
PID 2700 wrote to memory of 2432 N/A C:\Windows\SysWOW64\a1c69.exe C:\Windows\SysWOW64\1b0a1.exe
PID 2700 wrote to memory of 2432 N/A C:\Windows\SysWOW64\a1c69.exe C:\Windows\SysWOW64\1b0a1.exe
PID 2700 wrote to memory of 2432 N/A C:\Windows\SysWOW64\a1c69.exe C:\Windows\SysWOW64\1b0a1.exe
PID 2432 wrote to memory of 944 N/A C:\Windows\SysWOW64\1b0a1.exe C:\Windows\SysWOW64\e8944.exe
PID 2432 wrote to memory of 944 N/A C:\Windows\SysWOW64\1b0a1.exe C:\Windows\SysWOW64\e8944.exe
PID 2432 wrote to memory of 944 N/A C:\Windows\SysWOW64\1b0a1.exe C:\Windows\SysWOW64\e8944.exe
PID 2432 wrote to memory of 944 N/A C:\Windows\SysWOW64\1b0a1.exe C:\Windows\SysWOW64\e8944.exe
PID 944 wrote to memory of 2308 N/A C:\Windows\SysWOW64\e8944.exe C:\Windows\SysWOW64\54bc0.exe
PID 944 wrote to memory of 2308 N/A C:\Windows\SysWOW64\e8944.exe C:\Windows\SysWOW64\54bc0.exe
PID 944 wrote to memory of 2308 N/A C:\Windows\SysWOW64\e8944.exe C:\Windows\SysWOW64\54bc0.exe
PID 944 wrote to memory of 2308 N/A C:\Windows\SysWOW64\e8944.exe C:\Windows\SysWOW64\54bc0.exe
PID 2308 wrote to memory of 1344 N/A C:\Windows\SysWOW64\54bc0.exe C:\Windows\SysWOW64\eac73.exe
PID 2308 wrote to memory of 1344 N/A C:\Windows\SysWOW64\54bc0.exe C:\Windows\SysWOW64\eac73.exe
PID 2308 wrote to memory of 1344 N/A C:\Windows\SysWOW64\54bc0.exe C:\Windows\SysWOW64\eac73.exe
PID 2308 wrote to memory of 1344 N/A C:\Windows\SysWOW64\54bc0.exe C:\Windows\SysWOW64\eac73.exe
PID 1344 wrote to memory of 2000 N/A C:\Windows\SysWOW64\eac73.exe C:\Windows\SysWOW64\47exx.exe
PID 1344 wrote to memory of 2000 N/A C:\Windows\SysWOW64\eac73.exe C:\Windows\SysWOW64\47exx.exe
PID 1344 wrote to memory of 2000 N/A C:\Windows\SysWOW64\eac73.exe C:\Windows\SysWOW64\47exx.exe
PID 1344 wrote to memory of 2000 N/A C:\Windows\SysWOW64\eac73.exe C:\Windows\SysWOW64\47exx.exe
PID 2000 wrote to memory of 1524 N/A C:\Windows\SysWOW64\47exx.exe C:\Windows\SysWOW64\0262b.exe
PID 2000 wrote to memory of 1524 N/A C:\Windows\SysWOW64\47exx.exe C:\Windows\SysWOW64\0262b.exe
PID 2000 wrote to memory of 1524 N/A C:\Windows\SysWOW64\47exx.exe C:\Windows\SysWOW64\0262b.exe
PID 2000 wrote to memory of 1524 N/A C:\Windows\SysWOW64\47exx.exe C:\Windows\SysWOW64\0262b.exe
PID 1524 wrote to memory of 1908 N/A C:\Windows\SysWOW64\0262b.exe C:\Windows\SysWOW64\773ec.exe
PID 1524 wrote to memory of 1908 N/A C:\Windows\SysWOW64\0262b.exe C:\Windows\SysWOW64\773ec.exe
PID 1524 wrote to memory of 1908 N/A C:\Windows\SysWOW64\0262b.exe C:\Windows\SysWOW64\773ec.exe
PID 1524 wrote to memory of 1908 N/A C:\Windows\SysWOW64\0262b.exe C:\Windows\SysWOW64\773ec.exe
PID 1908 wrote to memory of 2928 N/A C:\Windows\SysWOW64\773ec.exe C:\Windows\SysWOW64\ead56.exe
PID 1908 wrote to memory of 2928 N/A C:\Windows\SysWOW64\773ec.exe C:\Windows\SysWOW64\ead56.exe
PID 1908 wrote to memory of 2928 N/A C:\Windows\SysWOW64\773ec.exe C:\Windows\SysWOW64\ead56.exe
PID 1908 wrote to memory of 2928 N/A C:\Windows\SysWOW64\773ec.exe C:\Windows\SysWOW64\ead56.exe
PID 2928 wrote to memory of 2412 N/A C:\Windows\SysWOW64\ead56.exe C:\Windows\SysWOW64\280c4.exe
PID 2928 wrote to memory of 2412 N/A C:\Windows\SysWOW64\ead56.exe C:\Windows\SysWOW64\280c4.exe
PID 2928 wrote to memory of 2412 N/A C:\Windows\SysWOW64\ead56.exe C:\Windows\SysWOW64\280c4.exe
PID 2928 wrote to memory of 2412 N/A C:\Windows\SysWOW64\ead56.exe C:\Windows\SysWOW64\280c4.exe
PID 2412 wrote to memory of 2944 N/A C:\Windows\SysWOW64\280c4.exe C:\Windows\SysWOW64\4c569.exe
PID 2412 wrote to memory of 2944 N/A C:\Windows\SysWOW64\280c4.exe C:\Windows\SysWOW64\4c569.exe
PID 2412 wrote to memory of 2944 N/A C:\Windows\SysWOW64\280c4.exe C:\Windows\SysWOW64\4c569.exe
PID 2412 wrote to memory of 2944 N/A C:\Windows\SysWOW64\280c4.exe C:\Windows\SysWOW64\4c569.exe
PID 2944 wrote to memory of 2572 N/A C:\Windows\SysWOW64\4c569.exe C:\Windows\SysWOW64\a223b.exe
PID 2944 wrote to memory of 2572 N/A C:\Windows\SysWOW64\4c569.exe C:\Windows\SysWOW64\a223b.exe
PID 2944 wrote to memory of 2572 N/A C:\Windows\SysWOW64\4c569.exe C:\Windows\SysWOW64\a223b.exe
PID 2944 wrote to memory of 2572 N/A C:\Windows\SysWOW64\4c569.exe C:\Windows\SysWOW64\a223b.exe
PID 2572 wrote to memory of 3048 N/A C:\Windows\SysWOW64\a223b.exe C:\Windows\SysWOW64\31243.exe
PID 2572 wrote to memory of 3048 N/A C:\Windows\SysWOW64\a223b.exe C:\Windows\SysWOW64\31243.exe
PID 2572 wrote to memory of 3048 N/A C:\Windows\SysWOW64\a223b.exe C:\Windows\SysWOW64\31243.exe
PID 2572 wrote to memory of 3048 N/A C:\Windows\SysWOW64\a223b.exe C:\Windows\SysWOW64\31243.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe"

C:\Windows\SysWOW64\25xa9.exe

"C:\Windows\system32\25xa9.exe" killauto~~8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe

C:\Windows\SysWOW64\c6c80.exe

"C:\Windows\system32\c6c80.exe" killauto~~25xa9.exe

C:\Windows\SysWOW64\9ad35.exe

"C:\Windows\system32\9ad35.exe" killauto~~c6c80.exe

C:\Windows\SysWOW64\a1c69.exe

"C:\Windows\system32\a1c69.exe" killauto~~9ad35.exe

C:\Windows\SysWOW64\1b0a1.exe

"C:\Windows\system32\1b0a1.exe" killauto~~a1c69.exe

C:\Windows\SysWOW64\e8944.exe

"C:\Windows\system32\e8944.exe" killauto~~1b0a1.exe

C:\Windows\SysWOW64\54bc0.exe

"C:\Windows\system32\54bc0.exe" killauto~~e8944.exe

C:\Windows\SysWOW64\eac73.exe

"C:\Windows\system32\eac73.exe" killauto~~54bc0.exe

C:\Windows\SysWOW64\47exx.exe

"C:\Windows\system32\47exx.exe" killauto~~eac73.exe

C:\Windows\SysWOW64\0262b.exe

"C:\Windows\system32\0262b.exe" killauto~~47exx.exe

C:\Windows\SysWOW64\773ec.exe

"C:\Windows\system32\773ec.exe" killauto~~0262b.exe

C:\Windows\SysWOW64\ead56.exe

"C:\Windows\system32\ead56.exe" killauto~~773ec.exe

C:\Windows\SysWOW64\280c4.exe

"C:\Windows\system32\280c4.exe" killauto~~ead56.exe

C:\Windows\SysWOW64\4c569.exe

"C:\Windows\system32\4c569.exe" killauto~~280c4.exe

C:\Windows\SysWOW64\a223b.exe

"C:\Windows\system32\a223b.exe" killauto~~4c569.exe

C:\Windows\SysWOW64\31243.exe

"C:\Windows\system32\31243.exe" killauto~~a223b.exe

C:\Windows\SysWOW64\96e14.exe

"C:\Windows\system32\96e14.exe" killauto~~31243.exe

C:\Windows\SysWOW64\ba659.exe

"C:\Windows\system32\ba659.exe" killauto~~96e14.exe

C:\Windows\SysWOW64\99343.exe

"C:\Windows\system32\99343.exe" killauto~~ba659.exe

C:\Windows\SysWOW64\82a62.exe

"C:\Windows\system32\82a62.exe" killauto~~99343.exe

C:\Windows\SysWOW64\debee.exe

"C:\Windows\system32\debee.exe" killauto~~82a62.exe

C:\Windows\SysWOW64\bbxd2.exe

"C:\Windows\system32\bbxd2.exe" killauto~~debee.exe

C:\Windows\SysWOW64\32ca3.exe

"C:\Windows\system32\32ca3.exe" killauto~~bbxd2.exe

C:\Windows\SysWOW64\e6e14.exe

"C:\Windows\system32\e6e14.exe" killauto~~32ca3.exe

C:\Windows\SysWOW64\c5bxd.exe

"C:\Windows\system32\c5bxd.exe" killauto~~e6e14.exe

C:\Windows\SysWOW64\a57e4.exe

"C:\Windows\system32\a57e4.exe" killauto~~c5bxd.exe

C:\Windows\SysWOW64\ec5a6.exe

"C:\Windows\system32\ec5a6.exe" killauto~~a57e4.exe

C:\Windows\SysWOW64\d297d.exe

"C:\Windows\system32\d297d.exe" killauto~~ec5a6.exe

C:\Windows\SysWOW64\e88a1.exe

"C:\Windows\system32\e88a1.exe" killauto~~d297d.exe

C:\Windows\SysWOW64\53bx9.exe

"C:\Windows\system32\53bx9.exe" killauto~~e88a1.exe

C:\Windows\SysWOW64\519a2.exe

"C:\Windows\system32\519a2.exe" killauto~~53bx9.exe

C:\Windows\SysWOW64\c6673.exe

"C:\Windows\system32\c6673.exe" killauto~~519a2.exe

C:\Windows\SysWOW64\4c4e4.exe

"C:\Windows\system32\4c4e4.exe" killauto~~c6673.exe

C:\Windows\SysWOW64\c9992.exe

"C:\Windows\system32\c9992.exe" killauto~~4c4e4.exe

C:\Windows\SysWOW64\c664a.exe

"C:\Windows\system32\c664a.exe" killauto~~c9992.exe

C:\Windows\SysWOW64\9a99x.exe

"C:\Windows\system32\9a99x.exe" killauto~~c664a.exe

C:\Windows\SysWOW64\98748.exe

"C:\Windows\system32\98748.exe" killauto~~9a99x.exe

C:\Windows\SysWOW64\49270.exe

"C:\Windows\system32\49270.exe" killauto~~98748.exe

C:\Windows\SysWOW64\4b693.exe

"C:\Windows\system32\4b693.exe" killauto~~49270.exe

C:\Windows\SysWOW64\d3686.exe

"C:\Windows\system32\d3686.exe" killauto~~4b693.exe

C:\Windows\SysWOW64\c68e9.exe

"C:\Windows\system32\c68e9.exe" killauto~~d3686.exe

C:\Windows\SysWOW64\be1c8.exe

"C:\Windows\system32\be1c8.exe" killauto~~c68e9.exe

C:\Windows\SysWOW64\34e99.exe

"C:\Windows\system32\34e99.exe" killauto~~be1c8.exe

C:\Windows\SysWOW64\c737e.exe

"C:\Windows\system32\c737e.exe" killauto~~34e99.exe

C:\Windows\SysWOW64\57a75.exe

"C:\Windows\system32\57a75.exe" killauto~~c737e.exe

C:\Windows\SysWOW64\2582a.exe

"C:\Windows\system32\2582a.exe" killauto~~57a75.exe

C:\Windows\SysWOW64\28a8e.exe

"C:\Windows\system32\28a8e.exe" killauto~~2582a.exe

C:\Windows\SysWOW64\x7778.exe

"C:\Windows\system32\x7778.exe" killauto~~28a8e.exe
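Added example, not part of the sandbox report: a Python script that rebuilds the stage chain from process records shaped like the Processes section above, checks that each stage's killauto~~<name> argument really names its parent, flags five-character executables launched from SysWOW64, and ties the Run value from the persistence table to the final stage. The event list is constructed: PIDs 1720, 3068, 2724, 2180 and 2700 and their command lines come from the report's WriteProcessMemory and Processes tables, while the jump straight to x7778.exe under PID 9999 is an assumption that shortens the 49-process chain. The path normalization assumes every stage is a 32-bit process, as the SysWOW64 paths in the report indicate.

```python
import re

# Constructed sample, modelled on the report's Processes section. PIDs 1720 -> 3068
# -> 2724 -> 2180 -> 2700 and their command lines are the report's own; the final
# stage x7778.exe under PID 9999 is an assumption that shortens the 49-process chain.
SAMPLE_EVENTS = [
    {"pid": 1720, "ppid": 1000,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe"'},
    {"pid": 3068, "ppid": 1720,
     "cmdline": r'"C:\Windows\system32\25xa9.exe" killauto~~8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe'},
    {"pid": 2724, "ppid": 3068, "cmdline": r'"C:\Windows\system32\c6c80.exe" killauto~~25xa9.exe'},
    {"pid": 2180, "ppid": 2724, "cmdline": r'"C:\Windows\system32\9ad35.exe" killauto~~c6c80.exe'},
    {"pid": 2700, "ppid": 2180, "cmdline": r'"C:\Windows\system32\a1c69.exe" killauto~~9ad35.exe'},
    {"pid": 9999, "ppid": 2700, "cmdline": r'"C:\Windows\system32\x7778.exe" killauto~~a1c69.exe'},
]
# Persistence row copied from the report's "Adds Run key to start application" table.
SAMPLE_RUN_LINE = (r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows'
                   r'\CurrentVersion\Run\ = "x7778.exe"')

CMDLINE_RE = re.compile(r'^"(?P<image>[^"]+)"\s*(?P<args>.*)$')
KILLAUTO_RE = re.compile(r'^killauto~~(?P<parent>\S+)$', re.IGNORECASE)
# Five-character names built from hex digits plus "x", the pattern seen throughout the report.
STAGE_NAME_RE = re.compile(r'^[0-9a-fx]{5}\.exe$', re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\.*?\\CurrentVersion\\Run)'
                          r'\\(?P<name>[^\\ ]*) = "(?P<data>[^"]*)"$')
SYSWOW64 = "c:\\windows\\syswow64\\"


def normalize_image(path):
    # A 32-bit process on 64-bit Windows that opens C:\Windows\system32 is redirected
    # to C:\Windows\SysWOW64 (WOW64 file system redirection). That is why the report's
    # command lines say system32 while its Process column says SysWOW64. Assumes the
    # process is 32-bit.
    return re.sub(r'(?i)^c:\\windows\\system32\\', r'C:\\Windows\\SysWOW64\\', path)


def stage_name(path):
    return path.rsplit("\\", 1)[-1]


def parse_cmdline(cmdline):
    m = CMDLINE_RE.match(cmdline)
    if not m:
        raise ValueError("unexpected command line: " + cmdline)
    return normalize_image(m["image"]), m["args"].strip()


def build_chain(events):
    # Follow the root process down its single line of children (the report shows
    # exactly one child per stage) and verify each killauto~~<name> argument.
    known = {e["pid"] for e in events}
    child_of = {e["ppid"]: e for e in events}
    root = next(e for e in events if e["ppid"] not in known)
    chain, findings, cur = [], [], root
    while cur is not None:
        image, args = parse_cmdline(cur["cmdline"])
        name = stage_name(image)
        m = KILLAUTO_RE.match(args)
        if m and chain:
            parent = chain[-1]["name"]
            if m["parent"].lower() != parent.lower():
                findings.append(f"pid {cur['pid']}: argument names {m['parent']} but parent is {parent}")
        if image.lower().startswith(SYSWOW64) and STAGE_NAME_RE.match(name):
            findings.append(f"pid {cur['pid']}: five-character executable launched from SysWOW64: {name}")
        chain.append({"pid": cur["pid"], "image": image, "name": name,
                      "claimed_parent": m["parent"] if m else None})
        cur = child_of.get(cur["pid"])
    return chain, findings


def parse_run_value(line):
    m = RUN_VALUE_RE.match(line)
    return None if m is None else {"key": m["key"], "value_name": m["name"], "data": m["data"]}


def analyze(events, run_line):
    chain, findings = build_chain(events)
    terminal = chain[-1]["name"]
    run = parse_run_value(run_line)
    names_terminal = False
    if run is not None:
        # The data is a bare file name with no directory. Which file it resolves to at
        # logon depends on the search path of the process that runs the Run key, so
        # record the fact rather than assume it points into SysWOW64.
        names_terminal = run["data"].lower() == terminal.lower()
        findings.append(f"Run value {run['value_name']!r} under {run['key']} = {run['data']}")
    return {"depth": len(chain), "stages": [c["name"] for c in chain],
            "terminal_stage": terminal, "persistence_names_terminal": names_terminal,
            "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS, SAMPLE_RUN_LINE)["findings"]:
        print(finding)
```

The same three checks (parent named in the argument, short random name launched from SysWOW64, Run value data equal to the terminal stage) translate directly into process-creation and registry-event rules for an EDR or Sysmon pipeline; the killauto~~ token and the SysWOW64 five-character name are the two strongest discriminators in this run.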

Network

N/A

Files

memory/1720-0-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\25xa9.exe

MD5 f0b7b95cb03f68352ec78e269a22c5bb
SHA1 628ae95276a0cb58a2d9c4c722ca240d84727721
SHA256 c0ef378433422337e58e18d8817591352900a3f496d8880cda5fb9c237040d71
SHA512 f2be8d2ae058cdc49e6d90245ff15181283dc7a2340fc8447a5c57c7efc234a4e150a28d1425d261fbe96f67a8f1a605d97959d4f4bdde1ed9c007a0ea4caa1f

memory/3068-16-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1720-17-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\c6c80.exe

MD5 b961dcc0c4de500862d8e63cd0cace87
SHA1 cbcd696168fb26c33fe60a8912a4b58fb2029cd7
SHA256 e46f9063885f8cc41aafc52433bd8e4bab6bdae9859f164cfc77a9ca98e6fca8
SHA512 0b89ee5ee72cc7d5a611379b925aa8288b477b7f14dd05997754fc15caed1d3dd0bd2fb0079783d558b8aa24ec2530090035496f6604f622890fa6bd19203246

memory/3068-31-0x0000000003DB0000-0x0000000003DF2000-memory.dmp

memory/3068-30-0x0000000003DB0000-0x0000000003DF2000-memory.dmp

memory/3068-34-0x0000000000400000-0x0000000000442000-memory.dmp

\??\PIPE\srvsvc (named pipe, not a file; the hashes below are those of zero-length content)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Windows\SysWOW64\9ad35.exe

MD5 1600ee29842add2677f043a365f97473
SHA1 10fe7e94f806a1da08ae8a0b78f41baee98ee3d4
SHA256 303c20374b0823e3a6cb37c880d4774e6ba0d1c67f6f73cddc4b2b1628e79281
SHA512 f58d74b0e339fce6fbb6debf6d2184eb8b28dc9fa2fe7a497d33130cf3b8260bfb7c1d6985b95d8b5a3cd852bdd353929e6d7a345e810fd4979e5cb0cc80ab5a

memory/2724-48-0x0000000003FB0000-0x0000000003FF2000-memory.dmp

memory/2724-51-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\a1c69.exe

MD5 a4a2414f4b7c2ac8b4d28e03fe6dfcfc
SHA1 adbb39249e9efc7c7f20d1d65b81816cefedc625
SHA256 89743c186d6a3cc6ab5798d740fae7b3f4e9554a1ce55cebc4797816928844f8
SHA512 fef91f77345403515fc42cf2f02af5fd6d89970745d66d5ea789c0632f70104d21acffbe6d7baf759b08184fdb3b46c8e3a797b2e60853c0d70df04ddf868a5d

memory/2180-64-0x0000000003B00000-0x0000000003B42000-memory.dmp

memory/2180-65-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\1b0a1.exe

MD5 da83095dcc8beea491baa8199124b4fb
SHA1 5282cb1f788d65d06813345215ee6b1deee9f042
SHA256 f3a62b38cc25dad696aa2137e3ff61735aed7c567b0ed45634f7af558f62c655
SHA512 3fcf3b0ae2d5e1209cdfead80f0d4c8827144dacb0bd642ea33378e02f9632fd9a725df6c9e6716311776f7a9317630c3682507caa4d2f2bcf0563e085a55ceb

memory/2700-81-0x0000000003B70000-0x0000000003BB2000-memory.dmp

memory/2700-84-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2432-96-0x0000000003D70000-0x0000000003DB2000-memory.dmp

memory/2432-98-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\54bc0.exe

MD5 baa1eb27357586947afec437851db95c
SHA1 1bfbe408d3e3e0dcbdbbf68bab40380d724ba751
SHA256 892c5dae55bfde39fb6d21414d7cce243c67f6928909fdc1facfe3d6e7962260
SHA512 4d889d69fb567194ba86230d8e5345f0924d98945066bc04f2a83ca7db40fbe3a8c8bc125aa33ed10f58bdbc571e1d162512c1c6b618860aad22d49577fd94d9

memory/944-115-0x0000000000400000-0x0000000000442000-memory.dmp

memory/944-114-0x0000000003A80000-0x0000000003AC2000-memory.dmp

\Windows\SysWOW64\eac73.exe

MD5 18c56327d87b2b5ba1a7b7e5ef54e98c
SHA1 108a89fe509b5fd4f37e46e807e658a00967d1b2
SHA256 75717f5ea2b029567a2393c2863f74c89bb699d903c3d4899f062ca82826b7d1
SHA512 6a55acebcd9735d232ccc154ad81c40dbdec222188c5a434a0d6974b0ecb984789fe29da15212b0bba6690b3d163e0c23691fb7f196ab6b01a6b7d53eb9c3fd0

memory/2308-130-0x0000000003CD0000-0x0000000003D12000-memory.dmp

memory/1344-145-0x0000000003D20000-0x0000000003D62000-memory.dmp

memory/2000-160-0x0000000003E10000-0x0000000003E52000-memory.dmp

memory/2000-162-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\773ec.exe

MD5 a5614a22a778cce9ef6daedd2fb7c0dc
SHA1 a3cfb119cbb1920b08c2c279172556028301563a
SHA256 714636e65f3efaaa8ed5990c62a8c9cb3ea44a21a1819da41da84a18132d0c0b
SHA512 e3360c380f8fa12e0cb6441591416d5fa3d71a9d84a7f8721621e998891a2bf767338bb2401a5eb42fc9349f03c43e36a8a56461f503b0351b8afe99f3fdc650

memory/1524-178-0x0000000004050000-0x0000000004092000-memory.dmp

memory/1524-180-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\ead56.exe

MD5 0b694ba476e443f9b60d0df2ff88fa78
SHA1 21fa7a3998206958f3c2d64e8bdf7ad16232868c
SHA256 1cae33834d9b2f52a8f87988d8d0321f77f6cc64b9c1b3eca37a7645e2aabad4
SHA512 76756436553d5803dd8e81c616c2aa3f4cd05d6d0d06974806e1ac0ecf29d16329339b2533279995c35c50108d73ebeb9f3697c4b5ef8029ecc10f825b93b787

memory/1908-193-0x0000000003D50000-0x0000000003D92000-memory.dmp

memory/2928-197-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2412-214-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2928-213-0x0000000003D90000-0x0000000003DD2000-memory.dmp

memory/2928-212-0x0000000003D90000-0x0000000003DD2000-memory.dmp

memory/2928-215-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\4c569.exe

MD5 d935836577448ef2e89649c47d8d53e6
SHA1 837daee751c80a4c2bbc742b5fc48c54460496d5
SHA256 b7215ba3eeaf3274f929a1e43eabc90125986122c268b2cb5ef3e1b954199508
SHA512 f31f175663d62b09e8e0352d159fbb2a2ee5ff76ad9b00d99980936a672feba6d7d3ec9a69e282cdcb9065279a124792c1ded923ce76e43efd1defe36d21ecf0

memory/2412-231-0x0000000000400000-0x0000000000442000-memory.dmp

\Windows\SysWOW64\a223b.exe

MD5 feb888fe284e02f45529903276c15aaf
SHA1 84c5f4890b42917c1d480f1302438a20029c1e3f
SHA256 9fec769b7f29d1b155eec0bfbd3f4297e78b90e69f4275b352ede8ee7a8a4103
SHA512 e21f084ada55a967348c67fd44a34a9e09199775fceef90add455529cfb46732a72cd943b4e95ee64276198ef98d570ea814772da20a600c0108903431e1ee12

memory/2944-244-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2572-245-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2572-255-0x0000000003D80000-0x0000000003DC2000-memory.dmp

memory/2572-254-0x0000000003D80000-0x0000000003DC2000-memory.dmp

memory/2572-258-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3048-269-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3048-268-0x0000000003DE0000-0x0000000003E22000-memory.dmp

memory/3048-267-0x0000000003DE0000-0x0000000003E22000-memory.dmp

memory/2792-280-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3024-293-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1716-302-0x0000000003FD0000-0x0000000004012000-memory.dmp

memory/2148-313-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2320-321-0x0000000003E40000-0x0000000003E82000-memory.dmp

memory/1396-335-0x0000000003C70000-0x0000000003CB2000-memory.dmp

memory/412-347-0x00000000041F0000-0x0000000004232000-memory.dmp

memory/412-350-0x0000000000400000-0x0000000000442000-memory.dmp

memory/412-346-0x00000000041F0000-0x0000000004232000-memory.dmp

memory/2104-362-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1896-361-0x0000000003C70000-0x0000000003CB2000-memory.dmp

memory/1896-363-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2104-374-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1556-385-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1628-386-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1628-395-0x0000000003BB0000-0x0000000003BF2000-memory.dmp

memory/1596-407-0x0000000003BD0000-0x0000000003C12000-memory.dmp

memory/1596-406-0x0000000003BD0000-0x0000000003C12000-memory.dmp

memory/1596-410-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2560-430-0x0000000003C60000-0x0000000003CA2000-memory.dmp

memory/2560-429-0x0000000003C60000-0x0000000003CA2000-memory.dmp

memory/2124-438-0x0000000003F40000-0x0000000003F82000-memory.dmp

memory/1368-445-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2124-444-0x0000000003F40000-0x0000000003F82000-memory.dmp

memory/2124-446-0x0000000000400000-0x0000000000442000-memory.dmp

memory/636-459-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1368-458-0x0000000003BC0000-0x0000000003C02000-memory.dmp

memory/1368-457-0x0000000003BC0000-0x0000000003C02000-memory.dmp

memory/636-469-0x0000000003C30000-0x0000000003C72000-memory.dmp

memory/636-468-0x0000000003C30000-0x0000000003C72000-memory.dmp

memory/1572-483-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1864-482-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1572-493-0x0000000003E90000-0x0000000003ED2000-memory.dmp

memory/1572-492-0x0000000003E90000-0x0000000003ED2000-memory.dmp

memory/1572-496-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1640-505-0x0000000003AC0000-0x0000000003B02000-memory.dmp

memory/488-508-0x0000000000400000-0x0000000000442000-memory.dmp

memory/488-517-0x0000000003EA0000-0x0000000003EE2000-memory.dmp

memory/488-518-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1544-531-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1544-540-0x0000000003B20000-0x0000000003B62000-memory.dmp

memory/1604-553-0x0000000003C50000-0x0000000003C92000-memory.dmp

memory/1896-554-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1896-563-0x0000000003C20000-0x0000000003C62000-memory.dmp

memory/1896-564-0x0000000000400000-0x0000000000442000-memory.dmp

memory/808-578-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2100-577-0x0000000000400000-0x0000000000442000-memory.dmp

memory/808-588-0x0000000000400000-0x0000000000442000-memory.dmp

memory/808-584-0x0000000003CB0000-0x0000000003CF2000-memory.dmp

memory/1072-591-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1072-600-0x0000000003AB0000-0x0000000003AF2000-memory.dmp

memory/2600-623-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2600-632-0x0000000003D90000-0x0000000003DD2000-memory.dmp

memory/1604-635-0x0000000003C50000-0x0000000003C92000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:17

Reported

2024-06-13 22:20

Platform

win10v2004-20240508-en

Max time kernel

62s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\3063a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\bdae9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\ded27.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ded27.exe N/A
N/A N/A C:\Windows\SysWOW64\3063a.exe N/A
N/A N/A C:\Windows\SysWOW64\bdae9.exe N/A
N/A N/A C:\Windows\SysWOW64\c77e9.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "c77e9.exe" C:\Windows\SysWOW64\c77e9.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ded27.exe C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ded27.exe C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\3063a.exe C:\Windows\SysWOW64\ded27.exe N/A
File opened for modification C:\Windows\SysWOW64\3063a.exe C:\Windows\SysWOW64\ded27.exe N/A
File created C:\Windows\SysWOW64\c77e9.exe C:\Windows\SysWOW64\bdae9.exe N/A
File opened for modification C:\Windows\SysWOW64\c77e9.exe C:\Windows\SysWOW64\bdae9.exe N/A
File created C:\Windows\SysWOW64\bdae9.exe C:\Windows\SysWOW64\3063a.exe N/A
File opened for modification C:\Windows\SysWOW64\bdae9.exe C:\Windows\SysWOW64\3063a.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\c77e9.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\bdae9.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\c77e9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\ded27.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\3063a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\3063a.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\SysWOW64\ded27.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\bdae9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe"

C:\Windows\SysWOW64\ded27.exe

"C:\Windows\system32\ded27.exe" killauto~~8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe

C:\Windows\SysWOW64\3063a.exe

"C:\Windows\system32\3063a.exe" killauto~~ded27.exe

C:\Windows\SysWOW64\bdae9.exe

"C:\Windows\system32\bdae9.exe" killauto~~3063a.exe

C:\Windows\SysWOW64\c77e9.exe

"C:\Windows\system32\c77e9.exe" killauto~~bdae9.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
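
The process list above is the behaviour worth turning into hunting logic: every stage is a five-character name dropped into the system directory and started with a single argument, `killauto~~<name of the stage that started it>`, so the argument alone lets the whole chain be reassembled. Two details a practitioner should not miss: each command line says `C:\Windows\system32\...` while the image path the sandbox recorded is `C:\Windows\SysWOW64\...`, which is WOW64 file-system redirection acting on a 32-bit process, and the Run value written by c77e9.exe has an empty value name with a bare file name (no path) as data, so a hunt has to key on that shape rather than on a fixed path. The report does not show what a stage does with the `killauto~~` argument beyond naming its predecessor, and the rundll32 entry carries no such link. The script below is an added example written for this page, not sandbox output or code from the sample; its inputs are the command lines and the Run-key indicator transcribed from this behavioral2 run.

```python
import ntpath
import re

# Constructed input: (image path, command line) pairs transcribed from the
# behavioral2 "Processes" section of this report, not captured live.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe"'),
    (r"C:\Windows\SysWOW64\ded27.exe",
     r'"C:\Windows\system32\ded27.exe" killauto~~8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe'),
    (r"C:\Windows\SysWOW64\3063a.exe", r'"C:\Windows\system32\3063a.exe" killauto~~ded27.exe'),
    (r"C:\Windows\SysWOW64\bdae9.exe", r'"C:\Windows\system32\bdae9.exe" killauto~~3063a.exe'),
    (r"C:\Windows\SysWOW64\c77e9.exe", r'"C:\Windows\system32\c77e9.exe" killauto~~bdae9.exe'),
    (r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
]
# The "Adds Run key" indicator from the Signatures section above (transcribed).
RUN_INDICATOR = r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "c77e9.exe"'

KILLAUTO_RE = re.compile(r'^"(?P<exe>[^"]+)"\s+killauto~~(?P<parent>\S+)$')
DROP_NAME_RE = re.compile(r"^[0-9a-z]{5}\.exe$")      # 25xa9.exe, ded27.exe, c77e9.exe ...
RUN_KEY_RE = re.compile(r'^(?P<key>\\REGISTRY\\.*?\\CurrentVersion\\Run\\(?P<name>[^\\=]*?))\s*=\s*"(?P<data>[^"]*)"$')
SYS32 = "c:\\windows\\system32\\"
WOW64 = "c:\\windows\\syswow64\\"

def parse_killauto(cmdline):
    """Return (exe path as written on the command line, predecessor basename) or None."""
    m = KILLAUTO_RE.match(cmdline)
    return (m.group("exe"), m.group("parent")) if m else None

def build_chain(processes):
    """Order the stages root -> last child by following the killauto~~ predecessor links."""
    child_of = {}
    for image, cmdline in processes:
        parsed = parse_killauto(cmdline)
        if parsed:
            child_of[parsed[1]] = ntpath.basename(image)
    roots = [p for p in child_of if p not in child_of.values()]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one chain root, found {roots}")
    chain, seen = [roots[0]], {roots[0]}
    while chain[-1] in child_of:
        nxt = child_of[chain[-1]]
        if nxt in seen:                      # guard against a looping chain
            raise ValueError(f"cycle at {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    return chain

def wow64_redirected(image, cmdline):
    """True when the command line names System32 but the image ran from SysWOW64,
    i.e. a 32-bit process whose system32 path was redirected by WOW64."""
    parsed = parse_killauto(cmdline)
    claimed = parsed[0] if parsed else cmdline.strip('"')
    return claimed.lower().startswith(SYS32) and image.lower().startswith(WOW64)

def is_suspicious(image, cmdline):
    """Hunting rule derived from this report: five-character random name under a
    Windows system directory, launched with the killauto~~ hand-off argument."""
    in_sysdir = image.lower().startswith((SYS32, WOW64))
    name_ok = DROP_NAME_RE.match(ntpath.basename(image).lower())
    return bool(in_sysdir and name_ok and parse_killauto(cmdline))

def flagged(processes, predicate):
    """Basenames of the processes for which predicate(image, cmdline) holds."""
    return [ntpath.basename(i) for i, c in processes if predicate(i, c)]

def run_key_findings(indicator):
    """Parse a 'Set value (str)' Run-key indicator and list what makes it unusual."""
    m = RUN_KEY_RE.match(indicator)
    if not m:
        return None
    name, data = m.group("name"), m.group("data")
    findings = []
    if name == "":
        findings.append("empty value name")
    if "\\" not in data:
        findings.append("bare file name, no path")
    if "WOW6432Node" in m.group("key"):
        findings.append("landed under WOW6432Node (registry redirection, 32-bit writer)")
    return {"name": name, "data": data, "findings": findings}

if __name__ == "__main__":
    print(" -> ".join(build_chain(PROCESSES)))
    for image, cmdline in PROCESSES:
        tags = [t for t, f in (("drop-chain", is_suspicious), ("wow64-redirected", wow64_redirected))
                if f(image, cmdline)]
        print(f"{ntpath.basename(image):<55} {' '.join(tags) or '-'}")
    print(run_key_findings(RUN_INDICATOR))
```

Run as a script it prints the five-stage chain, tags the four SysWOW64 stages and leaves the original sample and rundll32 untagged. The `is_suspicious` rule is deliberately tied to the two traits every stage in both runs shares (system-directory five-character name plus the `killauto~~` argument); dropping either condition makes it match ordinary system binaries.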

Network

Files

memory/2216-0-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\ded27.exe

MD5 8b72093836c160ad44c28056948f9300
SHA1 52733e0c7abd33536dd8a6017d007b0cdd20b622
SHA256 dd32a6a31c72d15f336ba83dcc04e8704eb60b70f1a0d3487895d2802106bb34
SHA512 c6ea1e62fba733b00703fe59b4a8aea45096d9a7de539bfba3a87b34c2deebfe35efb81a2b8260990d36120cadefa48ae33c5aa44985c727857ee6e66ea25bae

memory/4400-37-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2216-40-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4400-77-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Windows\SysWOW64\bdae9.exe

MD5 0c9dfc5859955a58297fc43fe2655692
SHA1 2b4bc09cddedb06fa578d17a6e8a873f32190f72
SHA256 73dc725f197f244908056494690bbf938c328173dd90ab8912a5aa8ba861e730
SHA512 86c7dfb78748720ade448bb0c875ffdbebe4be4bb4004cb38e699cf316e0452d831734a0365bd45cd22ada69f93cd69a8b01d54cd77c2fdcef1ab847e804cd7d

memory/1964-112-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3892-149-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3480-152-0x0000000000400000-0x0000000000442000-memory.dmp
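
The hashes in the two Files sections tell a story the signature list does not: in this run ded27.exe carries the sample's own SHA256 (dd32a6a3...) and an MD5 equal to the submitted file's name prefix (8b72093836c160ad44c28056948f9300), so the first stage is a byte-identical self-copy into SysWOW64, whereas in behavioral1 every dropped stage listed has a different digest from the sample and from each other. The `\??\PIPE\srvsvc` entry in behavioral1 carries the digests of zero bytes (a named-pipe open, not a file written), so it is not a dropped artefact. The script below is an added example, not part of the sandbox output; it takes a subset of the digests transcribed from the two Files sections, sorts each entry into self-copy, distinct content or empty content, and cross-checks that MD5 and SHA256 agree about which entries are the sample, which is the cheap sanity check to run before turning a report's hashes into blocklist entries.

```python
import hashlib
import re

# From the report header: the submitted file name (its MD5 is the prefix) and SHA256.
SAMPLE_NAME = "8b72093836c160ad44c28056948f9300_NeikiAnalytics.exe"
SAMPLE_SHA256 = "dd32a6a31c72d15f336ba83dcc04e8704eb60b70f1a0d3487895d2802106bb34"

# Constructed input: a subset of the "Files" entries from behavioral1 and
# behavioral2 above, transcribed by hand; only the listed digests are reproduced.
FILES = {
    r"\Windows\SysWOW64\25xa9.exe": {
        "md5": "f0b7b95cb03f68352ec78e269a22c5bb",
        "sha256": "c0ef378433422337e58e18d8817591352900a3f496d8880cda5fb9c237040d71"},
    r"\Windows\SysWOW64\c6c80.exe": {
        "md5": "b961dcc0c4de500862d8e63cd0cace87",
        "sha256": "e46f9063885f8cc41aafc52433bd8e4bab6bdae9859f164cfc77a9ca98e6fca8"},
    r"\??\PIPE\srvsvc": {
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    r"C:\Windows\SysWOW64\ded27.exe": {
        "md5": "8b72093836c160ad44c28056948f9300",
        "sha256": "dd32a6a31c72d15f336ba83dcc04e8704eb60b70f1a0d3487895d2802106bb34"},
    r"C:\Windows\SysWOW64\bdae9.exe": {
        "md5": "0c9dfc5859955a58297fc43fe2655692",
        "sha256": "73dc725f197f244908056494690bbf938c328173dd90ab8912a5aa8ba861e730"},
}

MD5_PREFIX_RE = re.compile(r"^([0-9a-f]{32})_")
# Digests of zero bytes, computed rather than hard-coded so the check cannot drift.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def md5_from_filename(name):
    """Sandbox naming convention used in this report: '<md5>_<original name>'."""
    m = MD5_PREFIX_RE.match(name.lower())
    return m.group(1) if m else None

def classify(digests, sample_sha256):
    """Sort one Files entry by what its digests say about its content."""
    if digests["md5"] == EMPTY_MD5 and digests["sha256"] == EMPTY_SHA256:
        return "empty-content"   # zero bytes: pipe/handle artefact, not a dropped binary
    if digests["sha256"] == sample_sha256:
        return "self-copy"       # byte-identical to the submitted sample
    return "distinct"            # different bytes: mutated/repacked copy or other drop

def triage(files, sample_sha256):
    return {path: classify(d, sample_sha256) for path, d in files.items()}

def digest_consistency(files, sample_md5, sample_sha256):
    """Paths whose MD5 and SHA256 disagree about being the sample: a transcription
    error in the report (or a collision) would surface here. Empty means consistent."""
    return [p for p, d in files.items()
            if (d["md5"] == sample_md5) != (d["sha256"] == sample_sha256)]

if __name__ == "__main__":
    sample_md5 = md5_from_filename(SAMPLE_NAME)
    for path, verdict in triage(FILES, SAMPLE_SHA256).items():
        print(f"{verdict:<14} {path}")
    print("inconsistent:", digest_consistency(FILES, sample_md5, SAMPLE_SHA256))
```

Only the `self-copy` and `distinct` entries are worth adding to a file-hash blocklist, and the `distinct` set from behavioral1 shows why a hash-only block is weak against this sample: each stage there had a fresh digest, so the process-shape rule (random five-character name in a system directory plus the `killauto~~` argument) is the more durable indicator.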