Analysis Overview
SHA256
057db4e22fafc7beb6b3a32b36c726edf94a23c774aefaf25d09866332b34f40
Threat Level: Known bad
The file 5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:46
Reported
2024-06-13 02:48
Platform
win7-20231129-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\zeeowud.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\zeeowud.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /q" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /w" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /j" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /z" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /g" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /d" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /h" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /o" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /w" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /p" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /c" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /f" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /e" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /r" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /y" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /v" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /v" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /n" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /j" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /k" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /n" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /u" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /y" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /m" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /f" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /d" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /t" | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /a" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /i" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /o" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /t" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /s" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /e" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /r" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /z" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /l" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /b" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /u" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /p" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /g" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /h" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /l" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /m" | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /k" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /c" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /x" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /b" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /t" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /s" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /i" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /m" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /q" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /a" | C:\Users\Admin\zeeowud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud = "C:\\Users\\Admin\\zeeowud.exe /x" | C:\Users\Admin\zeeowud.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\zeeowud.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\zeeowud.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3024 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | C:\Users\Admin\zeeowud.exe |
| PID 3024 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | C:\Users\Admin\zeeowud.exe |
| PID 3024 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | C:\Users\Admin\zeeowud.exe |
| PID 3024 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | C:\Users\Admin\zeeowud.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe"
C:\Users\Admin\zeeowud.exe
"C:\Users\Admin\zeeowud.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.helpupdated.org | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.com | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.org | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.com | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.net | udp |
| US | 104.155.138.21:8000 | ns1.helpupdates.net | tcp |
Files
C:\Users\Admin\zeeowud.exe
| MD5 | 92985c61d13ad4b3eaec75896a09be81 |
| SHA1 | 4729d43978e8129be54efd9a7294a8c149c663a2 |
| SHA256 | 4cfa308222c0a054f0b648e9072db05c6a560c4d51c2da7b3a7a76606697f876 |
| SHA512 | 325c9e8f045dde881f2e5648002ad1e723bc2b9aef593a1be6f7eddc3bdbad249f1111c5000c7093be4cf3fd11fd63711268e7da71cf8bbbe1694805b0e45c97 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 02:46
Reported
2024-06-13 02:48
Platform
win10v2004-20240508-en
Max time kernel
118s
Max time network
148s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\ziaita.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\ziaita.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /u" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /r" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /i" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /s" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /z" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /c" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /k" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /l" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /f" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /z" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /e" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /b" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /h" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /v" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /q" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /d" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /i" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /g" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /g" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /y" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /e" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /f" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /j" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /c" | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /w" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /n" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /a" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /b" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /a" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /t" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /o" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /w" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /h" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /j" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /r" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /x" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /t" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /q" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /m" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /v" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /u" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /y" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /c" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /n" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /m" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /o" | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /p" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /d" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /o" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /p" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /x" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /l" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /k" | C:\Users\Admin\ziaita.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ziaita = "C:\\Users\\Admin\\ziaita.exe /s" | C:\Users\Admin\ziaita.exe | N/A |
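The registry rows above (in both behavioral1 and behavioral2) show three things worth turning into detection logic: the dropped executable registers itself under both the HKLM Wow6432Node and the per-user Run key and then rewrites that value dozens of times with a different one-letter switch, ShowSuperHidden is cleared so the drop stays invisible in Explorer, and the original sample reads Geo\Nation before doing anything else. The script below is an added example written for this report, not output of the sandbox; the event list is constructed from the behavioral1 rows (with one benign autostart entry added as a control), the scoring thresholds are the author's assumptions, and the path notation is the sandbox's own (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>).

```python
"""Detection logic for the registry behaviour in this report: the autostart
entry rewritten with a rotating one-letter switch, ShowSuperHidden cleared,
and the Geo\\Nation locale lookup. Events are (operation, process, key path,
value type, data) tuples in the sandbox's own path notation; the sample set
below is constructed from the behavioral1 rows plus one benign control."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ORIG = r"C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe"
DROP = r"C:\Users\Admin\zeeowud.exe"
SID = "S-1-5-21-3627615824-4061627003-3019543961-1000"
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zeeowud"
HKCU_RUN = rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\zeeowud"
SUPERHIDDEN = rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"

SAMPLE_EVENTS = (
    [("set", ORIG, SUPERHIDDEN, "int", "0"),
     ("set", DROP, SUPERHIDDEN, "int", "0"),
     ("query", ORIG, rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation", "", "")]
    + [("set", DROP, HKLM_RUN, "str", rf"{DROP} /{s}") for s in "qwjgdo"]
    + [("set", DROP, HKCU_RUN, "str", rf"{DROP} /{s}") for s in "zhw"]
    + [("set", ORIG, HKLM_RUN, "str", rf"{DROP} /t"),
       # constructed benign control: an ordinary per-user autostart entry
       ("set", r"C:\Windows\explorer.exe",
        rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive", "str",
        r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background')]
)

RUN_KEY = re.compile(
    r"^\\REGISTRY\\(?P<hive>MACHINE|USER\\S-1-5-21-[\d-]+)\\SOFTWARE"
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
SUPERHIDDEN_VALUE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
CMDLINE = re.compile(r'^\s*"?(?P<exe>[^"]*?\.exe)"?\s*(?P<args>.*?)\s*$', re.I)
PROFILE_ROOT_EXE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)


def analyse(events, churn_threshold=3):
    """Return the findings a detection rule would raise for a stream of registry events."""
    report = {"superhidden_cleared": [], "locale_checks": [], "run_entries": [], "run_value_churn": {}}
    args_seen = defaultdict(set)  # (hive, value name) -> distinct argument strings written
    for op, proc, path, vtype, data in events:
        if op == "query" and GEO_NATION.search(path):
            report["locale_checks"].append(proc)
            continue
        if op != "set":
            continue
        if SUPERHIDDEN_VALUE.search(path) and vtype == "int" and data.strip() == "0":
            report["superhidden_cleared"].append(proc)
            continue
        key = RUN_KEY.match(path)
        cmd = CMDLINE.match(data) if key else None
        if not cmd:
            continue
        hive = "HKLM" if key.group("hive").upper() == "MACHINE" else "HKCU"
        name, exe, args = key.group("name"), cmd.group("exe"), cmd.group("args")
        reasons = []
        if PROFILE_ROOT_EXE.match(exe):
            reasons.append("executable sits directly in a user profile root")
        if re.fullmatch(r"/[a-z]", args, re.I):
            reasons.append("a single-letter switch is the only argument")
        if PureWindowsPath(exe).stem.lower() == name.lower():
            reasons.append("value name equals the executable name")
        args_seen[(hive, name.lower())].add(args.lower())
        report["run_entries"].append({"hive": hive, "name": name, "exe": exe, "args": args,
                                      "process": proc, "reasons": reasons,
                                      "suspicious": len(reasons) >= 2})
    # The same Run value rewritten with many different switches in one session is itself a signal.
    for (hive, name), seen in args_seen.items():
        if len(seen) >= churn_threshold:
            report["run_value_churn"][f"{hive}\\...\\Run\\{name}"] = len(seen)
    return report


if __name__ == "__main__":
    r = analyse(SAMPLE_EVENTS)
    print("ShowSuperHidden cleared by:", r["superhidden_cleared"])
    print("Geo\\Nation queried by:", r["locale_checks"])
    for e in r["run_entries"]:
        flag = "SUSPICIOUS" if e["suspicious"] else "ok"
        print(f"{flag:10} {e['hive']}\\Run\\{e['name']} = {e['exe']} {e['args']}  ({'; '.join(e['reasons'])})")
    print("Run value churn:", r["run_value_churn"])
```

The benign OneDrive entry scores only one of the three traits (value name equals executable name) and is not flagged, while every zeeowud row scores all three; the churn count catches the rewrite loop even on a host where the drop name differs, which matters here because the second detonation produced ziaita.exe rather than zeeowud.exe.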
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\ziaita.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\ziaita.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 640 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | C:\Users\Admin\ziaita.exe |
| PID 640 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | C:\Users\Admin\ziaita.exe |
| PID 640 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe | C:\Users\Admin\ziaita.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe"
C:\Users\Admin\ziaita.exe
"C:\Users\Admin\ziaita.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.helpupdater.net | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.org | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.com | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.org | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.com | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.org | udp |
| US | 8.8.8.8:53 | ns1.helpupdater.net | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.net | udp |
| US | 8.8.8.8:53 | ns1.helpupdater.net | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.com | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.org | udp |
| US | 8.8.8.8:53 | ns1.helpupdater.net | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.org | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.com | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.com | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.org | udp |
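In both Network tables the 8.8.8.8:53 rows are lookups through the sandbox resolver, not C2 contact; the only real connection is the single TCP row to 104.155.138.21:8000 in behavioral1. The names queried are near-identical variants (ns1.helpupdate{d,r,s} under .com, .net and .org), which is what a fixed fallback list looks like rather than a generated domain, although the report itself does not say how the list is produced. The script below is an added example, not part of the report or the sandbox: it parses the table rows (constructed here from both detonations), drops the resolver's own PTR lookup, clusters the remaining names by edit distance on the second-level label, and emits the family as a blocklist together with the endpoint that was actually contacted. The distance threshold and minimum family size are assumptions.

```python
"""Group the C2 lookups from the Network tables into one domain family by
near-duplicate clustering of the second-level label. Rows are constructed
from the behavioral1 and behavioral2 tables of this report."""
from collections import defaultdict

SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.helpupdated.org | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.com | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.org | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.com | udp |
| US | 8.8.8.8:53 | ns1.helpupdates.net | udp |
| US | 104.155.138.21:8000 | ns1.helpupdates.net | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns1.helpupdater.net | udp |
| US | 8.8.8.8:53 | ns1.helpupdated.net | udp |
| US | 8.8.8.8:53 | ns1.helpupdater.net | udp |
"""


def parse_rows(text):
    """Parse the report's pipe-delimited network table into row dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        rows.append({"country": country, "dest": dest,
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def is_dns(row):
    return row["proto"] == "udp" and row["dest"].endswith(":53")


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cluster_domains(rows, max_dist=1):
    """Cluster queried names whose second-level labels are within max_dist edits."""
    per_domain = defaultdict(lambda: {"dns_queries": 0, "contacted": set()})
    for row in rows:
        if row["domain"].endswith(".arpa"):
            continue  # resolver PTR lookup, not driven by the sample
        entry = per_domain[row["domain"]]
        if is_dns(row):
            entry["dns_queries"] += 1
        else:
            entry["contacted"].add(row["dest"])
    clusters = []
    for domain in sorted(per_domain):
        labels = domain.split(".")
        sld = labels[-2] if len(labels) >= 2 else domain
        for c in clusters:
            if any(edit_distance(sld, s) <= max_dist for s in c["slds"]):
                c["slds"].add(sld)
                c["members"].append(domain)
                break
        else:
            clusters.append({"slds": {sld}, "members": [domain]})
    for c in clusters:
        c["dns_queries"] = sum(per_domain[d]["dns_queries"] for d in c["members"])
        c["contacted"] = set().union(*(per_domain[d]["contacted"] for d in c["members"]))
    return clusters


def blocklist(clusters, min_size=3):
    """Every member of a family large enough to be a rotation list rather than a lone hostname."""
    return sorted(d for c in clusters if len(c["members"]) >= min_size for d in c["members"])


if __name__ == "__main__":
    clusters = cluster_domains(parse_rows(SAMPLE_ROWS))
    for c in clusters:
        print(f"{len(c['members'])} names, {c['dns_queries']} DNS queries, contacted: {c['contacted'] or '-'}")
        for d in c["members"]:
            print("   ", d)
    print("blocklist:", blocklist(clusters))
```

Blocking only the name that resolved (ns1.helpupdates.net) would leave the other six live; the cluster output is the list to push to DNS filtering, and 104.155.138.21:8000 is the network indicator to search for in proxy and firewall logs.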
Files
C:\Users\Admin\ziaita.exe
| MD5 | 4d9c07cde6a28aa5f94acb47e42ae300 |
| SHA1 | d3088fc3bd082b8ca0e8f61306c6249d4144a810 |
| SHA256 | fae5698405f0758ad6d1dc5b4a31de909f383a1eda483898374d4b4e262d2e7b |
| SHA512 | de000aa6370c424f7a4c321c415b73dcdbf19540ee6f336272d2d1782605ec1b7cdd81799c35b9300c9fa42cbaa7f9b1a45ddedf87c3598da3b37213b4551bbd |
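The two Files sections show that the dropped payload gets a different name and different digests in each run (zeeowud.exe in behavioral1, ziaita.exe in behavioral2), so a hash-only sweep will miss infections the sandbox did not see. The scanner below is an added example, not part of the report: it hashes every executable under a users directory once with all four digests from the tables, matches against the values published here, and separately flags the one trait both drops share, an .exe sitting directly in a user profile root. The demo directory tree and its file contents are constructed for the stand-alone run and are not sample data.

```python
"""Triage scan for the dropped payload described in the Files sections.
Combines a digest match against the report's values with the location
heuristic both drops share: C:\\Users\\<user>\\<name>.exe."""
import hashlib
import tempfile
from pathlib import Path

# Digests copied from this report; the submitted sample only lists SHA256.
KNOWN_BAD = {
    "md5": {
        "92985c61d13ad4b3eaec75896a09be81": "zeeowud.exe (behavioral1 drop)",
        "4d9c07cde6a28aa5f94acb47e42ae300": "ziaita.exe (behavioral2 drop)",
    },
    "sha256": {
        "057db4e22fafc7beb6b3a32b36c726edf94a23c774aefaf25d09866332b34f40": "5840c1688f54eb98308d33aba1e3b0f0_NeikiAnalytics.exe (submitted sample)",
        "4cfa308222c0a054f0b648e9072db05c6a560c4d51c2da7b3a7a76606697f876": "zeeowud.exe (behavioral1 drop)",
        "fae5698405f0758ad6d1dc5b4a31de909f383a1eda483898374d4b4e262d2e7b": "ziaita.exe (behavioral2 drop)",
    },
}


def multi_hash(path, chunk_size=1 << 20):
    """Read the file once and feed every digest from the same buffer."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan(users_root, known=KNOWN_BAD):
    """Walk a Users directory and report executables that match a digest or the drop location."""
    users_root = Path(users_root)
    findings = []
    for exe in sorted(users_root.rglob("*.exe")):
        reasons = []
        digests = multi_hash(exe)
        for algo, table in known.items():
            label = table.get(digests.get(algo, ""))
            if label:
                reasons.append(f"{algo} matches {label}")
        # C:\Users\<user>\<name>.exe is exactly two path parts below the users root
        if len(exe.relative_to(users_root).parts) == 2:
            reasons.append("executable directly in a user profile root")
        if reasons:
            findings.append({"name": exe.name, "path": str(exe), "digests": digests, "reasons": reasons})
    return findings


def build_demo_tree():
    """Constructed directory layout for a stand-alone run (not from the report)."""
    root = Path(tempfile.mkdtemp(prefix="users_"))
    (root / "Admin" / "AppData" / "Local" / "Temp").mkdir(parents=True)
    (root / "Admin" / "zeeowud.exe").write_bytes(b"abc")        # matches DEMO_KNOWN and the location
    (root / "Admin" / "tool.exe").write_bytes(b"hello")         # location only
    (root / "Admin" / "AppData" / "Local" / "Temp" / "setup.exe").write_bytes(b"xyz")  # neither
    return root


# Demo digest table so the constructed tree produces a match offline (sha256 of b"abc").
DEMO_KNOWN = {"sha256": {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad": "demo payload"}}

if __name__ == "__main__":
    for f in scan(build_demo_tree(), DEMO_KNOWN):
        print(f["path"], "->", "; ".join(f["reasons"]))
```

Against a real host the call is scan(r"C:\Users") with the default KNOWN_BAD table; a location-only hit is a lead to confirm with the Run key and ShowSuperHidden checks rather than a verdict on its own, since legitimate installers occasionally leave an executable there.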