0f8c1fde7835deb96a07cb49c5e9c4e6678376663988fcade656b69cb9ad8fe6

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 13:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
Size

73KB
MD5

80e1270ec98ef88546108876dc62e490
SHA1

405faa42a8f1aa30f725fa1085cbf37047aee980
SHA256

0f8c1fde7835deb96a07cb49c5e9c4e6678376663988fcade656b69cb9ad8fe6
SHA512

4ec8d110ee2df2f77f9c04a7eac9f9372f5a2ebddec4a61e1ac2902774911923839a7bf60a52d261a647477f069cc7e2e2e3c14208a52893dc567be33a0bdcbb
SSDEEP

1536:x3jgs+6phKAQx5c895P5Zxuyowea2eJYIuv1iahWuSxaqMXSmH:BTdphKRxR95P5Zhowea2yuv/hWuSxa9l

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	eanvearoh-uted.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	eanvearoh-uted.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	eanvearoh-uted.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	eanvearoh-uted.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42}\StubPath = "C:\\Windows\\system32\\ulgapox.exe"	eanvearoh-uted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42}	eanvearoh-uted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	eanvearoh-uted.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42}\IsInstalled = "1"	eanvearoh-uted.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	eanvearoh-uted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	eanvearoh-uted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\lvobok-eabid.exe"	eanvearoh-uted.exe

Executes dropped EXE 2 IoCs

pid	Process
2032	eanvearoh-uted.exe
2348	eanvearoh-uted.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	eanvearoh-uted.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	eanvearoh-uted.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	eanvearoh-uted.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	eanvearoh-uted.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	eanvearoh-uted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	eanvearoh-uted.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	eanvearoh-uted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	eanvearoh-uted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\uxgoateap.dll"	eanvearoh-uted.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lvobok-eabid.exe	eanvearoh-uted.exe
File created	C:\Windows\SysWOW64\uxgoateap.dll	eanvearoh-uted.exe
File opened for modification	C:\Windows\SysWOW64\eanvearoh-uted.exe	eanvearoh-uted.exe
File created	C:\Windows\SysWOW64\eanvearoh-uted.exe	80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\lvobok-eabid.exe	eanvearoh-uted.exe
File opened for modification	C:\Windows\SysWOW64\ulgapox.exe	eanvearoh-uted.exe
File created	C:\Windows\SysWOW64\ulgapox.exe	eanvearoh-uted.exe
File opened for modification	C:\Windows\SysWOW64\uxgoateap.dll	eanvearoh-uted.exe
File opened for modification	C:\Windows\SysWOW64\eanvearoh-uted.exe	80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2348	eanvearoh-uted.exe
2348	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe
2032	eanvearoh-uted.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	eanvearoh-uted.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2032	4956	80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe	84
PID 4956 wrote to memory of 2032	4956	80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe	84
PID 4956 wrote to memory of 2032	4956	80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe	84
PID 2032 wrote to memory of 2348	2032	eanvearoh-uted.exe	85
PID 2032 wrote to memory of 2348	2032	eanvearoh-uted.exe	85
PID 2032 wrote to memory of 2348	2032	eanvearoh-uted.exe	85
PID 2032 wrote to memory of 616	2032	eanvearoh-uted.exe	5
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56
PID 2032 wrote to memory of 3480	2032	eanvearoh-uted.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\80e1270ec98ef88546108876dc62e490_NeikiAnalytics.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\eanvearoh-uted.exe
    "C:\Windows\SysWOW64\eanvearoh-uted.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\eanvearoh-uted.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eanvearoh-uted.exe

Filesize
71KB

MD5
62a1c2e92143b04db8b04cba7de882ae

SHA1
0e7cde87e133f441b7d4a9fcca14f9403e854863

SHA256
c602983438e58f291ace2f8435783e664de934c8d14533cb078012e367bc11b9

SHA512
a0e05ae7d9bb6b48851f0851548c2e31fd918f2e6f6c6c5c696efe76df1bbf7af23705a682f301384c22ffc47e7a20536d87fc6e0473ce3cb8134b09822baad6

Download Submit
C:\Windows\SysWOW64\lvobok-eabid.exe

Filesize
74KB

MD5
24a184421bb37d4e24baca8517507dbe

SHA1
74c966068723441b417cf9cc229691b9b3d0a44f

SHA256
112d52a113724b7e0d896496fb3e66960963a9e7ab556fc8e34e276fa1d39f07

SHA512
1a6bc03bfe017914ff24e39837c6bc85d629e2327c983866450f7557765ba6d28aafe28965f5d1d260d0fb9f83870630ed93a5d6d6ef99eda18ec1f4bd8c971e

Download Submit
C:\Windows\SysWOW64\ulgapox.exe

Filesize
73KB

MD5
709fc01200dee0de75b2606bbe42777c

SHA1
a354eb6676fbbef9bfb002e049d8b1fe1d45bbde

SHA256
99b716862f075f955e50851baab7d43632c08b6aefcbd62deba8e1231ec4afb7

SHA512
9ac787187001b40b4f96d6eafe22088f13890fb40b73cecd8f37f942d9c89e3d9037ebd4a7aff87565a765842ab07ea631d18ff56c163c5cb21d1af62d012e6d

Download Submit
C:\Windows\SysWOW64\uxgoateap.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
memory/2032-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2348-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4956-2-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download