Malware Analysis Report

2024-11-16 13:21

Sample ID: 240614-dt777stbmd
Target: 9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe
SHA256: a6c5a0caf5181c086963405c8488ce2169adb6f3707d7bcdcad118f2f3dba932
Tags: evasion, persistence, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: a6c5a0caf5181c086963405c8488ce2169adb6f3707d7bcdcad118f2f3dba932

Threat Level: Known bad

The file 9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags: evasion, persistence, trojan

Windows security bypass

Modifies Installed Components in the registry

Sets file execution options in registry

Executes dropped EXE

Loads dropped DLL

Windows security modification

Modifies WinLogon

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-14 03:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 03:19

Reported: 2024-06-14 03:21

Platform: win10v2004-20240611-en

Max time kernel: 149s

Max time network: 96s

Command Line

winlogon.exe

Signatures

Windows security bypass

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Modifies Installed Components in the registry

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42} | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42}\IsInstalled = "1" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{544D5541-4342-4c42-544D-554143424c42}\StubPath = "C:\\Windows\\system32\\uhxoasoap.exe" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Sets file execution options in registry

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouvmutoog-umeas.exe" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Windows security modification

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Modifies WinLogon

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eadneahig.dll" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ouvmutoog-umeas.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File created | C:\Windows\SysWOW64\uhxoasoap.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File opened for modification | C:\Windows\SysWOW64\eadneahig.dll | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sradook-anoab.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sradook-anoab.exe | C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\sradook-anoab.exe | C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ouvmutoog-umeas.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File opened for modification | C:\Windows\SysWOW64\uhxoasoap.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File created | C:\Windows\SysWOW64\eadneahig.dll | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1848 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe | C:\Windows\SysWOW64\sradook-anoab.exe (3 identical entries)
PID 1792 wrote to memory of 616 | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | C:\Windows\system32\winlogon.exe
PID 1792 wrote to memory of 3424 | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | C:\Windows\Explorer.EXE (2 identical entries)
PID 1792 wrote to memory of 4412 | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | C:\Windows\SysWOW64\sradook-anoab.exe (3 identical entries)
PID 1792 wrote to memory of 3424 | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | C:\Windows\Explorer.EXE (55 identical entries)

Processes

Process | Command line
C:\Windows\system32\winlogon.exe | winlogon.exe
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\sradook-anoab.exe | "C:\Windows\system32\sradook-anoab.exe"
C:\Windows\SysWOW64\sradook-anoab.exe | --k33p

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | urieawj.mp | udp
US | 8.8.8.8:53 | urieawj.mp | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\sradook-anoab.exe

MD5: 9e342dc210b5f2e812ae8ceb6d7d2cc0
SHA1: becd9ccc3cd852779bb7b5d66bffe1408924c6f5
SHA256: a6c5a0caf5181c086963405c8488ce2169adb6f3707d7bcdcad118f2f3dba932
SHA512: ff31cbdef6247dbb110628af903a83dc73b9887f9332b0859c20047841bf7e06d4f8e78c090de6b1b4e765da1b212e1966df54bcd9bc832fe9a0811634d30850

memory/1848-5-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\uhxoasoap.exe

MD5: c6773424ce49b747108a6f731ffafe87
SHA1: 3178a71a8e8b59cf8c692d8fc17be384ac299409
SHA256: 7f0c8dda2ff2dbff4946b6b3e9dd4a169fcdd9af41002066cdf91629f4e3082e
SHA512: 70ee116edb648c812520eb771248288c4c61eab65b237f8cb6ef30b027b7d48e9b2409e516f5296e2272d6b2864d17553af4e2f925192deb80d93dda0fdcd52b

C:\Windows\SysWOW64\ouvmutoog-umeas.exe

MD5: 0687634ad6c8d381ad0042d05bb1937a
SHA1: 842d23d60751749aeb8ed1cc7fbb68de5debf1b4
SHA256: 4b8791e8f54f14d447992eeec0dd518b256dbf02190e48730852ab878a4efe1e
SHA512: f9786c755d980db204895c9e9a479c0c7279db3efb8349107176911f39c5606b51c80c175ca701d75af0a936ccab08442eb6ba0f01ba5baaa7913f754a8e17b8

C:\Windows\SysWOW64\eadneahig.dll

MD5: f37b21c00fd81bd93c89ce741a88f183
SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

memory/1792-49-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4412-50-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 03:19

Reported: 2024-06-14 03:21

Platform: win7-20240221-en

Max time kernel: 149s

Max time network: 142s

Command Line

winlogon.exe

Signatures

Windows security bypass

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Modifies Installed Components in the registry

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450} | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450}\IsInstalled = "1" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{495A4B43-4b4f-5450-495A-4B434B4F5450}\StubPath = "C:\\Windows\\system32\\uhxoasoap.exe" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Sets file execution options in registry

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ouvmutoog-umeas.exe" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Windows security modification

Tags: evasion, trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Modifies WinLogon

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eadneahig.dll" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\eadneahig.dll | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sradook-anoab.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ouvmutoog-umeas.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File opened for modification | C:\Windows\SysWOW64\uhxoasoap.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File created | C:\Windows\SysWOW64\ouvmutoog-umeas.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File created | C:\Windows\SysWOW64\uhxoasoap.exe | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File created | C:\Windows\SysWOW64\eadneahig.dll | C:\Windows\SysWOW64\sradook-anoab.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sradook-anoab.exe | C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\sradook-anoab.exe | C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\sradook-anoab.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe C:\Windows\SysWOW64\sradook-anoab.exe
PID 1972 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe C:\Windows\SysWOW64\sradook-anoab.exe
PID 1972 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe C:\Windows\SysWOW64\sradook-anoab.exe
PID 1972 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe C:\Windows\SysWOW64\sradook-anoab.exe
PID 2424 wrote to memory of 424 N/A C:\Windows\SysWOW64\sradook-anoab.exe C:\Windows\system32\winlogon.exe
PID 2424 wrote to memory of 1180 (2 identical entries) N/A C:\Windows\SysWOW64\sradook-anoab.exe C:\Windows\Explorer.EXE
PID 2424 wrote to memory of 2484 (4 identical entries) N/A C:\Windows\SysWOW64\sradook-anoab.exe C:\Windows\SysWOW64\sradook-anoab.exe
PID 2424 wrote to memory of 1180 (53 identical entries) N/A C:\Windows\SysWOW64\sradook-anoab.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9e342dc210b5f2e812ae8ceb6d7d2cc0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\sradook-anoab.exe

"C:\Windows\system32\sradook-anoab.exe"

C:\Windows\SysWOW64\sradook-anoab.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 msraetwkwkl.vg udp
DE 88.198.29.97:80 msraetwkwkl.vg tcp
US 8.8.8.8:53 utbidet-ugeas.biz udp
US 34.193.97.35:80 utbidet-ugeas.biz tcp
US 8.8.8.8:53 utbidet-ugeas.biz udp
N/A 127.0.0.1:80 tcp
US 44.208.124.139:80 utbidet-ugeas.biz tcp

Files

\Windows\SysWOW64\sradook-anoab.exe

MD5 9e342dc210b5f2e812ae8ceb6d7d2cc0
SHA1 becd9ccc3cd852779bb7b5d66bffe1408924c6f5
SHA256 a6c5a0caf5181c086963405c8488ce2169adb6f3707d7bcdcad118f2f3dba932
SHA512 ff31cbdef6247dbb110628af903a83dc73b9887f9332b0859c20047841bf7e06d4f8e78c090de6b1b4e765da1b212e1966df54bcd9bc832fe9a0811634d30850

memory/1972-9-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\SysWOW64\eadneahig.dll

MD5 f37b21c00fd81bd93c89ce741a88f183
SHA1 b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

C:\Windows\SysWOW64\ouvmutoog-umeas.exe

MD5 b6e74ea4e72e53bf2d26cbc33b73cc5a
SHA1 c7406efc27d93fa9379be8ccac7767530d3d743a
SHA256 538ec69e696bedb56394e00990b95a865b2e024cfd9183c8f46ed7d23d9fed94
SHA512 7577d1b0b4261505c309fc61e05a2df13f7d859cec5cb54d0e17ebbfe5630722ecd5b6aa477ce58d7cfe28355e521a264a8749cc6fcc6b75047e58a0bebeba16

C:\Windows\SysWOW64\uhxoasoap.exe

MD5 460050e7f46fb43afb29112080cb3c05
SHA1 5209beb8788213471e34f116e0a77831ef03d000
SHA256 33d24c308e2bf282da942472d85b82ef89a10b23f27414967d757d59dffb6e87
SHA512 1d5c738cb26238805b45c89fd76c4edafcd9d4c1b72d513e6871fc366624bda777d2b2e4f62acc5b25210352880e460659c4b06604dafc0ac987d9e975844ba6

memory/2424-55-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2484-56-0x0000000000400000-0x0000000000414000-memory.dmp