Analysis Overview
SHA256
9e942da3cd2a1870a5f5d0a6f9d6d9cc22e07bc709fce94f0474bb1c854a9d6d
Threat Level: Known bad
The file a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 05:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 05:17
Reported
2024-06-14 05:20
Platform
win7-20240611-en
Max time kernel
123s
Max time network
124s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@AE7916.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wtmps.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mscaps.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@AE7916.tmp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\"" | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\mscaps.exe | C:\Users\Admin\AppData\Local\Temp\wtmps.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscaps.exe | C:\Users\Admin\AppData\Local\Temp\wtmps.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000100054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = ca0031000000000000000000170061353064303132616163306236643661626634626233396333383037303631305f4e65696b69416e616c7974696373008c0008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000610035003000640030003100320061006100630030006200360064003600610062006600340062006200330039006300330038003000370030003600310030005f004e00650069006b00690041006e0061006c007900740069006300730000003e000000 | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@AE7916.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\@AE7916.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\@AE7916.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2880
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
C:\Users\Admin\AppData\Local\Temp\wtmps.exe
"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
C:\Windows\SysWOW64\mscaps.exe
"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
Files
\Users\Admin\AppData\Local\Temp\@AE7916.tmp.exe
| MD5 | fde49dd7a1774804d072059910528a8b |
| SHA1 | 1003c6ea0b7cafaef6b269db4f10a3288f780516 |
| SHA256 | e5c44214fc2e81606b6894484de59c3283a6c58ca8d2f87c0fa8d373930895eb |
| SHA512 | 140093719fdd15d75c7d3fe9714e3a7f98a0c210160e95082c93fe3c4a2e209b60e44ceeef096f308b4ba2c070d34a0150f72da5cf01d779af13eb003690b0a7 |
C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe
| MD5 | d262bba0662a92251adc01de82d15ebb |
| SHA1 | b19f26ad0523d4a2a87255e0b1cfb077693b50b5 |
| SHA256 | c5a2eae223748d9261fa273be0dd4a79e8ff5a9a65ae46d3161725472067b6ff |
| SHA512 | b3980fb641be55a248da0871b33791e4bda2976efd5ef2cc98822ac950646e92497c484a0a20949966e2490829faa0b75c9304d73ed93bc93b2061bef9a979ce |
\Users\Admin\AppData\Roaming\Temp\mydll.dll
| MD5 | 7ff15a4f092cd4a96055ba69f903e3e9 |
| SHA1 | a3d338a38c2b92f95129814973f59446668402a8 |
| SHA256 | 1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627 |
| SHA512 | 4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae |
memory/1652-9-0x0000000010000000-0x0000000010015000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Se7E46.tmp
| MD5 | be49ee9d1b6da594241ce3b7432c5d64 |
| SHA1 | d81e68b9bf84258af2e6b5595c4f5c8d53b9c901 |
| SHA256 | db66d62796ae12bf459e514f27bb1a0d416d804365f44e8ec53dd760e3f7b8b8 |
| SHA512 | 0c15d8d86e0dfccbcecd50b3dd5906f8f5b7c52511128d01be82b394ccb08ed85a486a101bbb5d992a688d1e62f21fda712daef1bf3a5ecba9aad152e47562f5 |
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat
| MD5 | d1073c9b34d1bbd570928734aacff6a5 |
| SHA1 | 78714e24e88d50e0da8da9d303bec65b2ee6d903 |
| SHA256 | b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020 |
| SHA512 | 4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f |
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat
| MD5 | f11e6ac7ac8a67a38adcbac3712f4d92 |
| SHA1 | ae44150c7ccd79ec23466b61a01f32163612e94f |
| SHA256 | a2e3658b782cad25387888c3150d4d367caa53dc0484199d6ddd4357ab52dc9b |
| SHA512 | bccf1b83ca6855f4fb783fe0d776a440724e3767e389317b003b2ebbc1d163206a598fb45b4f1a8a6f5f6d95706871af6b75fe55314637ace3918cc6506836e9 |
\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
| MD5 | e95760480a8710a64999a7cf2b391664 |
| SHA1 | 0cc178cb2a1d630ebb1f47ecd12282dc3ca038ae |
| SHA256 | ca1a6557e84f4882b9e8409d134606b8d1a5651db265c0c746a3fe3730c8e92e |
| SHA512 | 02fa873ad965c81eddd1d6372948d4de9719d6bb3256a03e70adf7ff4f58dab28ec4ea8c69c18bfed0653c61fd80ad9307ae770800e8452cfe8a25b4d895bd85 |
C:\Users\Admin\AppData\Local\Temp\tmp82B9.tmp
| MD5 | f558c76b0376af9273717fa24d99ebbf |
| SHA1 | f84bcece5c6138b62ef94e9d668cf26178ee14cc |
| SHA256 | 01631353726dc51bcea311dbc012572cf96775e516b1c79a2de572ef15954b7a |
| SHA512 | 2092d1e126d0420fec5fc0311d6b99762506563f4890e4049e48e2d87dde5ac3e2e2ecc986ab305de2c6ceb619f18879a69a815d3241ccf8140bc5ea00c6768d |
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat
| MD5 | aa4139784f4032414191f2c5c7c8b7e7 |
| SHA1 | 5b4d66a0c8aa1f93eb5aa4d739ea4fa346f83765 |
| SHA256 | 50ad75635eded642510d731fd1f7e60ccfa776fb24f8fd741eef920f59693a31 |
| SHA512 | ff02d4bf683ab14df996f38bfb00e17debe9ce829fd38c60c961ebc00272e2be88c971bfc0977d98cf451a23395819037904789d66c7523d9e57f0a555d608d4 |
\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
| MD5 | daac1781c9d22f5743ade0cb41feaebf |
| SHA1 | e2549eeeea42a6892b89d354498fcaa8ffd9cac4 |
| SHA256 | 6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c |
| SHA512 | 190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160 |
memory/684-281-0x0000000010000000-0x0000000010015000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat
| MD5 | 3ca08f080a7a28416774d80552d4aa08 |
| SHA1 | 0b5f0ba641204b27adac4140fd45dce4390dbf24 |
| SHA256 | 4e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0 |
| SHA512 | 0c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01 |
C:\Users\Admin\AppData\Local\Temp\wtmps.exe
| MD5 | 75c1467042b38332d1ea0298f29fb592 |
| SHA1 | f92ea770c2ddb04cf0d20914578e4c482328f0f8 |
| SHA256 | 3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373 |
| SHA512 | 5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0 |
C:\Windows\SysWOW64\mscaps.exe
| MD5 | 78d3c8705f8baf7d34e6a6737d1cfa18 |
| SHA1 | 9f09e248a29311dbeefae9d85937b13da042a010 |
| SHA256 | 2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905 |
| SHA512 | 9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609 |
C:\Users\Admin\AppData\Local\Temp\9260.tmp
| MD5 | 37512bcc96b2c0c0cf0ad1ed8cfae5cd |
| SHA1 | edf7f17ce28e1c4c82207cab8ca77f2056ea545c |
| SHA256 | 27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f |
| SHA512 | 6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 05:17
Reported
2024-06-14 05:20
Platform
win10v2004-20240611-en
Max time kernel
121s
Max time network
95s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\@AE5285.tmp.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@AE5285.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wtmps.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mscaps.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@AE5285.tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\"" | C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\mscaps.exe | C:\Users\Admin\AppData\Local\Temp\wtmps.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscaps.exe | C:\Users\Admin\AppData\Local\Temp\wtmps.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\@AE5285.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\@AE5285.tmp.exe"
C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2312
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
C:\Users\Admin\AppData\Local\Temp\wtmps.exe
"C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
C:\Windows\SysWOW64\mscaps.exe
"C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | windowsupdate.microsoft.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\@AE5285.tmp.exe
| MD5 | fde49dd7a1774804d072059910528a8b |
| SHA1 | 1003c6ea0b7cafaef6b269db4f10a3288f780516 |
| SHA256 | e5c44214fc2e81606b6894484de59c3283a6c58ca8d2f87c0fa8d373930895eb |
| SHA512 | 140093719fdd15d75c7d3fe9714e3a7f98a0c210160e95082c93fe3c4a2e209b60e44ceeef096f308b4ba2c070d34a0150f72da5cf01d779af13eb003690b0a7 |
C:\Users\Admin\AppData\Local\Temp\a50d012aac0b6d6abf4bb39c38070610_NeikiAnalytics.exe
| MD5 | d262bba0662a92251adc01de82d15ebb |
| SHA1 | b19f26ad0523d4a2a87255e0b1cfb077693b50b5 |
| SHA256 | c5a2eae223748d9261fa273be0dd4a79e8ff5a9a65ae46d3161725472067b6ff |
| SHA512 | b3980fb641be55a248da0871b33791e4bda2976efd5ef2cc98822ac950646e92497c484a0a20949966e2490829faa0b75c9304d73ed93bc93b2061bef9a979ce |
memory/4708-17-0x0000000010000000-0x0000000010015000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll
| MD5 | 8d7db101a7211fe3309dc4dc8cf2dd0a |
| SHA1 | 6c2781eadf53b3742d16dab2f164baf813f7ac85 |
| SHA256 | 93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a |
| SHA512 | 8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83 |
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat
| MD5 | d1073c9b34d1bbd570928734aacff6a5 |
| SHA1 | 78714e24e88d50e0da8da9d303bec65b2ee6d903 |
| SHA256 | b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020 |
| SHA512 | 4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f |
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat
| MD5 | a49a5e7276c6f584cc81f9386c2f5e85 |
| SHA1 | 04566e97023588d97112375a3dfd3b8b3d2cc124 |
| SHA256 | 12c61da567588ac997c099b93cc1d22d9d6834e0ee30fa59eedbfa855875b6d1 |
| SHA512 | 0dbf61ba47f133622fec68a7223274d30e191af3009a8103b9c41d0c9ac711731e2aa9aa2bb286ff7f77ca9668740145b5f0050522cb09b0afa715ed5120069e |
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
| MD5 | e0a8746f5623f32aea450d88534a8179 |
| SHA1 | 53daa19d23f47f214a1790f9532a1366c9c820e8 |
| SHA256 | b960aa7261ee2c00cfac488f10bcd2bd10f7a4f23bc234609cbecbdb8595fa8e |
| SHA512 | 20e8c8033dc0726ceceb444ba46e2e9c1f90c543af99f4a8e937be7ea726312656a59d921c41fd0ecb5f35f9f00c5677264023b2c399cc1936ce091c7e781f0c |
C:\Users\Admin\AppData\Local\Temp\tmp59D8.tmp
| MD5 | df2c63605573c2398d796370c11cb26c |
| SHA1 | efba97e2184ba3941edb008fcc61d8873b2b1653 |
| SHA256 | 07ffcde2097d0af67464907fec6a4079b92da11583013bae7d3313fa32312fe8 |
| SHA512 | d9726e33fcfa96415cc906bdb1b0e53eba674eaf30ed77d41d245c1c59aa53e222246f691d82fa3a45f049fbf23d441768f9da21370e489232770ad5ae91d32f |
C:\Users\Admin\AppData\Local\Temp\tmp5A08.tmp
| MD5 | 6f90e1169d19dfde14d6f753f06c862b |
| SHA1 | e9bca93c68d7df73d000f4a6e6eb73a343682ac5 |
| SHA256 | 70a392389aecd0f58251e72c3fd7e9159f481061d14209ff8708a0fd9ff584dc |
| SHA512 | f0c898222e9578c01ebe1befac27a3fb68d8fb6e76c7d1dec7a8572c1aa3201bacf1e69aa63859e95606790cf09962bcf7dc33b770a6846bed5bd7ded957b0b3 |
C:\Users\Admin\AppData\Local\Temp\tmp5A18.tmp
| MD5 | f558c76b0376af9273717fa24d99ebbf |
| SHA1 | f84bcece5c6138b62ef94e9d668cf26178ee14cc |
| SHA256 | 01631353726dc51bcea311dbc012572cf96775e516b1c79a2de572ef15954b7a |
| SHA512 | 2092d1e126d0420fec5fc0311d6b99762506563f4890e4049e48e2d87dde5ac3e2e2ecc986ab305de2c6ceb619f18879a69a815d3241ccf8140bc5ea00c6768d |
C:\Users\Admin\AppData\Local\Temp\tmp5A29.tmp
| MD5 | 02ae22335713a8f6d6adf80bf418202b |
| SHA1 | 4c40c11f43df761b92a5745f85a799db7b389215 |
| SHA256 | ae5697f849fa48db6d3d13455c224fcf6ceb0602a1e8ac443e211dd0f32d50f4 |
| SHA512 | 727d16102bfc768535b52a37e4e7b5d894f5daa268d220df108382c36dcce063afdbc31fd495a7a61305263ec4cd7e92713d894faa35b585c0b379217a1d929c |
C:\Users\Admin\AppData\Local\Temp\tmp5A2A.tmp
| MD5 | 09203a9741b91f3a9ed01c82dcb8778d |
| SHA1 | 13e6f3fb169cd6aa5e4d450417a7e15665a2e140 |
| SHA256 | 63149ad45db380f5dd15f65d9ceb2611d53a0a66e022483bee4ce2ff7d2610e2 |
| SHA512 | 9e9e6fe0dd713417d0e28ba787cf862d55ecda9ee9f3df1eada144657f6a3b6ada1984fd05a3fffcd597a9715383225a8e40b6e5d0d8d39ec0d3a64b8dea9846 |
C:\Users\Admin\AppData\Local\Temp\tmp5A3B.tmp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\tmp5A6B.tmp
| MD5 | 727d249fde8c7eaf5c6edb7e1a66a132 |
| SHA1 | 1edf420c80c5ee1997e4a2c1f42a7be1b259799c |
| SHA256 | a188a969de50b46195088581c04db89ecb3ae129a1d48f92a6f0278b69e12a27 |
| SHA512 | e9837bd462fcdb18ad54acf0982c3fe5e8f1acc6f90f92e632c58ee3df8063cc861655e14477713a4b8febb9f5f79bf069ae2bb788be401af3b2b15692ab621b |
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat
| MD5 | 5c7350118149549c7c01a3eef387f651 |
| SHA1 | c6fb92a957a493878e359c36879ea127938e02b0 |
| SHA256 | 62f6108497b76d7091804e9731397b15e2f31f201686c1224632133b2eb1a2d4 |
| SHA512 | e49173830f010a755d87aaff01b3e3d158550116873d2e5a36d91365109dea64f63e23e28d09c77a4ecc9b294a9c9e6de3b3a9c36bdbeca5a706d8111c095956 |
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
| MD5 | daac1781c9d22f5743ade0cb41feaebf |
| SHA1 | e2549eeeea42a6892b89d354498fcaa8ffd9cac4 |
| SHA256 | 6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c |
| SHA512 | 190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160 |
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat
| MD5 | 3ca08f080a7a28416774d80552d4aa08 |
| SHA1 | 0b5f0ba641204b27adac4140fd45dce4390dbf24 |
| SHA256 | 4e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0 |
| SHA512 | 0c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01 |
C:\Users\Admin\AppData\Local\Temp\wtmps.exe
| MD5 | 75c1467042b38332d1ea0298f29fb592 |
| SHA1 | f92ea770c2ddb04cf0d20914578e4c482328f0f8 |
| SHA256 | 3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373 |
| SHA512 | 5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0 |
C:\Windows\SysWOW64\mscaps.exe
| MD5 | 78d3c8705f8baf7d34e6a6737d1cfa18 |
| SHA1 | 9f09e248a29311dbeefae9d85937b13da042a010 |
| SHA256 | 2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905 |
| SHA512 | 9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609 |
C:\Users\Admin\AppData\Local\Temp\67D2.tmp
| MD5 | 37512bcc96b2c0c0cf0ad1ed8cfae5cd |
| SHA1 | edf7f17ce28e1c4c82207cab8ca77f2056ea545c |
| SHA256 | 27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f |
| SHA512 | 6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641 |