Analysis Overview
SHA256
116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226
Threat Level: Known bad
The file 116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Modifies visibility of hidden/system files in Explorer
Adds policy Run key to start application
Loads dropped DLL
Impair Defenses: Safe Mode Boot
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 21:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 21:19
Reported
2024-06-26 21:22
Platform
win10v2004-20240508-en
Max time kernel
122s
Max time network
96s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\windows\hosts.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\windows\hosts.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Windows\SysWOW64\REG.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\windows\hosts.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\windows\W_X_C.vbs | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| File created | \??\c:\windows\W_X_C.bat | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\windows\hosts.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
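The process list and signature tables above reduce to a handful of host telemetry conditions. The following is an example added by the editor, not output of the sandbox or code belonging to the sample: it runs detection rules for the behaviours recorded in behavioral2 over a constructed Sysmon-style event set (hand-built from the Processes and Signatures tables, plus two benign decoys that must not fire). Two points the rules account for: the WScript.exe and cmd.exe images are under SysWOW64 while their command lines name System32, which is WOW64 file-system redirection for a 32-bit parent, so matching is done on the image basename rather than the full path; and the "Checks computer location settings" hit is left out, because the Geo\Nation query is issued here by cmd.exe rather than the sample and is common in benign shells. ATT&CK IDs are the published ones for Safe Mode Boot impairment, Registry Run keys, hidden files, and the VBScript and cmd interpreters.

```python
"""Detection logic for the behaviours in this report, run over constructed
Sysmon-style events.  Editor-added example, not sandbox output: EVENTS is
hand-built from the behavioral2 Processes/Signatures tables plus two decoys."""
import re
from dataclasses import dataclass

SID = "S-1-5-21-4124900551-4068476067-3491212533-1000"  # user SID from the report
ADVANCED = "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\REG.exe",
     "cmdline": r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"},
    # Image is SysWOW64 although the command line says System32 (WOW64
    # redirection for a 32-bit parent), so rules key on the basename only.
    {"type": "process", "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat"},
    {"type": "reg_set", "data": "W_X_C.bat",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE"},
    {"type": "reg_set", "data": r"C:\Users\Admin\AppData\Local\Temp\avscan.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan"},
    {"type": "reg_set", "data": "1", "key": ADVANCED + r"\HideFileExt"},
    {"type": "reg_set", "data": "0", "key": ADVANCED + r"\ShowSuperHidden"},
    {"type": "reg_delete",
     "key": r"HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend"},
    # Constructed benign decoys: a user turning extensions back on, and a Run
    # entry under Program Files rather than a user's Temp directory.
    {"type": "reg_set", "data": "0", "key": ADVANCED + r"\HideFileExt"},
    {"type": "reg_set", "data": r"C:\Program Files\Example\updater.exe /background",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater"},
]

# reg.exe deleting anything at or below ...\Control\SafeBoot (T1562.009).
SAFEBOOT_CMD = re.compile(r"(?i)\breg(?:\.exe)?\s+delete\s+\S*\\control\\safeboot\b")
SAFEBOOT_KEY = re.compile(r"(?i)\\control\\safeboot(?:\\|$)")
# A script sitting directly in C:\Windows\ (not a subdirectory) being run.
WINDIR_SCRIPT = re.compile(r'(?i)c:\\windows\\[^\\"]+\.(?:vbs|vbe|js|bat|cmd)\b')
USER_TEMP = re.compile(r"(?i)\\appdata\\local\\temp\\")
SCRIPT_HOSTS = {"wscript.exe": "T1059.005", "cscript.exe": "T1059.005",
                "cmd.exe": "T1059.003"}


@dataclass(frozen=True)
class Finding:
    technique: str
    rule: str
    evidence: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Apply the rules to a list of event dicts and return Finding objects."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            exe, cmd = _basename(ev["image"]), ev["cmdline"]
            if exe == "reg.exe" and SAFEBOOT_CMD.search(cmd):
                findings.append(Finding("T1562.009", "safeboot_key_deleted", cmd))
            if exe in SCRIPT_HOSTS and WINDIR_SCRIPT.search(cmd):
                findings.append(Finding(SCRIPT_HOSTS[exe], "script_in_windows_root", cmd))
        elif kind == "reg_delete":
            if SAFEBOOT_KEY.search(ev["key"]):
                findings.append(Finding("T1562.009", "safeboot_key_deleted", ev["key"]))
        elif kind == "reg_set":
            key, data, low = ev["key"], ev["data"], ev["key"].lower()
            if "\\policies\\explorer\\run\\" in low:
                findings.append(Finding("T1547.001", "policy_run_key", f"{key} = {data}"))
            elif "\\currentversion\\run\\" in low and USER_TEMP.search(data):
                findings.append(Finding("T1547.001", "run_key_targets_user_temp",
                                        f"{key} = {data}"))
            elif low.endswith("\\explorer\\advanced\\hidefileext") and data == "1":
                findings.append(Finding("T1564.001", "hide_file_extensions", key))
            elif low.endswith("\\explorer\\advanced\\showsuperhidden") and data == "0":
                findings.append(Finding("T1564.001", "hide_system_files", key))
    return findings


def technique_counts(findings):
    """Histogram of ATT&CK technique IDs, sorted by ID."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    hits = analyse(EVENTS)
    for f in hits:
        print(f"{f.technique}  {f.rule:28} {f.evidence}")
    print(technique_counts(hits))
```

On the constructed set the rules raise eight findings and ignore both decoys; the two Safe Mode findings come from different vantage points (the reg.exe command line and the resulting key deletion), which is useful when only one of process-creation or registry auditing is enabled on a host.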
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\avscan.exe
| MD5 | 235a7cf05fdbf8e180fd10a026250010 |
| SHA1 | 4fc1e5466ed9f84cb177e51765f36a849a828f6d |
| SHA256 | 228fd3806c8bf9f6c017f61f48dca787844a8781ecaf69bd2770cd67b7bf39f7 |
| SHA512 | dd62a108df38cd542db4d2dca4654e7b3f2a6e5aabc17e61063b8b03f6805c9fbf33656fcbb0c4cabbc36f6450d56f2fc9d4978b76f9a1333c4983ad50dd210b |
C:\Windows\hosts.exe
| MD5 | 63974865ff2681c0eabaf0993bce6445 |
| SHA1 | 5744993b660e9f482fee520e044d4d04bb1fcd75 |
| SHA256 | b9a0a44aa5d7f6f34c6649e55ecc7815843942a7ee51a5e6d0154e899a7adc5d |
| SHA512 | d9593305e83f3e13218f87d22cdd8edef044362774399b5e3e568a3dc78480247d0a5f14114bb386a75ba5db5a58fe7468cedd8d6ff3005dc5e074859314eac8 |
\??\c:\windows\W_X_C.bat
| MD5 | 4db9f8b6175722b62ececeeeba1ce307 |
| SHA1 | 3b3ba8414706e72a6fa19e884a97b87609e11e47 |
| SHA256 | d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78 |
| SHA512 | 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b |
C:\Windows\W_X_C.vbs
| MD5 | 1b97fc0bf80f44c04514817b1c7449e7 |
| SHA1 | 1b32070bd87946ce42e7c3e49a47e282b2622852 |
| SHA256 | e756c1e489a198dd4dd1536efb045f4a14054e7902931f6af0cf13343f60cb4c |
| SHA512 | be89f25cf5ba8635dda55c20c249233c68a488d9a76f73f4a259dc994c26938b58a57b67f16d6ce477213b27f19bdc3ca6e43443925fa218f58418e128eb7fc2 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 21:19
Reported
2024-06-26 21:22
Platform
win7-20231129-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\windows\hosts.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\windows\hosts.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SCFGBRBT = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SCFGBRBT = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SCFGBRBT = "W_X_C.bat" | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Windows\SysWOW64\REG.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Windows\SysWOW64\REG.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\windows\hosts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\windows\W_X_C.vbs | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| File created | \??\c:\windows\W_X_C.bat | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| File opened for modification | C:\Windows\hosts.exe | C:\windows\hosts.exe | N/A |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\REG.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avscan.exe | N/A |
| N/A | N/A | C:\windows\hosts.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\116188f9ee4c70a7992b4945e85e7b1fb9bf1708b0128aacdc0d533cb0ffc226_NeikiAnalytics.exe"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Users\Admin\AppData\Local\Temp\avscan.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\windows\W_X_C.bat
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\windows\hosts.exe
C:\windows\hosts.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
C:\Windows\SysWOW64\REG.exe
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
Network
Files
\Users\Admin\AppData\Local\Temp\avscan.exe
| MD5 | 4b3e2636686e61a13fec3d0316334dae |
| SHA1 | 97a8ccc15223f35ce6f60f9d365076795f6bcdab |
| SHA256 | 18b5b07188152b7e7149cbf105334a64b08071aa620184395d5b119ef2a2cd09 |
| SHA512 | 9fde206dc34971ca76b076a0afbbe58b349fc74ad4bae1512025590229988d64c8281e9876435148e379c0221200dd72c021c02151d96bd7efc522087c0b967c |
C:\Windows\hosts.exe
| MD5 | 293394ad07858dfaf781659d8c4f14be |
| SHA1 | 46d4a2a7108b1ce1bb91bb34d3e9fe2668dc116b |
| SHA256 | ca5e52ba2cb916e2a72972c912293813cec277ed134eb6d1fdbd9512fcffce34 |
| SHA512 | 7a9bea0e9e45ee7a7aca0c0e01bfcd40d5c074484c77741e1975910ff5ca9fd8a72364546979aac310e6c4a67a8fb73e5ca3a174d949cacf9f7b05001fc7b221 |
\??\c:\windows\W_X_C.bat
| MD5 | 4db9f8b6175722b62ececeeeba1ce307 |
| SHA1 | 3b3ba8414706e72a6fa19e884a97b87609e11e47 |
| SHA256 | d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78 |
| SHA512 | 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b |
C:\Windows\W_X_C.vbs
| MD5 | 213eeee0bf55b5002060609a41f54dda |
| SHA1 | e4dcd3878c2ac69345e22c405dfe1035b6817dcd |
| SHA256 | 84e5623c8426cf9f7501e1fb0f83c4c3b1d55b56ea0502ef304fb711c84d42f2 |
| SHA512 | 5ce9e9e476998b84805d76f45fcc1422f777061f7338c01b4f4cae71c0d0265b6fa55dfffe2eb5c37bc796b9ae6455bcb6a992e43add400bbb75f5056e311c44 |
memory/2592-60-0x0000000000270000-0x0000000000280000-memory.dmp
memory/2592-59-0x0000000000270000-0x0000000000280000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 7671d3e8940305e96cad2c4ea9b61f0f |
| SHA1 | cbeae54174b41e35a6e711c4b014479d63f7e9ba |
| SHA256 | ae830846ce6cbdb6d68cb4432eccaa0db2893a582606d87948d43b329aacd89b |
| SHA512 | 50c1789ef28ab5da5c5603fbd1d627a4fa4a7eaa070b1f9cab3a6ecbd4ee0dedbba493f0c4d9127022549d3205bb649dec5928eae5cb581102b35ec96b328126 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 5f217d2815b075362da4483c942d8df3 |
| SHA1 | fdacd36faab4b43c48fe84d33bf772b4d28fa9c7 |
| SHA256 | ad615e54b6440a8679eb13cf88db7e370ce34c9ac6132570f5eee3a19823f825 |
| SHA512 | 6b75eff2dd2df4facb0eac84bd0d119097e905592ce155b6975a10be86ed00da38f211c4dd69d4c856611048e260d182f4ae4e1dc98d525b6cc9c6d2df7304b7 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | c7ab8442761528dd4dcbbbf0d6f59823 |
| SHA1 | f8c0e4599851b84f8ec9df677800f5609d811142 |
| SHA256 | a9d46091c4bc8c39e34484536986eb1549d69fd94ff0f9bb955f3fe160ee75bc |
| SHA512 | 674570c79e8b48e24c1f991ba341abd06b47c32d76485a8678cf230afdf32fb10d5c877ccb196ee7dc295e0f9d0f9c47049a74a1c974b65f40265b8108d9fe26 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | c42e232bd1cb2c4ff51bb58216c9e4e9 |
| SHA1 | 6da52b20873453d936e44ecc544f5485b5be25d9 |
| SHA256 | 699a1538b408cf204b0a504fc63dcfabb6e6a5b78e954b84b640b8d9f566baff |
| SHA512 | 7d59c15a455826ee7a96eb1fbd1136a9f9f69f57942a891943a3f250a3458f1df0726cc24d1eb57a1c3be974383c4eb9c32c334844d0fd891bdf50df7003cf61 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | a8b9850e60f66350788f7d42ac73fdee |
| SHA1 | d354e630a6324e8385c690c3735b5d3fd3bdd550 |
| SHA256 | ea7387ec25fe8318f5aa8126d32615bc093ea0060fca6ded042106f98853809d |
| SHA512 | 1c2547e8da376765afcc5d8d6332c3e4c7121e58fd72b8829890358a38627b0c01dfc43a70231c18e3040dc78dbd71ff8e81e1551b9dca27138795a07a006232 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 09f00f2ac97d9a188c478b0b1dfd6094 |
| SHA1 | 6956914cbdfe4ad56306af08d063fba6be211fad |
| SHA256 | b1b455ab79700039721a023fbe5ca631fcf582410c3de5aa48bce2d548d33ec8 |
| SHA512 | c8ddc3ca94ece619505277e18be4711b650250cd0a708990dd3f5728553305adf005afafbae9971457713529422b9c5a8fc4874a2adbf0f58e3f1bbbffa2b9d3 |
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
| MD5 | 99a6007dbc6b6fc316b971f271d70011 |
| SHA1 | 4a1dac7174b603e3c2e7b6f31a0eb449eaef0207 |
| SHA256 | 799024d27756a17905aef7303336c58850b95f868c3de92abe0d7653951ae65e |
| SHA512 | 26d5f3b00f8618585c364a99fc95012c394cd981931994c05cb0fa44e344910f44c4bbdff1f4c30c9c41dda72c09de582248a439d6fe5a6ad188313f47514083 |
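Comparing the Files sections of the two detonations shows which dropped artefacts are worth pivoting on. avscan.exe, hosts.exe and W_X_C.vbs carry different SHA-256 values on Win10 and Win7 (the .vbs changes along with the randomly named Policies\Explorer\Run value it writes, OBJIYUIE in one run and SCFGBRBT in the other), while W_X_C.bat is byte-identical in both. The following example was added by the editor and is not part of the report: it folds the report's path spellings onto one key and classifies each dropped file as stable or per-run, using only the hashes listed above.

```python
"""Cross-run comparison of dropped-file hashes from this report.  Editor-added
example; the SHA-256 values are copied from the two Files sections."""

RUNS = {
    "behavioral2 (win10v2004-20240508-en)": {
        r"C:\Users\Admin\AppData\Local\Temp\avscan.exe":
            "228fd3806c8bf9f6c017f61f48dca787844a8781ecaf69bd2770cd67b7bf39f7",
        r"C:\Windows\hosts.exe":
            "b9a0a44aa5d7f6f34c6649e55ecc7815843942a7ee51a5e6d0154e899a7adc5d",
        "\\??\\c:\\windows\\W_X_C.bat":
            "d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78",
        r"C:\Windows\W_X_C.vbs":
            "e756c1e489a198dd4dd1536efb045f4a14054e7902931f6af0cf13343f60cb4c",
    },
    "behavioral1 (win7-20231129-en)": {
        r"\Users\Admin\AppData\Local\Temp\avscan.exe":
            "18b5b07188152b7e7149cbf105334a64b08071aa620184395d5b119ef2a2cd09",
        r"C:\Windows\hosts.exe":
            "ca5e52ba2cb916e2a72972c912293813cec277ed134eb6d1fdbd9512fcffce34",
        "\\??\\c:\\windows\\W_X_C.bat":
            "d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78",
        r"C:\Windows\W_X_C.vbs":
            "84e5623c8426cf9f7501e1fb0f83c4c3b1d55b56ea0502ef304fb711c84d42f2",
    },
}


def normalise(path):
    """Fold the report's path variants onto one key: drop the NT \\??\\ prefix,
    restore a missing drive letter, lower-case everything."""
    p = path
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\"):
        p = "C:" + p
    return p.lower()


def classify(runs):
    """Per normalised path: distinct hashes, number of runs it appeared in, and
    whether it is stable (present in every run with a single hash)."""
    seen = {}
    for files in runs.values():
        for path, digest in files.items():
            seen.setdefault(normalise(path), []).append(digest)
    n_runs = len(runs)
    return {
        p: {"hashes": sorted(set(d)), "runs": len(d),
            "stable": len(d) == n_runs and len(set(d)) == 1}
        for p, d in sorted(seen.items())
    }


def stable_hashes(runs):
    """SHA-256 values that recurred unchanged in every run."""
    return sorted(h for info in classify(runs).values() if info["stable"]
                  for h in info["hashes"])


if __name__ == "__main__":
    for path, info in classify(RUNS).items():
        tag = "STABLE " if info["stable"] else "PER-RUN"
        print(f"{tag} {path}  ({len(info['hashes'])} hash(es) over {info['runs']} runs)")
    print("hash-blockable:", stable_hashes(RUNS))
```

Only the .bat hash survives across platforms, so a hash-based block on avscan.exe or hosts.exe would not carry over to the next detonation of this sample; the durable indicators here are the paths (C:\Windows\hosts.exe, %TEMP%\avscan.exe, C:\Windows\W_X_C.vbs and .bat), the Run\avscan value, the Policies\Explorer\Run value pointing at W_X_C.bat, and the REG DELETE of the SafeBoot key.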