Analysis
max time kernel: 143s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 08-05-2024 18:47

Behavioral task: behavioral1
Sample: 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
Resource: win7-20240221-en

General
Target: 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
Size: 255KB
MD5: 0e5276226b7f0b1c0f8234a9838b0480
SHA1: 9adfe2cfa57e6cc1b419e3db1767fcc1b4b29782
SHA256: 08085a4a594ffbbc757b4b83e1ee4810d813d1e78189b08c10f25d33c49c5045
SHA512: fcdc8d36d86b0e95f1e7a6678b0f3b162581e6f2cfbfc1a06a661721c61b9252c8ddacf2727b88b51e2ed700b7dea0c242026ecc4a3954b008720a1d0847aa3a
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJD:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIq
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rxrhhojrva.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rxrhhojrva.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rxrhhojrva.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rxrhhojrva.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rxrhhojrva.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rxrhhojrva.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rxrhhojrva.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rxrhhojrva.exe
Executes dropped EXE 5 IoCs
pid | Process
2068 | rxrhhojrva.exe
2572 | mjwteuireyshjla.exe
2632 | zeoylhsg.exe
2624 | jvxoabgvgiowf.exe
2448 | zeoylhsg.exe
Loads dropped DLL 5 IoCs
pid | Process
2988 | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
2988 | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
2988 | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
2988 | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
2068 | rxrhhojrva.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rxrhhojrva.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rxrhhojrva.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rxrhhojrva.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rxrhhojrva.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rxrhhojrva.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rxrhhojrva.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wjlkyxak = "rxrhhojrva.exe" | mjwteuireyshjla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nhhpeupj = "mjwteuireyshjla.exe" | mjwteuireyshjla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jvxoabgvgiowf.exe" | mjwteuireyshjla.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\n: zeoylhsg.exe File opened (read-only) \??\v: zeoylhsg.exe File opened (read-only) \??\u: rxrhhojrva.exe File opened (read-only) \??\j: zeoylhsg.exe File opened (read-only) \??\m: rxrhhojrva.exe File opened (read-only) \??\q: rxrhhojrva.exe File opened (read-only) \??\y: rxrhhojrva.exe File opened (read-only) \??\e: zeoylhsg.exe File opened (read-only) \??\r: zeoylhsg.exe File opened (read-only) \??\h: zeoylhsg.exe File opened (read-only) \??\t: zeoylhsg.exe File opened (read-only) \??\g: rxrhhojrva.exe File opened (read-only) \??\w: rxrhhojrva.exe File opened (read-only) \??\y: zeoylhsg.exe File opened (read-only) \??\p: rxrhhojrva.exe File opened (read-only) \??\s: rxrhhojrva.exe File opened (read-only) \??\v: rxrhhojrva.exe File opened (read-only) \??\m: zeoylhsg.exe File opened (read-only) \??\e: zeoylhsg.exe File opened (read-only) \??\j: rxrhhojrva.exe File opened (read-only) \??\o: rxrhhojrva.exe File opened (read-only) \??\x: zeoylhsg.exe File opened (read-only) \??\a: zeoylhsg.exe File opened (read-only) \??\i: rxrhhojrva.exe File opened (read-only) \??\z: rxrhhojrva.exe File opened (read-only) \??\l: zeoylhsg.exe File opened (read-only) \??\o: zeoylhsg.exe File opened (read-only) \??\o: zeoylhsg.exe File opened (read-only) \??\v: zeoylhsg.exe File opened (read-only) \??\g: zeoylhsg.exe File opened (read-only) \??\u: zeoylhsg.exe File opened (read-only) \??\k: rxrhhojrva.exe File opened (read-only) \??\a: zeoylhsg.exe File opened (read-only) \??\n: zeoylhsg.exe File opened (read-only) \??\p: zeoylhsg.exe File opened (read-only) \??\i: zeoylhsg.exe File opened (read-only) \??\y: zeoylhsg.exe File opened (read-only) \??\i: zeoylhsg.exe File opened (read-only) \??\j: zeoylhsg.exe File opened (read-only) \??\m: zeoylhsg.exe File opened (read-only) \??\z: zeoylhsg.exe File opened (read-only) \??\q: zeoylhsg.exe File opened (read-only) \??\s: zeoylhsg.exe File opened (read-only) \??\b: rxrhhojrva.exe File 
opened (read-only) \??\x: rxrhhojrva.exe File opened (read-only) \??\h: zeoylhsg.exe File opened (read-only) \??\t: zeoylhsg.exe File opened (read-only) \??\u: zeoylhsg.exe File opened (read-only) \??\b: zeoylhsg.exe File opened (read-only) \??\k: zeoylhsg.exe File opened (read-only) \??\p: zeoylhsg.exe File opened (read-only) \??\w: zeoylhsg.exe File opened (read-only) \??\k: zeoylhsg.exe File opened (read-only) \??\r: zeoylhsg.exe File opened (read-only) \??\a: rxrhhojrva.exe File opened (read-only) \??\l: rxrhhojrva.exe File opened (read-only) \??\g: zeoylhsg.exe File opened (read-only) \??\s: zeoylhsg.exe File opened (read-only) \??\w: zeoylhsg.exe File opened (read-only) \??\l: zeoylhsg.exe File opened (read-only) \??\q: zeoylhsg.exe File opened (read-only) \??\x: zeoylhsg.exe File opened (read-only) \??\n: rxrhhojrva.exe File opened (read-only) \??\z: zeoylhsg.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rxrhhojrva.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rxrhhojrva.exe
AutoIT Executable 53 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\jvxoabgvgiowf.exe | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\rxrhhojrva.exe | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\mjwteuireyshjla.exe | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
File created | C:\Windows\SysWOW64\zeoylhsg.exe | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\zeoylhsg.exe | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
File created | C:\Windows\SysWOW64\jvxoabgvgiowf.exe | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
File created | C:\Windows\SysWOW64\rxrhhojrva.exe | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
File created | C:\Windows\SysWOW64\mjwteuireyshjla.exe | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rxrhhojrva.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | zeoylhsg.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | zeoylhsg.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | zeoylhsg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | zeoylhsg.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | zeoylhsg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | zeoylhsg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | zeoylhsg.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | zeoylhsg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | zeoylhsg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | zeoylhsg.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | zeoylhsg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | zeoylhsg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | zeoylhsg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | zeoylhsg.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet 
Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 
7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" 
WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" rxrhhojrva.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc rxrhhojrva.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" rxrhhojrva.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg rxrhhojrva.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC6791593DBC2B8C17FE1EC9E34BC" 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FABEFE6AF2E283753A4486EB3E93B08A03FD42120348E1C442EC08D2" 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2540 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2632 zeoylhsg.exe 2632 zeoylhsg.exe 2632 zeoylhsg.exe 2632 zeoylhsg.exe 2068 rxrhhojrva.exe 2068 rxrhhojrva.exe 2068 rxrhhojrva.exe 2068 rxrhhojrva.exe 2068 rxrhhojrva.exe 2572 mjwteuireyshjla.exe 2572 mjwteuireyshjla.exe 2572 mjwteuireyshjla.exe 2572 mjwteuireyshjla.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2448 zeoylhsg.exe 2448 zeoylhsg.exe 2448 zeoylhsg.exe 2448 zeoylhsg.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2572 mjwteuireyshjla.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2572 mjwteuireyshjla.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2632 zeoylhsg.exe 2632 zeoylhsg.exe 2632 zeoylhsg.exe 2068 rxrhhojrva.exe 2068 rxrhhojrva.exe 2068 rxrhhojrva.exe 2572 mjwteuireyshjla.exe 2572 mjwteuireyshjla.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2448 zeoylhsg.exe 2448 zeoylhsg.exe 2448 zeoylhsg.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 2632 zeoylhsg.exe 2632 zeoylhsg.exe 2632 zeoylhsg.exe 2068 rxrhhojrva.exe 2068 rxrhhojrva.exe 2068 rxrhhojrva.exe 2572 mjwteuireyshjla.exe 2572 mjwteuireyshjla.exe 2572 mjwteuireyshjla.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2624 jvxoabgvgiowf.exe 2448 zeoylhsg.exe 2448 zeoylhsg.exe 2448 zeoylhsg.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2540 WINWORD.EXE 2540 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target
PID 2988 wrote to memory of 2068 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 28
PID 2988 wrote to memory of 2068 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 28
PID 2988 wrote to memory of 2068 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 28
PID 2988 wrote to memory of 2068 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 28
PID 2988 wrote to memory of 2572 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 29
PID 2988 wrote to memory of 2572 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 29
PID 2988 wrote to memory of 2572 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 29
PID 2988 wrote to memory of 2572 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 29
PID 2988 wrote to memory of 2632 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 30
PID 2988 wrote to memory of 2632 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 30
PID 2988 wrote to memory of 2632 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 30
PID 2988 wrote to memory of 2632 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 30
PID 2988 wrote to memory of 2624 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 31
PID 2988 wrote to memory of 2624 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 31
PID 2988 wrote to memory of 2624 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 31
PID 2988 wrote to memory of 2624 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 31
PID 2068 wrote to memory of 2448 2068 rxrhhojrva.exe 32
PID 2068 wrote to memory of 2448 2068 rxrhhojrva.exe 32
PID 2068 wrote to memory of 2448 2068 rxrhhojrva.exe 32
PID 2068 wrote to memory of 2448 2068 rxrhhojrva.exe 32
PID 2988 wrote to memory of 2540 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 33
PID 2988 wrote to memory of 2540 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 33
PID 2988 wrote to memory of 2540 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 33
PID 2988 wrote to memory of 2540 2988 0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe 33
PID 2540 wrote to memory of 1512 2540 WINWORD.EXE 36
PID 2540 wrote to memory of 1512 2540 WINWORD.EXE 36
PID 2540 wrote to memory of 1512 2540 WINWORD.EXE 36
PID 2540 wrote to memory of 1512 2540 WINWORD.EXE 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe "C:\Users\Admin\AppData\Local\Temp\0e5276226b7f0b1c0f8234a9838b0480_NEIKI.exe" (level 1)
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\rxrhhojrva.exe rxrhhojrva.exe (level 2)
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\zeoylhsg.exe C:\Windows\system32\zeoylhsg.exe (level 3)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2448
C:\Windows\SysWOW64\mjwteuireyshjla.exe mjwteuireyshjla.exe (level 2)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2572
C:\Windows\SysWOW64\zeoylhsg.exe zeoylhsg.exe (level 2)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2632
C:\Windows\SysWOW64\jvxoabgvgiowf.exe jvxoabgvgiowf.exe (level 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2624
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" (level 2)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 (level 3)
PID:1512
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Defense Evasion
Hide Artifacts (2)
Hidden Files and Directories (2)
Impair Defenses (2)
Disable or Modify Tools (2)
Modify Registry (7)
Downloads