Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 00:13
Behavioral task: behavioral1
- Sample: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
- Resource: win10v2004-20240508-en
General
- Target: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
- Size: 325KB
- MD5: a8ac1f973938ecb9b7832ac95fd68eb0
- SHA1: fd15b5427c6989e48fa2df1fffd5ac11d47dd05c
- SHA256: 78a3044f9bffa84a69b377fce8d6645371206de8e3231dcbb80dd9094cfca7b2
- SHA512: adab0ba5067d31937c0e2d1c48690af097e97bd7bb51441119661d4a2ebee3106dbd29e356a194307573b49b21905dd01bdb07c9a0b834c9e74162a03f6d95c7
- SSDEEP: 3072:pMMME7GW5Lxxu6IfozESZRusvPViND/V//nTPw1bhE8Ph4arLXWoqhBzvJFJ/wK2:7G8I6FBcR1nrwzEqhTLOX+
Malware Config
Signatures
- YARA rule match
  resource: behavioral1/files/0x000800000001611e-8.dat
  yara_rule: aspack_v212_v242
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"
  Process: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
- Drops autorun.inf file (1 TTP, 1 IoC)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
  Process: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
  Process: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1708: a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8ac1f973938ecb9b7832ac95fd68eb0_NEIKI.exe"
  PID: 1708
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 650KB
  MD5: 6679b00cdba89ecfe0377f9582a149d5
  SHA1: 295403a27ee3dac726f995dc0904dadc91730b4b
  SHA256: 76b1927cb496ac14e1c1295e824f445ee07a883c3e684352f484e91236ae9e83
  SHA512: e9906d34169d6f6e2e77b4c9eaf8557f3c626b996a46a34b1f811b8eb05db99da89ff932d71c7185ce187e4ffce7525460962610ed18d6e541e4a54e221f6e80