Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 01:49

Static task: static1
Behavioral task: behavioral1
  Sample: c4d259833cc9e192e355c281ed6b9720_NEIKI.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: c4d259833cc9e192e355c281ed6b9720_NEIKI.exe
  Resource: win10v2004-20240426-en

The signatures and process tree below are from the behavioral2 run (Windows 10 2004 x64).

General

Target: c4d259833cc9e192e355c281ed6b9720_NEIKI.exe
Size: 80KB
MD5: c4d259833cc9e192e355c281ed6b9720
SHA1: 3a397aff1b3742097046e516ba43f17843036850
SHA256: ce7296b33e2de1a6a0a76a14f0c1ad16c3b811764197f4677e1b2f8d169b5374
SHA512: 3104276a6fc74fa5627dfa06bab9cbea37a3c763add187cea5c82d9a3c4250158185e4d5ec1bdf98c6716b4a22a8162a5467cfe12b171677f399b5046fee7a54
SSDEEP: 1536:5vvMoORizUPliPsm/gL16ZpQGh6MgHN+PhuLGR/11:RvxOMUMPsgQvTMY+PhGGR/11
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
Both values are written by the sample (c4d259833cc9e192e355c281ed6b9720_NEIKI.exe) and by each of its dropped copies: smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe. Note that the sample is 32-bit, so the writes land in the WOW6432Node view of the Winlogon key; the 64-bit winlogon.exe reads the native key, so on this x64 image these two entries are likely inert, unlike the WOW6432Node Run value below, which Explorer does process.
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\j6275522.exe"
    by all eight processes listed above
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\o4275527.exe\""
    by all eight processes listed above

Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
    by c4d259833cc9e192e355c281ed6b9720_NEIKI.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
    by c4d259833cc9e192e355c281ed6b9720_NEIKI.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe

Adds policy Run key to start application (2 TTPs, 18 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
    by c4d259833cc9e192e355c281ed6b9720_NEIKI.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
    by c4d259833cc9e192e355c281ed6b9720_NEIKI.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\f1464Adm = "\"C:\\Users\\Admin\\AppData\\Local\\dv692700x\\yesbron.com\""
    by c4d259833cc9e192e355c281ed6b9720_NEIKI.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\N4353c = "\"C:\\Windows\\_default27552.pif\""
    by c4d259833cc9e192e355c281ed6b9720_NEIKI.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
  (The Policies key is not WOW64-redirected, which is why this machine-wide value sits in the native path while the Run and Winlogon values sit under WOW6432Node.)

Disables RegEdit via registry modification (8 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
    by c4d259833cc9e192e355c281ed6b9720_NEIKI.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
Drops file in Drivers directory (1 IoC)
  File opened for modification C:\Windows\system32\drivers\etc\hosts
    by csrss.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation
    by c4d259833cc9e192e355c281ed6b9720_NEIKI.exe, smss.exe, winlogon.exe, lsass.exe

Executes dropped EXE (7 IoCs)
  PID 2768  smss.exe
  PID 1004  winlogon.exe
  PID 2364  services.exe
  PID 1440  csrss.exe
  PID 928   lsass.exe
  PID 3920  qm4623.exe
  PID 384   m4623.exe

Adds Run key to start application (2 TTPs, 16 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N4353c = "\"C:\\Windows\\j6275522.exe\""
    by c4d259833cc9e192e355c281ed6b9720_NEIKI.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1464Adm = "\"C:\\Windows\\system32\\s4827\\zh59927084y.exe\""
    by c4d259833cc9e192e355c281ed6b9720_NEIKI.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe, m4623.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\E: and \??\G: through \??\Z: (21 drive roots)
    by lsass.exe
Drops file in System32 directory (64 IoCs, the sandbox's display cap)
Events grouped by path. "the sample" is c4d259833cc9e192e355c281ed6b9720_NEIKI.exe; "all eight" means the sample plus smss.exe, winlogon.exe, services.exe, csrss.exe, lsass.exe, qm4623.exe and m4623.exe.
  C:\Windows\SysWOW64\s4827 (drop folder)
    opened for modification by all eight
  C:\Windows\SysWOW64\s4827\smss.exe
    created by the sample, smss.exe, winlogon.exe, services.exe, csrss.exe, m4623.exe
    opened for modification by all eight
  C:\Windows\SysWOW64\s4827\winlogon.exe
    created by smss.exe; opened for modification by winlogon.exe
  C:\Windows\SysWOW64\s4827\services.exe
    created and opened for modification by winlogon.exe
  C:\Windows\SysWOW64\s4827\csrss.exe
    created and opened for modification by winlogon.exe
  C:\Windows\SysWOW64\s4827\lsass.exe
    created and opened for modification by winlogon.exe
  C:\Windows\SysWOW64\s4827\m4623.exe
    created by winlogon.exe
  C:\Windows\SysWOW64\s4827\zh59927084y.exe
    created by the sample, m4623.exe
    opened for modification by all eight
  C:\Windows\SysWOW64\s4827\zh59927084y.exemsatr.bin
    created and opened for modification by smss.exe
  C:\Windows\SysWOW64\s4827\domlist.txt
    created by cmd.exe (redirected output of net view /domain, see the process tree); opened for modification by lsass.exe
  C:\Windows\SysWOW64\s4827\c.bron.tok.txt
    created by lsass.exe
  C:\Windows\SysWOW64\s4827\Spread.Mail.Bro\[email protected]
    created by services.exe (the file name is rendered as "[email protected]" in the extracted page)
  C:\Windows\SysWOW64\c_27552k.com
    created by the sample; opened for modification by all eight
  C:\Windows\SysWOW64\msvbvm60.dll (Visual Basic 6 runtime)
    opened for modification by all eight

Drops file in Windows directory (33 IoCs)
  C:\Windows\o4275527.exe (the Winlogon Shell target)
    created by the sample, m4623.exe
    opened for modification by all eight
  C:\Windows\j6275522.exe (the Userinit and HKLM Run target)
    created by the sample
    opened for modification by all eight
  C:\Windows\_default27552.pif (the HKLM policy Run target)
    created by the sample, qm4623.exe, m4623.exe
    opened for modification by all eight
  C:\Windows\Ad10218 (folder)
    opened for modification by winlogon.exe
  C:\Windows\Ad10218\qm4623.exe
    created and opened for modification by winlogon.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Discovers systems in the same network (1 TTP, 1 IoC)
  PID 3980  net.exe

Modifies registry class (1 IoC)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
    by c4d259833cc9e192e355c281ed6b9720_NEIKI.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1004  winlogon.exe (all 64 hits are this one process)

Suspicious use of WriteProcessMemory (36 IoCs)
The sandbox records each parent-to-child write three times; the unique pairs are listed once. Format: source PID and process -> target PID (process-tree index).
  3632 c4d259833cc9e192e355c281ed6b9720_NEIKI.exe -> 2768 (86)
  2768 smss.exe -> 1004 (92)
  1004 winlogon.exe -> 2364 (97), 1440 (99), 928 (101), 3920 (103), 384 (105), 1488 (107), 4728 (110), 1804 (112)
  928 lsass.exe -> 1956 (118)
  1956 cmd.exe -> 3980 (120)
Processes

Process tree from the behavioral2 run; nesting shows parent/child, "cmd:" is the recorded command line. The command lines name C:\Windows\system32\s4827\..., while the images actually run from C:\Windows\SysWOW64\s4827\...: the sample is 32-bit, so file system redirection maps its system32 paths onto SysWOW64.

C:\Users\Admin\AppData\Local\Temp\c4d259833cc9e192e355c281ed6b9720_NEIKI.exe (PID 3632)
cmd: "C:\Users\Admin\AppData\Local\Temp\c4d259833cc9e192e355c281ed6b9720_NEIKI.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\s4827\smss.exe (PID 2768)
  cmd: "C:\Windows\system32\s4827\smss.exe" ~Brontok~Log~
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\s4827\winlogon.exe (PID 1004)
    cmd: "C:\Windows\system32\s4827\winlogon.exe" ~Brontok~Is~The~Best~
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\s4827\services.exe (PID 2364)
      cmd: "C:\Windows\system32\s4827\services.exe" ~Brontok~Serv~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory

      C:\Windows\SysWOW64\s4827\csrss.exe (PID 1440)
      cmd: "C:\Windows\system32\s4827\csrss.exe" ~Brontok~SpreadMail~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory

      C:\Windows\SysWOW64\s4827\lsass.exe (PID 928)
      cmd: "C:\Windows\system32\s4827\lsass.exe" ~Brontok~Network~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1956)
        cmd: "C:\Windows\System32\cmd.exe" /c net view /domain > "C:\Windows\system32\s4827\domlist.txt"
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net.exe (PID 3980)
          cmd: net view /domain
          - Discovers systems in the same network

      C:\Windows\Ad10218\qm4623.exe (PID 3920)
      cmd: "C:\Windows\Ad10218\qm4623.exe" ~Brontok~Back~Log~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory

      C:\Windows\SysWOW64\s4827\m4623.exe (PID 384)
      cmd: "C:\Windows\system32\s4827\m4623.exe" ~Brontok~Back~Log~
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory

      C:\Windows\SysWOW64\at.exe (PID 1488)
      cmd: "C:\Windows\System32\at.exe" /delete /y

      C:\Windows\SysWOW64\at.exe (PID 4728)
      cmd: "C:\Windows\System32\at.exe" 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"

      C:\Windows\SysWOW64\at.exe (PID 1804)
      cmd: "C:\Windows\System32\at.exe" 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Local\jalak-93927015-bali.com"

The three at.exe invocations (all children of winlogon.exe, PID 1004) first clear every existing at job, then schedule a .com file directly under the user's %LOCALAPPDATA% to run daily at 17:08 and 11:03. No signature fires on these three processes, so they are easy to overlook when reading only the signature list.
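The following triage script is an added example for this report; it is not code from the Triage page, nor from the sample. It checks a host for the persistence and tampering recorded above: the Winlogon Userinit/Shell values in both registry views, the Run and Policies\Explorer\Run values, the DisableRegistryTools, HideFileExt and ShowSuperHidden settings, active hosts-file lines, copies of system-process names in a subfolder of System32/SysWOW64, and scheduled tasks whose action is a .com/.pif or a file directly under %LOCALAPPDATA% (the at.exe jobs above). Registry paths and file names follow the report; the "SUSPECT" heuristics generalise this sample's naming (a digits-named drop folder under SysWOW64, .com/.pif autostarts, an executable directly under C:\Windows) and are assumptions, not Windows rules, so every hit needs review.

```powershell
# Added example for this report (not code from the Triage page or from the sample).
# Run from an elevated PowerShell 5.1+ session on a suspect Windows 10 x64 host.
# "SUSPECT" heuristics are assumptions generalised from this sample's naming.

function Invoke-BrontokTriage {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Winlogon Userinit / Shell. The 32-bit sample wrote the WOW6432Node view,
    #    so inspect both views; only userinit.exe and explorer.exe are expected.
    $expectedUserinit = "$env:SystemRoot\system32\userinit.exe"
    $winlogonKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $winlogonKeys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        # Userinit is a comma-separated list; anything besides userinit.exe is a finding.
        $entries = ([string]$p.Userinit).Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($e in $entries) {
            if ($e -ine $expectedUserinit) { $findings.Add("SUSPECT Userinit entry in ${key}: $e") }
        }
        if ($p.Shell -and ([string]$p.Shell -ine 'explorer.exe')) {
            $findings.Add("SUSPECT Shell in ${key}: $($p.Shell)")
        }
    }

    # 2. Run and Policies\Explorer\Run values (HKLM in both views, plus the current user).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        foreach ($prop in $p.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, ...
            $cmd = [string]$prop.Value
            # Heuristic (assumption): drop folder like SysWOW64\s4827, .com/.pif targets,
            # or an executable placed directly under C:\Windows, as this sample does.
            $suspect = (($cmd -match '\\SysWOW64\\[A-Za-z]?\d{3,}\\') -or
                        ($cmd -match '\.(com|pif)"?\s*$') -or
                        ($cmd -match '\\Windows\\[^\\]+\.exe"?\s*$'))
            $tag = if ($suspect) { 'SUSPECT' } else { 'info' }
            $findings.Add("$tag autostart ${key}\$($prop.Name) = $cmd")
        }
    }

    # 3. User-facing tampering. HideFileExt=1 and ShowSuperHidden=0 are also the
    #    Windows defaults, so they are reported as informational only.
    $policy = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $drt = (Get-ItemProperty -Path $policy -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($drt -eq 1) { $findings.Add("SUSPECT DisableRegistryTools = 1 under $policy") }
    $adv = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($adv.HideFileExt -eq 1)     { $findings.Add('info HideFileExt = 1 (extensions hidden; default, but forced by this sample)') }
    if ($adv.ShowSuperHidden -eq 0) { $findings.Add('info ShowSuperHidden = 0 (protected OS files hidden; default, but forced by this sample)') }

    # 4. hosts file (csrss.exe opened it for modification): list every active line.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hosts) {
        Get-Content -Path $hosts | Where-Object { $_ -match '^\s*[^#\s]' } |
            ForEach-Object { $findings.Add("info hosts entry: $($_.Trim())") }
    }

    # 5. System-process names inside a subfolder of System32/SysWOW64; the genuine
    #    smss/winlogon/csrss/lsass/services binaries live only in System32 itself.
    $sysNames = @('smss.exe', 'winlogon.exe', 'csrss.exe', 'lsass.exe', 'services.exe')
    foreach ($root in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        foreach ($dir in (Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue)) {
            Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue |
                Where-Object { $sysNames -contains $_.Name } |
                ForEach-Object { $findings.Add("SUSPECT masquerading binary: $($_.FullName)") }
        }
    }

    # 6. Scheduled tasks. The sample used at.exe to run a .com directly under
    #    %LOCALAPPDATA% twice a day; at.exe jobs are ordinary tasks, so check every action.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            $exe = [string]$a.Execute
            if ($exe -and (($exe -match '\.(com|pif)$') -or ($exe -match '\\AppData\\Local\\[^\\]+$'))) {
                $findings.Add("SUSPECT task $($task.TaskPath)$($task.TaskName) runs $exe $($a.Arguments)")
            }
        }
    }
    return $findings.ToArray()
}

$result = @(Invoke-BrontokTriage)
if ($result.Count -eq 0) { 'No Brontok-style indicators found' } else { $result }
```

HKCU only covers the account the script runs as; for other profiles load their NTUSER.DAT under HKU (or walk the existing HKU:\S-1-5-21-* hives) and substitute those paths for the HKCU ones. Step 1 deliberately reports Userinit/Shell entries from the WOW6432Node view even though the 64-bit winlogon.exe reads the native key: an inert entry still tells you the host was touched, and the same sample also writes the WOW6432Node Run value, which Explorer does honour.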
Network
MITRE ATT&CK Enterprise v15 (counts are the number of matching signatures)

Persistence
  Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 2
    Winlogon Helper DLL (T1547.004): 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547): 3
    Registry Run Keys / Startup Folder (T1547.001): 2
    Winlogon Helper DLL (T1547.004): 1
Defense Evasion
  Hide Artifacts (T1564): 2
    Hidden Files and Directories (T1564.001): 2
  Modify Registry (T1112): 5
Downloads (dropped files)

1. Size: 80KB
   MD5: 1ce42d1a59a4570d1225bd80432e137f
   SHA1: 4bc0de9d538464eff084c8e65264e6c6b8a06143
   SHA256: a4f785dff951e4978f122992ec4b86201746de755dcec4deadd7393e73e78235
   SHA512: 5462074e58f90929f481e41932adb16546b5a917d9ef241e3bfd4a9bf9ebf460fc470676f03bcdd9c206d3ee0a80e461d29e35e55fb9642979f5d557b155dc27

2. Size: 80KB (identical to the submitted sample: the worm copies itself unchanged)
   MD5: c4d259833cc9e192e355c281ed6b9720
   SHA1: 3a397aff1b3742097046e516ba43f17843036850
   SHA256: ce7296b33e2de1a6a0a76a14f0c1ad16c3b811764197f4677e1b2f8d169b5374
   SHA512: 3104276a6fc74fa5627dfa06bab9cbea37a3c763add187cea5c82d9a3c4250158185e4d5ec1bdf98c6716b4a22a8162a5467cfe12b171677f399b5046fee7a54

3. Size: 80KB
   MD5: ab593cc22a80b1859cee5a59d3b3e92e
   SHA1: fef567c8cfa39a91094dd9f316e93fe721fec2d5
   SHA256: cc0cccd8cd581baa86565cff3fbe45c370ef3a58acb45209e5d1680ee8d4e597
   SHA512: 7ecf8307774c0d72edbf4ce20647f46fa474129b9685b671078c8f56ee09a0d8806508aad0773a4974fc358e8d666195dd7756e844f436535e8c45550fab5a1a

4. Size: 80KB
   MD5: 7d2c998edb9d07c9a3653c5f619c8471
   SHA1: 176306d82f01ee3e6b09917dac0666417f984dac
   SHA256: 1bb6fc30668241aac7a78c396a32c3f7c55863e0271d667020cae460e1c7b79c
   SHA512: 6f842c6ad7d57efc0858133614f0e545125ae7e9bc9111b712062336ad36dca079899fea8e780ddff9e43ba6ffa9181d4934cda26cc0292c07fb78e5ee8fa72b

5. Size: 80KB
   MD5: dc28fe979101da58701a7e330b55312e
   SHA1: 30a8c5d46889e0c23dc228982dc7588e44cb3f88
   SHA256: fbb965556b7c653e099c2ca32a2e4024873d76ead83373fe9d01aa1cd21ab08f
   SHA512: 63a86a462e59a5a4b00b9f4484d015abf8efdb61067f39039f8290d2298d49458c289dce378551fe1d825a3b084ece8489045cd3164b9a42de18ac9540947a01

All five dropped files are the same size as the submitted sample but (apart from entry 2) hash differently, so block-listing the submitted hashes alone will not catch the copies this worm writes; the file paths, registry values and task names above are the more durable indicators.