6e76bbc522fbb7e991da192ba9475d48a7072920aff8e226bb9461ef878f3e8f

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
Size

170KB
MD5

f9fdd70504ef8f1f6cbdbd1efc9ec930
SHA1

50fff9dae8b12dc9ecae86884c7d25042d0537af
SHA256

6e76bbc522fbb7e991da192ba9475d48a7072920aff8e226bb9461ef878f3e8f
SHA512

7cf709165eddb7fa1b3c8f89323d7d190fe9a8d7860bfff469a80947f4b1f5df4ddc6b9ac0cb2e4a23b2af07e96fbbbfedecb48f2af73e20305c8a82c3ca30d3
SSDEEP

3072:wCcKpzOpm3uKQCDWeyDKVPy7THK4WZZzUR9Lr0lQbfSDADeak7dJHB/AKGu:h7zOSuccuVqfp2+S6SsQLH5AKN

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\\IXG1Q7W.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00080000000233c0-147.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 5 IoCs

pid	Process
384	service.exe
3124	smss.exe
2812	system.exe
5044	winlogon.exe
4400	lsass.exe

Loads dropped DLL 1 IoCs

pid	Process
2812	system.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000233c0-147.dat	upx
behavioral2/memory/2812-326-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sEK1V4D0 = "C:\\Windows\\system32\\KED7K3FGLU5P5O.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0Q7WLU = "C:\\Windows\\YDN1V4D.exe"	system.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\V:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\KED7K3FGLU5P5O.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\KED7K3FGLU5P5O.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\KED7K3FGLU5P5O.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\QPS2Y0L.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\KED7K3FGLU5P5O.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I	lsass.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I\KED7K3F.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\QPS2Y0L.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\QPS2Y0L.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I\KED7K3F.cmd	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\QPS2Y0L.exe	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I\KED7K3F.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\KED7K3FGLU5P5O.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\QPS2Y0L.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I\KED7K3F.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I\KED7K3F.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\QPS2Y0L.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\KED7K3FGLU5P5O.exe	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I\KED7K3F.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\SysWOW64\CRS2V3I	service.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\VYU2Y0S.com	smss.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\VYU2Y0S.com	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\YDN1V4D.exe	smss.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	smss.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\VYU2Y0S.com	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}	system.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	winlogon.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	lsass.exe
File created	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	winlogon.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	smss.exe
File opened for modification	C:\Windows\GLU5P5O.exe	system.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\VYU2Y0S.com	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	smss.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\IXG1Q7W.exe	lsass.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\GLU5P5O.exe	service.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	smss.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\YDN1V4D.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\YDN1V4D.exe	system.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	service.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	lsass.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	lsass.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	system.exe
File opened for modification	C:\Windows\YDN1V4D.exe	lsass.exe
File opened for modification	C:\Windows\GLU5P5O.exe	lsass.exe
File opened for modification	C:\Windows\YDN1V4D.exe	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	service.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\VYU2Y0S.com	lsass.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	winlogon.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\IXG1Q7W.exe	winlogon.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\IXG1Q7W.exe	system.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\IXG1Q7W.exe	service.exe
File opened for modification	C:\Windows\moonlight.dll	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	service.exe
File opened for modification	C:\Windows\GLU5P5O.exe	smss.exe
File opened for modification	C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	2812	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
384	service.exe
3124	smss.exe
5044	winlogon.exe
2812	system.exe
4400	lsass.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 384	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	78
PID 4648 wrote to memory of 384	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	78
PID 4648 wrote to memory of 384	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	78
PID 4648 wrote to memory of 3124	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	79
PID 4648 wrote to memory of 3124	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	79
PID 4648 wrote to memory of 3124	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	79
PID 4648 wrote to memory of 2812	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	80
PID 4648 wrote to memory of 2812	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	80
PID 4648 wrote to memory of 2812	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	80
PID 4648 wrote to memory of 5044	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	81
PID 4648 wrote to memory of 5044	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	81
PID 4648 wrote to memory of 5044	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	81
PID 4648 wrote to memory of 4400	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	82
PID 4648 wrote to memory of 4400	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	82
PID 4648 wrote to memory of 4400	4648	f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe	82

C:\Users\Admin\AppData\Local\Temp\f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\f9fdd70504ef8f1f6cbdbd1efc9ec930_NEIKI.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  "C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:384
- C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  "C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3124
- C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  "C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2812
- C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
  "C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:5044
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GLU5P5O.exe

Filesize
170KB

MD5
e36d710f7252d626ead227800bccf284

SHA1
5244484506c6963fe2860ee7b6665fc3a3315929

SHA256
f4a79c8294717d0abae8885ffb52a8bdeaf9576c2aeb4e617e9e9b188ec6e9e3

SHA512
40b18157be6ddaf7bd7349b93d47f6d452ab2849481d32294fc2d78f029952d51e7b12b877accd042561435bbdf516c03e285c651889b0eb5cd41b456d3ce033

Download Submit
C:\Windows\SysWOW64\CRS2V3I\KED7K3F.cmd

Filesize
170KB

MD5
81535227c094c4093b6c57b967de6da3

SHA1
4c706057213190900b1600ec237ec8b0935c9d1e

SHA256
a21393ad7ebdb78c8a46059362ead3f6c888e4aded474b61255120cb8b89d79d

SHA512
48507b209daac5c429dc145d808bb34498b4e418dc9b7fa31f92241ac9acac5d6dd1829cfa4605c5e817432a8354d365973216d18a4ba2bffd67b1e0c9a619a6

Download Submit
C:\Windows\SysWOW64\KED7K3FGLU5P5O.exe

Filesize
170KB

MD5
20a23e94b9fb5db4552e55ca22aefc91

SHA1
25cf323f7602dbb019e72448fac7603b0050eb0b

SHA256
f9579fb4e4e5faf45f920115e7417c1b4301a91efb9c6bd1c5fba21f092c854e

SHA512
b018bc39e27d6b032e5ce7cd99cc27fd78c707d3774e5e1f41b1ad8c82cbb9c5accd9e0c4dd147cd521ec0fc119003eb6cfe90df4a1daba32cd85a9d5556fcd7

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
64c582a39d9ad0b0932a3aeffd4105bc

SHA1
44712be75130efb3daf564fcfab732ca52de7a27

SHA256
3a82d623fc6af1a709dd8379701aa7a07069c22cc09d9b86fb6e9b891ac9f4f7

SHA512
cac666a646d411aa9f192a72aaa35bff42eaf435d853762c679a07e429ee92292308db4abe4bc33605f7f833f85297a4d6b7144502c3b5be71e172ccc3042588

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
5494c394ceb7a68118d2ba7a20eb7ea5

SHA1
85dd1868e9cee37e7e471ecf74398a37e34b46eb

SHA256
5afe53edcf72cc94a09de239c6c312b77a5f7dc8152a6a7e9c9f969dadfdf2ed

SHA512
66f18a785a6206eb345ffd53a55ec1b4cc1eab877b4bbcc5182e71cba20cff335e67bf8c821962726a0d29d5a99bffd135eb8b9e749af37eb3b7951c276d3d00

Download Submit
C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\IXG1Q7W.exe

Filesize
170KB

MD5
7ff7fdc2599d2149ca207605fd73eb39

SHA1
465c7595f3c49d2173a48dd879d0adb060459469

SHA256
552358f8db81fc53b30da8e5fddc3fcfa710c45598827cd66dbe8d18488988b1

SHA512
0151916c7b7487970a6655e6d3e39e37df0c3d53aec0ce16a397bc27a203d9f9e344da325c90dea5ce8551ffa46277bd42bd1f0de9759725a3fedfc32e3ebf3a

Download Submit
C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\IXG1Q7W.exe

Filesize
170KB

MD5
2166280e4dea7fd0f4a16a4a76873ce1

SHA1
1dc160912d1fa34ecbebb46248b78ee715e9c5b8

SHA256
156e9a7893eef56628ef2b8cf3f5ee0aa226c880024f39e47ecc093aec564f09

SHA512
ea43266289ae4c33e03ac02fad165fa3f54954612da2c02e86e12dc25b77da0b5f864c4f181ee3871c4d892aab22386037f7d3c584dc7f07b334186b0993adcf

Download Submit
C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\IXG1Q7W.exe

Filesize
170KB

MD5
c24cbba2f22e63e2d07dfb5ddb4fb86d

SHA1
339a5a9aecd4bb0ccbbccd60aaa631be5f92ef47

SHA256
3fd6390efd7cd321de0ebeb347e390aba0de6077d9ccdd919ffbfb76ac67d845

SHA512
f316cc3481c1453bf1deb003b69a44bcaf9680156966691eb91632d4ce4232f7a899ac2f09f03aee8ad00a0a8d02574d995285a84d628db59f09fb7824ddf2e1

Download Submit
C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\IXG1Q7W.exe

Filesize
170KB

MD5
e348bbcaeaab1b981b8d4ba34a0ad76b

SHA1
b5d9f66db7b90c11aa16fcf4377cd6e5250675c8

SHA256
92ce0b2f95616bfda6d0d3fa3c824955fcbaf15a859324a4db1f16459ecd77aa

SHA512
f62d27bbc6d1f634f17f6d39eae1a7c7822efbfd1621e6cf0921e87a105165827e1abbf6600932339dced0c5504056ad9cbdd6e3904d3ac65bdd4924ba646d15

Download Submit
C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\VYU2Y0S.com

Filesize
170KB

MD5
cdfa5e9b11807338d307228e18e2dc89

SHA1
c38779928bbf82a73131e3f06357ed8728d0f2ae

SHA256
402cbc3aaf9918b5a98a10f26d2b5a423008c1e71b8e6abeb63824bc12567496

SHA512
428a78fb81c34c88a4c89889b3d51b6bb6b3a6330d41c3c4236a5d9ab0fe5adb9c43723f9d7d6cdab81e4ece326397f98c03134125f69809af91a7008eb85171

Download Submit
C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
170KB

MD5
327a5cc07c26be336f7e95ff313d585a

SHA1
21d9c90c4be511b9b1a62e6b3c91a0ee87e3077f

SHA256
17aef605bcf29bed35058fe5a379530170765709343ceee2b6212232017e06ca

SHA512
57c7dca2ed6f38e19ae96d0e7692d1c5bd81068d967f35ddda4cae5e5fc257f94606c08c726b2bec285e53347a79ca9282fdbfa1c53d211df47d0343bd03d33a

Download Submit
C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

Filesize
170KB

MD5
a24481705cb54222486458f5084c3116

SHA1
20678e4bcd6e05679a9b61a08c1f89860be577f4

SHA256
8de7577e280169530389dfe96e0e72c49c6a8901d603bb6490bcc7b52b2ff9ad

SHA512
df0d54b899f0b72e06d59ea1a3032d5a6694baef3955740197c9aee40f33a91eca1cb5d50e3635f5f7f6479254c2f38761cc4d9ff72c12cbc95b2368d6cd0a4d

Download Submit
C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
170KB

MD5
9067cda111c2ec84cbe091ad6b3da60d

SHA1
5045ce6a2a3adb8837163b985499ce817bc5a106

SHA256
b6d0c785fa34dd9ccf397aaa49abd8d6faf402dd20bf4ba512a41bb904181f06

SHA512
c04ab8d414f77b8b9405894bf6dd90c3a67222b25b11fdd229f8f21023100b4f78817959a23b52c93dcd2802baf649afb7d354cdfae47e1c908401562083dd0d

Download Submit
C:\Windows\VEK7L1W.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe

Filesize
170KB

MD5
c94d266f3949528e596a41e60b681e9f

SHA1
78f325edf4c57c3e1b1133a3640966b7057d86e6

SHA256
c6886dde5f3381ee176f01fcda844192de4a2434694000bbbcbae8f19eb98f1d

SHA512
def9853f85fa2f23e3c92893bfc9a0624792579e9da77ff42d8205fff9ed073e804ff45b1354184f64060fb888b694d7d5ceb9348d817a04e44fe4e627393454

Download Submit
C:\Windows\YDN1V4D.exe

Filesize
170KB

MD5
91d4110fd93dd17d44190225d3a57348

SHA1
e191b8bf628df32268d91008a18f4386365e3188

SHA256
dac3994efbefc5f0895f0ce8c39744003cb80e5bb99d608ea5d17df11a4cafb4

SHA512
ed07e87630e22193c6e514a8ae5f484ecb9fac931c53c2f80708e93266d41973e36d8abb16e33ed1482d1e14153ab78ee07868d246bae97c8c7555d60cb80aa2

Download Submit
C:\Windows\YDN1V4D.exe

Filesize
170KB

MD5
8d9b0d7fa975743d6ec354d210119603

SHA1
7ccf00fbe1feb4080185eb42b7a5f17e430cad27

SHA256
ac035131e19c863adfaa77f96532060b2c755cf29eabc949dc5db5b5fb949348

SHA512
6404f9315d03b639666501c473ad4130b0a1a694a350a98cbef3747ef6c35b64b3ea356ccbd2ad3b711c574d7208d21de7e1128706e1ffd2542372f905b21df4

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
d1ee55dda1048bdb13953a00759a05f0

SHA1
9e1f5772c8eb0a1c0d748c5ae20fb23b2929b95e

SHA256
a113b6c17a773b3eb04a0e7724c60de9479e52f7111de1e97b2f924b22b45432

SHA512
b803d5aa05deb31f6e91cc2184e3e256a1df9a4a7cd90cea85d507b3b5366e949775d7c10763199ebb56c54fc917093c7e47e1703d43a1dbe5ff06cf763d0be7

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
e311ef4df4009a9926e9d774568ad810

SHA1
8b546b1b626a28a4b117359065e43d5217cb9cfe

SHA256
dba59c4d0417da694c70255a4741b94c92bd6206b932870b4d1b8eefe7fbd9b8

SHA512
597399a7c5cb4b34de5ce070ccd2c2684bb601dded6456eb0bbd7a0cd13d0d4cefbbdc3a9a445840f033a49ec2554c46764535e115897623476ab6be64a89452

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
bb3c024a20350fd9f1f31ae8dce3ec0e

SHA1
29e02419ed33c771c3bfe255d41007af9795ab25

SHA256
3d6dc948c793598e28de3bbe9345e9f891c1a6371c2a0e0444475a56b05c0439

SHA512
85cc23c8f2b31c284f17e6a3faf91e5d50dea9a9495f7a04623de06d3b218c3f2f2d623911987f4d2a4755762b317ee55e5aede5362b308b7fc4ed68d17f6fdb

Download Submit
C:\Windows\lsass.exe

Filesize
170KB

MD5
1344597bb00e4935b4d8cae5315d38f8

SHA1
f12e33a1e2bab4f42f040947b651bfc0a385889d

SHA256
360f958dea835b62ce3b318114e8edd92982a0b2e76b041b89756987d22fe761

SHA512
e2b259e57990bf962e6a79b9f61d8b0938aa2a2378944e7b40ebefa30d83b19a01c7596cf809078e557054e255a63800b9659921d6d9ac6dc3d619fda90af706

Download Submit
C:\Windows\lsass.exe

Filesize
170KB

MD5
90d44e0cfc192243bb24c89154272f21

SHA1
085da17090a18c8e4a49b3e7fc05ec0d26bc463a

SHA256
e5bb03e01523c1dc4938766d7c4e727dbdfd141d8d166a7078ccfd447f1c5230

SHA512
d0004eaffc5136143d7f1eb701cbe14258fe125ecf8fc4df1f86f4f5bb9ea58beb8e363bf6f5796b77bbe55e43bc82a6fd89a28d47b85efbec134520a94bc4a0

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
220cd5b36a14cfc83715839698aeaaa8

SHA1
e2957eb14abffa17ad61b7555221803444f92288

SHA256
eb319cc5c5e432b3f111b185fa12e1410b43d90b81b4bd8d7f007c860256b4b1

SHA512
65f4473e6f2f6af2c9197fb25955b58f1f2504b3cf364e6e6f41b9e1ba9fb6a80613797a0b4b24b41ce88b1f2afbb52cc3efcc5a362c4f54f2beb745028a9441

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
d738f36032f366e97e0a598f5d7e29c3

SHA1
56e6cd474d634e71390b036b80d69d91ad8908d4

SHA256
c45b2257d2b274708ff2c60d6b2fd3c3af0915b030e041c17a52c0f0c10d5d1c

SHA512
0f43e3139087a94a23d554b749fac83e814e1ee01bf0f23fab4d465fada078a29e255d01be808c1d7475925e43f3550ada8d153c7aff346cb5bd5d54c6b97b79

Download Submit
memory/384-58-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/384-310-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2812-363-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2812-332-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2812-393-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2812-375-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2812-349-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2812-312-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2812-88-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2812-326-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/3124-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3124-311-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4400-340-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4400-309-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4648-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4648-291-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5044-357-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5044-313-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5044-351-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5044-334-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5044-345-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5044-365-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5044-371-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5044-338-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5044-377-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5044-389-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5044-125-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads