Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 09/05/2024, 17:18

Static task: static1

Behavioral task: behavioral1
Sample: a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en

General
Target: a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe
Size: 86KB
MD5: a4136106faa4cc5647d5e2c92baa8bd0
SHA1: 28690c6f9c5652bef57aefd02b9869ae04c58335
SHA256: a486df087dacf03f45294ec4975955e9f208fa3a6a15c3eeb76783830ad33556
SHA512: 51ccbd3c4c4fd305d39e65072ebcf1d5727d04929b3f05a5622e9cba5ac68e12494872efcfdc821beff96eb26a8c1ce959c5eef2b0646c371d61b19dcb5ec955
SSDEEP: 768:1m/QojCpHfx08VJGHR97/RDU5naXUsukvZO5vLJASGlLdtBoKIWYkvZO5vLJASGq:EQojXbpsvkvetAV13BVYkvetAV13BVU
Malware Config
Signatures
Drops file in Drivers directory 60 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\ja-JP | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\fr-FR | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui | AE 0124 BE.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\wimmount.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\de-DE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\it-IT | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
2452 | winlogon.exe
2480 | AE 0124 BE.exe
356 | winlogon.exe
2840 | winlogon.exe
Loads dropped DLL 8 IoCs
pid | Process
1772 | a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe
1772 | a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe
2452 | winlogon.exe
2452 | winlogon.exe
2480 | AE 0124 BE.exe
2480 | AE 0124 BE.exe
356 | winlogon.exe
2840 | winlogon.exe
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Cityscape\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Savanna\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Afternoon\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Heritage\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Sonata\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Offline Web Pages\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Nature\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Scenes\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Calligraphy\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Architecture\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Characters\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Delta\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Garden\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Landscape\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Quirky\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini | AE 0124 BE.exe
Drops autorun.inf file 1 TTPs 28 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | F:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\B:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\A:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Networking-MPSSVC-Rules-StarterEdition-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\perfhost.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\httpapi.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_neutral_8693053514b10ee9\hidusb.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep304.inf_amd64_ja-jp_27c560b15d9928c0\Amd64\EP7MDL0Q.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd7400t.exp | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\ActionCenterCPL.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\spwizres.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\lsi_sas.inf_amd64_neutral_a4d6780f72cbd5b4\lsi_sas.PNF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\cero.rs.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\certreq.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpD5400t.gpd | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\dot3msm.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\IME\shared\IMETIP.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\winhttp.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\hwrcomp.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\spp\tokens\pkeyconfig\pkeyconfig.xrm-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteFX-RemoteClient-Setup-LanguagePack~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\brmfport.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\EAPHost.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\RIC811DN.GPD | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\lsi_fc.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\ws2_32.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\esscli.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\cscript.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\com\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\Amd64\LXT650.GPD | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\Microsoft.PowerShell.Security.dll-Help.xml | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ddodiag.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~lv-LV~7.1.7601.16492.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\eudcedit.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1236mk5_ibv64.inf_amd64_neutral_b81bec917adfaea5\cxraptor_merlinc.rom | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\ja-JP\netr28ux.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmmetri.inf_amd64_neutral_f89b8a357327f615\mdmmetri.PNF | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNBJ3150.TBL | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnlx005.inf_amd64_neutral_f65eeb9bff6bd8f3\Amd64\LMT632.GPD | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\Storprop.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\netid.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\DevicePairingFolder.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IE-Troubleshooters-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\AudioSes.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\tracert.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\megasas.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00a.inf_amd64_neutral_92a4c727cdf4c2f7\Amd64\EP0NM4RE.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\irprops.cpl.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\InstallShield\setupdir\040c\_setup.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prndrvr.vbs | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\spp\tokens\ppdlic\msmpeg2vdec-ppdlic.xrm-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\wiaservc.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ImageBasedSetup-IE-Package-Base-Downlevel~31bf3856ad364e35~amd64~~6.3.9600.16428.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GS7035N6.GPD | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\prnhp003.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\Amd64\LR20006.GPD | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\sensorsalsdriver.inf_amd64_neutral_1c5bc8e71eb90127\SensorsAlsDriver.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\rasdial.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\ssText3d.scr.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\stdprov.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_WMI_Cmdlets.help.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\localsec.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\61883.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\dlmanifests\WindowsSearchEngine-DL.man | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\ja-JP\htable.xsl | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\expand.exe | AE 0124 BE.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Graph | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~de-DE~7.1.7601.16492.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-w..-provider.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8a5b315523d5b814 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_netxfx64.inf_31bf3856ad364e35_6.1.7600.16385_none_a32b19d7e784cfa1\xfrmx64.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-t..utcontrol.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8d2b22447e6b8ca8\micaut.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\inf\crcdisk.PNF | AE 0124 BE.exe
File opened for modification | C:\Windows\inf\MSDTC Bridge 4.0.0.0\0014 | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-sqllitese_31bf3856ad364e35_6.1.7601.17514_none_171d15c17a035a11\sqlcese30.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_32\System.Printing\v4.0_4.0.0.0__31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-m..component.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c7997b02a69ebbe1.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_win7-microsoft-wind..printing-deployment_31bf3856ad364e35_7.1.7601.16492_none_0ca0762c34b4e8b9.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_f72e2c32f7e542ef.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\x86_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_de-de_c2fd80580d9278c7.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2052\SetupResources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..tional-codepage-863_31bf3856ad364e35_6.1.7600.16385_none_2addea58b4e20d54 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b7939e238289bc86 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_netfx-mscorsec_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_e638a346b112adf9\mscorsec.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-a..nager-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_02fddbc4786f38a8 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-dui70_31bf3856ad364e35_6.1.7600.16385_none_b3a9a17817cbcd9e | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-credssp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c2af39ec784434eb.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\Microsoft.PowerShell.Commands.Diagnostics.dll-Help.xml | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-t..nputpanel.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9f6e2269f12dae95\TipRes.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ols-klist.resources_31bf3856ad364e35_6.1.7600.16385_es-es_890e4971f10372e7 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..-core-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8909243479fb4364\msoeres.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..oyment-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_661b86f16be30461.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_6.1.7601.17514_none_b7aa02fc1797974c\cintlgnt.ime | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpLics.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..onal-codepage-10079_31bf3856ad364e35_6.1.7600.16385_none_82e75d00e09808f4.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_server-help-chm.pmc_lh.resources_31bf3856ad364e35_6.1.7601.17514_de-de_1613e17f123b0d51.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Managemen# | AE 0124 BE.exe
File opened for modification | C:\Windows\Cursors\pen_im.cur | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1107dcb1e9c5b5e5 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-p..ormancebasecounters_31bf3856ad364e35_6.1.7600.16385_none_8d682f6a76cad93f.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-propsys_31bf3856ad364e35_7.0.7601.17514_none_2da67fa978cc211f\propsys.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ec50af274bf7a15fb59ac1f0d353b7ea\Microsoft.PowerShell.Commands.Diagnostics.ni.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-dpiscaling_31bf3856ad364e35_6.1.7600.16385_none_d63cc4dd74a11d0b\DpiScaling.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_it-it_78673d04435c1b7b | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..almanager.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_82af05b7c6f3e6a6\termmgr.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018_0bada1de-01a9-4625-8278-69e735f39dd2.xml_5c61e9f5 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_14424567ab0c4d42_mlang.dll.mui_2904864a | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-r..stion-resolver-core_31bf3856ad364e35_6.1.7600.16385_none_fcf27d7d89ee8e4b\radarrs.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-sstext3d.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_87e53a63ef61570f\ssText3d.scr.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-devicemetadataparsers_31bf3856ad364e35_6.1.7600.16385_none_c6c96b821da83d30\DeviceMetadataParsers.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-getuname.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ec6f8c0df80bc28f\getuname.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_networking-mpssvc-admin_31bf3856ad364e35_6.1.7601.17514_none_03783362986e804b\AuthFWGP.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Backup\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_0a2f4680d5ae26b7_sti.dll.mui_00a4f15b | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..l-keyboard-0001045d_31bf3856ad364e35_6.1.7600.16385_none_0747808f9651066f.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\wow64_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_11.2.9600.16428_none_4c9247ac83e5583f.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_6.1.7601.17514_none_90ba4080c9f2e648\wiaservc.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.6.0.Microsoft.MediaCenter\6.1.0.0__31bf3856ad364e35\Policy.6.0.Microsoft.MediaCenter.config | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_fe9dd62ff9adc95e | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_es-es_53d92c4ec2b28e59\license.rtf | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_prnlx00v.inf_31bf3856ad364e35_6.1.7600.16385_none_6c0be1fa721edae2.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\x86_microsoft-windows-m..ponents-mdac-rds-ce_31bf3856ad364e35_6.1.7600.16385_none_476d9c0f63df91b0.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_puiobj.dll_343adf45 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-28598_31bf3856ad364e35_6.1.7600.16385_none_552905214589b007\C_28598.NLS | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\3ea902532ba499bf1260da656c900f6c\System.Web.Routing.ni.dll.aux | AE 0124 BE.exe
File opened for modification | C:\Windows\Speech\Engines\SR\ja-JP\l1041.smp | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ipconfig.resources_31bf3856ad364e35_6.1.7600.16385_en-us_23d220931769f95b | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-imapiv2-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d8bd62636b304029 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_prnrc00a.inf_31bf3856ad364e35_6.1.7600.16385_none_39ffb3f2f8e1ac64\prnrc00a.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-d..ic-module.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_174810fad121184f\DFDTS.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-help-appman.resources_31bf3856ad364e35_6.1.7600.16385_es-es_496d81b0d258887e.manifest | AE 0124 BE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 31 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE
-
Modifies registry class 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE
-
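The "Set value (data)" rows in the two WINWORD.EXE registry tables above (Internet Explorer editor keys and the .htm/.mht OpenWithList classes) all carry the same three hex blobs. They are UTF-16LE strings: a Windows Installer "Darwin descriptor" (a 20-character compressed product GUID, a feature name, ">" and a 20-character compressed component GUID) followed by the verb's argument string, which is how Office registers advertised shell verbs. Decoding them shows they point at Office's own WORDFiles, EXCELFiles and PubPrimary features, so these rows are consistent with Office first-run registration rather than activity attributable to the sample. The decoder below is an added example and not part of the sandbox output; the three hex strings are copied from the rows above, the row regex assumes the "Set value (data) <key> = <hex> <process>" layout of this report, and the compressed GUIDs are split out but not expanded.

```python
"""Decode the hex 'command' data values logged under the WINWORD.EXE registry writes."""
import re

# Copied from the report rows above (the WinWord, Excel and Publisher variants).
WORD_BLOB = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "57004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d00"
    "7b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
)
EXCEL_BLOB = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "45005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800"
    "270077002100460049006400310067004c00510020002f0064006400650000000000"
)
PUB_BLOB = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00"
    "5000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f00"
    "7d0061004c00720052007000390078004000570020002500310000000000"
)

# Darwin descriptor layout: 20-char compressed product GUID, feature name,
# '>' (not in the compressed-GUID alphabet, so it is an unambiguous separator),
# 20-char compressed component GUID, then the verb's argument string.
DESCRIPTOR_RE = re.compile(
    r"^(?P<product>.{20})(?P<feature>[^>]+)>(?P<component>.{20})(?P<args>.*)$"
)

# Assumed layout of one report row; the key may contain spaces.
ROW_RE = re.compile(
    r"Set value \(data\) (?P<key>\\REGISTRY\\.+?) = (?P<hex>[0-9a-fA-F]+) (?P<proc>\S+)$"
)

# Constructed from the 'Default HTML Editor' row above, for the row parser.
SAMPLE_ROW = (
    r"Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer"
    r"\Default HTML Editor\shell\edit\command\command = " + WORD_BLOB + " WINWORD.EXE"
)


def decode_multi_sz(hex_blob):
    """Decode a NUL-separated, NUL-terminated UTF-16LE blob into its strings."""
    text = bytes.fromhex(hex_blob).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def parse_darwin_command(hex_blob):
    """Split the first string of the blob into descriptor fields and verb arguments."""
    strings = decode_multi_sz(hex_blob)
    if not strings:
        return {"descriptor": False, "raw": ""}
    m = DESCRIPTOR_RE.match(strings[0])
    if m is None:
        # Not a descriptor: a plain command line would be far more suspicious here.
        return {"descriptor": False, "raw": strings[0]}
    fields = m.groupdict()
    fields["args"] = fields["args"].strip()
    fields["descriptor"] = True
    return fields


def decode_report_row(row):
    """Extract the hex from one 'Set value (data)' row and decode it."""
    m = ROW_RE.search(row)
    if m is None:
        return None
    out = parse_darwin_command(m.group("hex"))
    out["key"] = m.group("key")
    out["process"] = m.group("proc")
    return out


if __name__ == "__main__":
    for name, blob in (("word", WORD_BLOB), ("excel", EXCEL_BLOB), ("publisher", PUB_BLOB)):
        print(name, parse_darwin_command(blob))
    print(decode_report_row(SAMPLE_ROW))
```

The shell resolves such a descriptor through MsiProvideComponent before running the verb, which is why the value is a descriptor and not a path. A decoded value that is a plain command line, or a descriptor whose product code differs from the Office one shared by all three blobs here, is what would merit a closer look.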
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
2652 WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process
1772 a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe
2652 WINWORD.EXE
2652 WINWORD.EXE
2452 winlogon.exe
2480 AE 0124 BE.exe
2840 winlogon.exe
356 winlogon.exe
2652 WINWORD.EXE
-
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target
PID 1772 wrote to memory of 2652 1772 a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe 28
PID 1772 wrote to memory of 2652 1772 a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe 28
PID 1772 wrote to memory of 2652 1772 a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe 28
PID 1772 wrote to memory of 2652 1772 a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe 28
PID 1772 wrote to memory of 2452 1772 a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe 29
PID 1772 wrote to memory of 2452 1772 a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe 29
PID 1772 wrote to memory of 2452 1772 a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe 29
PID 1772 wrote to memory of 2452 1772 a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe 29
PID 2452 wrote to memory of 2480 2452 winlogon.exe 30
PID 2452 wrote to memory of 2480 2452 winlogon.exe 30
PID 2452 wrote to memory of 2480 2452 winlogon.exe 30
PID 2452 wrote to memory of 2480 2452 winlogon.exe 30
PID 2452 wrote to memory of 356 2452 winlogon.exe 31
PID 2452 wrote to memory of 356 2452 winlogon.exe 31
PID 2452 wrote to memory of 356 2452 winlogon.exe 31
PID 2452 wrote to memory of 356 2452 winlogon.exe 31
PID 2480 wrote to memory of 2840 2480 AE 0124 BE.exe 32
PID 2480 wrote to memory of 2840 2480 AE 0124 BE.exe 32
PID 2480 wrote to memory of 2840 2480 AE 0124 BE.exe 32
PID 2480 wrote to memory of 2840 2480 AE 0124 BE.exe 32
PID 2652 wrote to memory of 2988 2652 WINWORD.EXE 37
PID 2652 wrote to memory of 2988 2652 WINWORD.EXE 37
PID 2652 wrote to memory of 2988 2652 WINWORD.EXE 37
PID 2652 wrote to memory of 2988 2652 WINWORD.EXE 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe"
  PID: 1772
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 2)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\AE 0124 BE.docx"
    PID: 2652
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (level 3)
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2988

  C:\Windows\SysWOW64\drivers\winlogon.exe (level 2)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 2452
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\AE 0124 BE.exe (level 3)
      Command line: "C:\Windows\AE 0124 BE.exe"
      PID: 2480
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\drivers\winlogon.exe (level 4)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 2840
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe (level 3)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 356
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
-
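The process tree above shows three copies of a binary named winlogon.exe (PIDs 2452, 2840 and 356) running from C:\Windows\SysWOW64\drivers\, launched by the sample and by the dropped AE 0124 BE.exe, with a command line that names C:\Windows\System32\drivers\ instead. The genuine winlogon.exe lives in %SystemRoot%\System32 and is started by smss.exe, so every one of these is a name-masquerade; the System32/SysWOW64 mismatch is WOW64 file-system redirection, since a 32-bit process that refers to ...\System32\... is silently redirected to ...\SysWOW64\... on a 64-bit host. The check below is an added example, not part of the report: the process records are transcribed from the tree above, and EXPECTED_IMAGE and EXPECTED_PARENT are assumptions that encode only the winlogon.exe rule stated here (a real deployment would carry a fuller table of system binaries).

```python
"""Flag system-binary name masquerading in a sandbox process tree."""
import ntpath

# Transcribed from the process tree above: (pid, parent pid, image path, command line).
PROCESSES = [
    (1772, None, r"C:\Users\Admin\AppData\Local\Temp\a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\a4136106faa4cc5647d5e2c92baa8bd0_NeikiAnalytics.exe"'),
    (2652, 1772, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\AE 0124 BE.docx"'),
    (2988, 2652, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    (2452, 1772, r"C:\Windows\SysWOW64\drivers\winlogon.exe", r'"C:\Windows\System32\drivers\winlogon.exe"'),
    (2480, 2452, r"C:\Windows\AE 0124 BE.exe", r'"C:\Windows\AE 0124 BE.exe"'),
    (2840, 2480, r"C:\Windows\SysWOW64\drivers\winlogon.exe", r'"C:\Windows\System32\drivers\winlogon.exe"'),
    (356, 2452, r"C:\Windows\SysWOW64\drivers\winlogon.exe", r'"C:\Windows\System32\drivers\winlogon.exe"'),
]

# Assumptions: where the genuine binary lives and which process starts it.
EXPECTED_IMAGE = {"winlogon.exe": r"c:\windows\system32\winlogon.exe"}
EXPECTED_PARENT = {"winlogon.exe": "smss.exe"}


def first_token(cmdline):
    """Return the executable path from a command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def find_masquerades(processes):
    """Return one finding per process whose name is a protected system binary
    but whose location, parent or launch path does not match the genuine one."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmdline in processes:
        name = ntpath.basename(image).lower()
        if name not in EXPECTED_IMAGE:
            continue
        reasons = []
        if image.lower() != EXPECTED_IMAGE[name]:
            reasons.append("image path %s is not %s" % (image, EXPECTED_IMAGE[name]))
        parent = by_pid.get(ppid)
        parent_name = ntpath.basename(parent[2]).lower() if parent else None
        if parent_name != EXPECTED_PARENT[name]:
            reasons.append("parent is %s (pid %s), expected %s"
                           % (parent_name or "unknown", ppid, EXPECTED_PARENT[name]))
        # A 32-bit launcher naming ...\System32\... is redirected by WOW64 to
        # ...\SysWOW64\..., so the command line and the real image path disagree.
        # Caveat: 8.3 short names or symlinks can also cause a benign mismatch.
        if first_token(cmdline).lower() != image.lower():
            reasons.append("command line path differs from image path (WOW64 redirection)")
        if reasons:
            findings.append({"pid": pid, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_masquerades(PROCESSES):
        print(f["pid"], f["image"])
        for r in f["reasons"]:
            print("   ", r)
```

Run against the transcribed tree this reports PIDs 2452, 2840 and 356, each for all three reasons. The same three checks (expected path, expected parent, launch path versus image path) carry over directly to EDR or Sysmon process-creation events, where Image and ParentImage are available without a sandbox.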
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 20KB
MD5 537a190888ac8fe6e0432d771de9b4d7
SHA1 159f2627bbb20a5f33aea7723e9a41e457ff638d
SHA256 9060060ebf2ce46e31fb536de5cf875aca0c1f2b1e0b4eb6b66268226f6bf742
SHA512 6141a3f72ec889c6f65ea762e5285d9b24db7014f78bb096721d93c74b20aa7c1a9b317625d8a6c669fe20dfc5953b5b48ecd7ec781b285227a1c0e052d699d0
-
Filesize 86KB
MD5 a6723e929f2b6239441b80eef8f54b50
SHA1 885c6bde0df35f2158905700e3a421130e0f7190
SHA256 b89eea7d6822cef637117340c276f50aee56188cb7552936f2c20ec31e992f37
SHA512 9935a2da09ff603121c61a780b3c37c9b2daf0592ec6bc7c616f11608d7c0f05e00c03465c3422c4364ee4c26129fc949aae92983f36376dcfdd440dc13411d0
-
Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize 162B
MD5 33d4b4b3dd1367137727152839c07bac
SHA1 5f46001484f7d760699c470e794ff40d5a89a997
SHA256 eb1f83fdedc471103a23f5ae306fa7db38e56e67e11870579e89a3b0198049d4
SHA512 0caad96cf3c5eaa317afa68457285ee93b0c62ebbdebeeece927cb5074b711edd7d0f05ec4e79d7c0478b73b3c51b92e6c07f94a578044a0c847bf7cbd18bbcd
-
Filesize 25B
MD5 589b6886a49054d03b739309a1de9fcc
SHA1 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb
-
Filesize 40KB
MD5 6ad88f2f49aebadae453ef04c59d7ee0
SHA1 ca8f3d3cb85990492a7614585d4a2568394b1c7d
SHA256 575586cc837fc6f57377e3a59a58dc0d0fa6e274b2c1a11ecbc5348b798a1def
SHA512 83bf5a5df8e87e8c9b819e3d76769ae94d8411f69dc2d3f513ca7df0a621ca9c6d5cb210b4a92ff29ecfbc66e0744e893f5bb88944fab12b5407a5389ca98c13