Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 10/05/2024, 21:56
Static task: static1

Behavioral task: behavioral1
- Sample: 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
- Size: 459KB
- MD5: 11d03a613a3df8fff9895c5a409e4f90
- SHA1: 6d9cc2824e484ff397d07e14216d4ac1c3a8c9ff
- SHA256: 6edfa5be11519c5d59adc911cb00eea34a17bd163bea0de58b4e5b9f7c66c327
- SHA512: 5acef25bcbe1a157c7292f6543a853924a803727f4a3b2999ba5bba9e7acd9823b8afba83172b738a1dd5e7ccb4c78f8b796dab10243ae4361a6f18cca34d791
- SSDEEP: 6144:GY+32WWluqvHpVmXWEjFJRWci+WUd20rUU5EYCTvaBju4zu:9nWwvHpVmXpjJIUd2cUusvalxzu
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\\JYI1R8Y.exe\"" | system.exe |

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system.exe |

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system.exe |

Disables use of System Restore points (1 TTPs)

Sets file execution options in registry (2 TTPs, 6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" | system.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | system.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd" | system.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | system.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" | system.exe |
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0009000000016287-155.dat | acprotect |

Executes dropped EXE (5 IoCs)

| pid | Process |
| --- | --- |
| 2700 | service.exe |
| 2100 | smss.exe |
| 2524 | winlogon.exe |
| 2520 | system.exe |
| 2228 | lsass.exe |

Loads dropped DLL (8 IoCs)

| pid | Process |
| --- | --- |
| 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |

Modifies system executable filetype association (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | system.exe |

UPX (yara rule `upx`, 3 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral1/files/0x0009000000016287-155.dat | upx |
| behavioral1/memory/2520-240-0x0000000010000000-0x0000000010075000-memory.dmp | upx |
| behavioral1/memory/2520-250-0x0000000010000000-0x0000000010075000-memory.dmp | upx |

Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sGM2W4F0 = "C:\\Windows\\system32\\LGE7L3HHMV6R6P.exe" | system.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0R8YMV = "C:\\Windows\\CFP2W4F.exe" | system.exe |
Drops desktop.ini file(s) (28 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | \??\UNC\SCFGBRBT\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\M$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\N$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\W$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\I$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\V$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\Y$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\D$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\L$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\O$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\Q$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\B$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\J$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\R$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\U$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\E$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\S$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\X$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\F$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\G$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\P$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\T$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\Z$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\A$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\C$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\H$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\K$\desktop.ini | lsass.exe |
| File created | \??\UNC\SCFGBRBT\ADMIN$\desktop.ini | lsass.exe |
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\J: | service.exe |
| File opened (read-only) | \??\K: | service.exe |
| File opened (read-only) | \??\M: | service.exe |
| File opened (read-only) | \??\O: | service.exe |
| File opened (read-only) | \??\P: | service.exe |
| File opened (read-only) | \??\G: | service.exe |
| File opened (read-only) | \??\L: | service.exe |
| File opened (read-only) | \??\U: | service.exe |
| File opened (read-only) | \??\V: | service.exe |
| File opened (read-only) | \??\Z: | service.exe |
| File opened (read-only) | \??\E: | service.exe |
| File opened (read-only) | \??\H: | service.exe |
| File opened (read-only) | \??\I: | service.exe |
| File opened (read-only) | \??\N: | service.exe |
| File opened (read-only) | \??\R: | service.exe |
| File opened (read-only) | \??\X: | service.exe |
| File opened (read-only) | \??\Q: | service.exe |
| File opened (read-only) | \??\S: | service.exe |
| File opened (read-only) | \??\T: | service.exe |
| File opened (read-only) | \??\W: | service.exe |
| File opened (read-only) | \??\Y: | service.exe |
Drops file in System32 directory (42 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | service.exe |
| File opened for modification | C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe | service.exe |
| File opened for modification | C:\Windows\SysWOW64\RQU2C1M.exe | winlogon.exe |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J | system.exe |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system.exe |
| File opened for modification | C:\Windows\SysWOW64\regedit.exe | winlogon.exe |
| File opened for modification | C:\Windows\SysWOW64\systear.dll | winlogon.exe |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | lsass.exe |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\systear.dll | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\regedit.exe | system.exe |
| File opened for modification | C:\Windows\SysWOW64\systear.dll | lsass.exe |
| File opened for modification | C:\Windows\SysWOW64\RQU2C1M.exe | system.exe |
| File opened for modification | C:\Windows\SysWOW64\regedit.exe | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd | service.exe |
| File opened for modification | C:\Windows\SysWOW64\systear.dll | service.exe |
| File opened for modification | C:\Windows\SysWOW64\regedit.exe | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J | winlogon.exe |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | winlogon.exe |
| File opened for modification | C:\Windows\SysWOW64\systear.dll | system.exe |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J | lsass.exe |
| File opened for modification | C:\Windows\SysWOW64\systear.dll | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\RQU2C1M.exe | service.exe |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd | winlogon.exe |
| File opened for modification | C:\Windows\SysWOW64\regedit.exe | lsass.exe |
| File opened for modification | C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe | lsass.exe |
| File opened for modification | C:\Windows\SysWOW64\regedit.exe | service.exe |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd | lsass.exe |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd | system.exe |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\RQU2C1M.exe | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\DSU3X4J | service.exe |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\RQU2C1M.exe | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe | winlogon.exe |
| File opened for modification | C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe | system.exe |
| File opened for modification | C:\Windows\SysWOW64\RQU2C1M.exe | lsass.exe |
Drops file in Windows directory (64 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe | winlogon.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe | lsass.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | service.exe |
| File opened for modification | C:\Windows\lsass.exe | service.exe |
| File opened for modification | C:\Windows\CFP2W4F.exe | service.exe |
| File opened for modification | C:\Windows\onceinabluemoon.mid | winlogon.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | winlogon.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd | winlogon.exe |
| File created | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\zia02800 | system.exe |
| File opened for modification | C:\Windows\HMV6R6P.exe | service.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com | winlogon.exe |
| File opened for modification | C:\Windows\moonlight.dll | lsass.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E} | lsass.exe |
| File opened for modification | C:\Windows\lsass.exe | lsass.exe |
| File opened for modification | C:\Windows\system\msvbvm60.dll | lsass.exe |
| File opened for modification | C:\Windows\HMV6R6P.exe | smss.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E} | system.exe |
| File opened for modification | C:\Windows\CFP2W4F.exe | winlogon.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\JYI1R8Y.exe | system.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\onceinabluemoon.mid | service.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe | smss.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd | smss.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe | winlogon.exe |
| File opened for modification | C:\Windows\moonlight.dll | smss.exe |
| File opened for modification | C:\Windows\cypreg.dll | system.exe |
| File opened for modification | C:\Windows\onceinabluemoon.mid | lsass.exe |
| File opened for modification | C:\Windows\cypreg.dll | lsass.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip | system.exe |
| File opened for modification | C:\Windows\system\msvbvm60.dll | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E} | smss.exe |
| File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe |
| File opened for modification | C:\Windows\system\msvbvm60.dll | system.exe |
| File opened for modification | C:\Windows\moonlight.dll | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com | service.exe |
| File opened for modification | C:\Windows\CFP2W4F.exe | smss.exe |
| File opened for modification | C:\Windows\lsass.exe | winlogon.exe |
| File opened for modification | C:\Windows\CFP2W4F.exe | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\cypreg.dll | smss.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E} | winlogon.exe |
| File opened for modification | C:\Windows\lsass.exe | system.exe |
| File created | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip | system.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | lsass.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\JYI1R8Y.exe | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\cypreg.dll | service.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe | service.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\JYI1R8Y.exe | smss.exe |
| File opened for modification | C:\Windows\cypreg.dll | winlogon.exe |
| File opened for modification | C:\Windows\CFP2W4F.exe | system.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com | system.exe |
| File opened for modification | C:\Windows\HMV6R6P.exe | lsass.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe | service.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe | service.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe | smss.exe |
| File opened for modification | C:\Windows\HMV6R6P.exe | winlogon.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe | system.exe |
| File opened for modification | C:\Windows\HMV6R6P.exe | system.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E} | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\system\msvbvm60.dll | service.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd | service.exe |
| File opened for modification | C:\Windows\lsass.exe | smss.exe |
| File opened for modification | C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com | lsass.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | system.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" | system.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | system.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | system.exe |

Suspicious use of AdjustPrivilegeToken (1 IoC)

| description | pid | Process |
| --- | --- | --- |
| Token: SeBackupPrivilege | 2520 | system.exe |

Suspicious use of SetWindowsHookEx (6 IoCs)

| pid | Process |
| --- | --- |
| 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe |
| 2700 | service.exe |
| 2100 | smss.exe |
| 2524 | winlogon.exe |
| 2520 | system.exe |
| 2228 | lsass.exe |

Suspicious use of WriteProcessMemory (20 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2040 wrote to memory of 2700 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 28 |
| PID 2040 wrote to memory of 2700 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 28 |
| PID 2040 wrote to memory of 2700 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 28 |
| PID 2040 wrote to memory of 2700 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 28 |
| PID 2040 wrote to memory of 2100 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 29 |
| PID 2040 wrote to memory of 2100 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 29 |
| PID 2040 wrote to memory of 2100 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 29 |
| PID 2040 wrote to memory of 2100 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 29 |
| PID 2040 wrote to memory of 2520 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 30 |
| PID 2040 wrote to memory of 2520 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 30 |
| PID 2040 wrote to memory of 2520 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 30 |
| PID 2040 wrote to memory of 2520 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 30 |
| PID 2040 wrote to memory of 2524 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 31 |
| PID 2040 wrote to memory of 2524 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 31 |
| PID 2040 wrote to memory of 2524 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 31 |
| PID 2040 wrote to memory of 2524 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 31 |
| PID 2040 wrote to memory of 2228 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 32 |
| PID 2040 wrote to memory of 2228 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 32 |
| PID 2040 wrote to memory of 2228 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 32 |
| PID 2040 wrote to memory of 2228 | 2040 | 11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe | 32 |
Processes

- C:\Users\Admin\AppData\Local\Temp\11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe (depth 1, PID 2040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe (depth 2, PID 2700)
    Command line: "C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx

  - C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe (depth 2, PID 2100)
    Command line: "C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx

  - C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe (depth 2, PID 2520)
    Command line: "C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Sets file execution options in registry
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  - C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe (depth 2, PID 2524)
    Command line: "C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx

  - C:\Windows\lsass.exe (depth 2, PID 2228)
    Command line: "C:\Windows\lsass.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
  - Event Triggered Execution (1)
    - Change Default File Association (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (2)
    - Winlogon Helper DLL (1)
  - Event Triggered Execution (1)
    - Change Default File Association (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Modify Registry (6)
Downloads