6edfa5be11519c5d59adc911cb00eea34a17bd163bea0de58b4e5b9f7c66c327

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
Size

459KB
MD5

11d03a613a3df8fff9895c5a409e4f90
SHA1

6d9cc2824e484ff397d07e14216d4ac1c3a8c9ff
SHA256

6edfa5be11519c5d59adc911cb00eea34a17bd163bea0de58b4e5b9f7c66c327
SHA512

5acef25bcbe1a157c7292f6543a853924a803727f4a3b2999ba5bba9e7acd9823b8afba83172b738a1dd5e7ccb4c78f8b796dab10243ae4361a6f18cca34d791
SSDEEP

6144:GY+32WWluqvHpVmXWEjFJRWci+WUd20rUU5EYCTvaBju4zu:9nWwvHpVmXpjJIUd2cUusvalxzu

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\\JYI1R8Y.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000016287-155.dat	acprotect

Executes dropped EXE 5 IoCs

pid	Process
2700	service.exe
2100	smss.exe
2524	winlogon.exe
2520	system.exe
2228	lsass.exe

Loads dropped DLL 8 IoCs

pid	Process
2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016287-155.dat	upx
behavioral1/memory/2520-240-0x0000000010000000-0x0000000010075000-memory.dmp	upx
behavioral1/memory/2520-250-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sGM2W4F0 = "C:\\Windows\\system32\\LGE7L3HHMV6R6P.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0R8YMV = "C:\\Windows\\CFP2W4F.exe"	system.exe

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File created	\??\UNC\SCFGBRBT\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\M$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\N$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\W$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\I$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\V$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\Y$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\D$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\L$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\O$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\Q$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\B$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\J$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\R$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\U$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\E$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\S$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\X$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\F$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\G$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\P$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\T$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\Z$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\A$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\C$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\H$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\K$\desktop.ini	lsass.exe
File created	\??\UNC\SCFGBRBT\ADMIN$\desktop.ini	lsass.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\Y:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DSU3X4J	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\RQU2C1M.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\RQU2C1M.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\RQU2C1M.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J	smss.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J\LGE7L3H.cmd	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\RQU2C1M.exe	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\RQU2C1M.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\RQU2C1M.exe	lsass.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	winlogon.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	lsass.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\CFP2W4F.exe	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	winlogon.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	winlogon.exe
File created	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\zia02800	system.exe
File opened for modification	C:\Windows\HMV6R6P.exe	service.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com	winlogon.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}	lsass.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\HMV6R6P.exe	smss.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}	system.exe
File opened for modification	C:\Windows\CFP2W4F.exe	winlogon.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\JYI1R8Y.exe	system.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	smss.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	smss.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\moonlight.dll	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com	service.exe
File opened for modification	C:\Windows\CFP2W4F.exe	smss.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\CFP2W4F.exe	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File created	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	lsass.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\JYI1R8Y.exe	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	service.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\JYI1R8Y.exe	smss.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\CFP2W4F.exe	system.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com	system.exe
File opened for modification	C:\Windows\HMV6R6P.exe	lsass.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	service.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	service.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	smss.exe
File opened for modification	C:\Windows\HMV6R6P.exe	winlogon.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	system.exe
File opened for modification	C:\Windows\HMV6R6P.exe	system.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	service.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	2520	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
2700	service.exe
2100	smss.exe
2524	winlogon.exe
2520	system.exe
2228	lsass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2700	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	28
PID 2040 wrote to memory of 2700	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	28
PID 2040 wrote to memory of 2700	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	28
PID 2040 wrote to memory of 2700	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	28
PID 2040 wrote to memory of 2100	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	29
PID 2040 wrote to memory of 2100	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	29
PID 2040 wrote to memory of 2100	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	29
PID 2040 wrote to memory of 2100	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	29
PID 2040 wrote to memory of 2520	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	30
PID 2040 wrote to memory of 2520	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	30
PID 2040 wrote to memory of 2520	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	30
PID 2040 wrote to memory of 2520	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	30
PID 2040 wrote to memory of 2524	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	31
PID 2040 wrote to memory of 2524	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	31
PID 2040 wrote to memory of 2524	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	31
PID 2040 wrote to memory of 2524	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	31
PID 2040 wrote to memory of 2228	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	32
PID 2040 wrote to memory of 2228	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	32
PID 2040 wrote to memory of 2228	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	32
PID 2040 wrote to memory of 2228	2040	11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe	32

C:\Users\Admin\AppData\Local\Temp\11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  "C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2700
- C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  "C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2100
- C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  "C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Sets file execution options in registry
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2520
- C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
  "C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2524
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CFP2W4F.exe

Filesize
459KB

MD5
370477a39a749ec9b034e7f0a1448fed

SHA1
c4ac70e98c3715dc3110da1eb089f1953f86279e

SHA256
3c83356a65381eafbd8e07a0dd5dbaa44273b6f7d8d697b61d73b7941990df55

SHA512
2993690fd9f51718fc5dbed15be6999a8bbb8401eff64478f293c87e841274684f272884ec32ce1e4be76079e8158e7169643ad835d5fd56dfc925a856f344f2

Download Submit
C:\Windows\HMV6R6P.exe

Filesize
459KB

MD5
01db8e1a80423dec8c117df2bed1d51d

SHA1
c2f7fe4f86dc982727a342eb8618226dafff40ee

SHA256
86746ce45a28f0f911b78e1c2afad04c9b42d656db135fd572cd06d0a9abbea1

SHA512
3aef77d6f73fc05beb9bfab69a160db734b694e6c94d727954aefa4e5b7de9ab92e0c94f34946c123ffa17984d14964fda386aea06c64b794024b7245ef3208c

Download Submit
C:\Windows\HMV6R6P.exe

Filesize
459KB

MD5
11d03a613a3df8fff9895c5a409e4f90

SHA1
6d9cc2824e484ff397d07e14216d4ac1c3a8c9ff

SHA256
6edfa5be11519c5d59adc911cb00eea34a17bd163bea0de58b4e5b9f7c66c327

SHA512
5acef25bcbe1a157c7292f6543a853924a803727f4a3b2999ba5bba9e7acd9823b8afba83172b738a1dd5e7ccb4c78f8b796dab10243ae4361a6f18cca34d791

Download Submit
C:\Windows\HMV6R6P.exe

Filesize
459KB

MD5
9d0d0f633cf7dbe6c2b87fdae2b599dc

SHA1
a6af64e5c295b047117b5f40a6d6613e777142a9

SHA256
e625ba7b5eb4e6be37b33b134b46c231bb93ffc598507c63710c101e335a0ec9

SHA512
fe7c95a750c5db50c6f709a7338cf99d3a8be4e21c86faf9f51ecdac7402b90425bef6cc6e864ee56c785ef9f25da945dc6c79eb5e765ee26205579711d12007

Download Submit
C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe

Filesize
459KB

MD5
b7ae543ff9319907b022430754aaa31b

SHA1
2fc7238af694cf9891582fbb86dcfc7fc6fe4a82

SHA256
2d41523925e6b885c5a6d1db0fd32a8aca5b21624f2ba27639f02749844cae06

SHA512
6199c9f70839c5c52727f0d42c26d069f9a94895a20073e3e45939c31eadf90ecb2c09cd8e89d28679f9f0aba3541ee8a6716a44a989ebc44837cda9630f765c

Download Submit
C:\Windows\SysWOW64\LGE7L3HHMV6R6P.exe

Filesize
459KB

MD5
ba53c03211a78d5fbedb39b0ffdf4095

SHA1
645b1cb9488c2b292ef324a80e39c2b5ffc7c6e3

SHA256
a935590bddab2c24078080a83d104534ca49b81e624469908dd5217d424e12b7

SHA512
4b78def1da54176218783da761f3f15e340d6eeddc2835edf10dfd212ec213d8a7f18f963ed286bd89a2d5cefdeebbd396712a81944b9cdedc8ef2fa084fd60c

Download Submit
C:\Windows\SysWOW64\RQU2C1M.exe

Filesize
459KB

MD5
57752d1ef18aa391dce8fd441b94d72f

SHA1
8a0608d4bdab186569149bd9ae283bb1ca484a46

SHA256
8b868d25e1d9f2e444474a6c7b75101e1a584f0ce6de38131e22f39303f1f973

SHA512
4ea17f0231944cf206c9501ce44411323a432c6e7ea3af36ab09503c69f3847a86e67988e934fd6813cc013283a412324825dbf3bcd143133e4a3570c691eb97

Download Submit
C:\Windows\SysWOW64\RQU2C1M.exe

Filesize
459KB

MD5
7d5236eba49a2f7cf41e87a2cca49e5b

SHA1
2b1cc8d070f2a92bccb44c64411666a490db2847

SHA256
cbdac394fcc80deadca693827c57c01ed84b5873a6a3431006cb2a127c68365d

SHA512
c2be65db15fdbf238affdd945afff47149347be085d26537b258bd2ae21f883f70b2c13129c4a49f1938d61a72532395a0aac6cc7e7018985e8e7cbb067661b2

Download Submit
C:\Windows\SysWOW64\RQU2C1M.exe

Filesize
459KB

MD5
70a10e5cd95c2d3fd889ccbe0e683e35

SHA1
f1cd80488440d4c05d7a93f77bd813c457803dc7

SHA256
8d08a1ec4901e054d66e6851b9e28737182452ec30df6e92d53c589b7b50ac76

SHA512
c66bf30c183cea0365d984df6baf5e7cc968c13ae9c8315c9802ff40fe9e8d34564069943e118c5b7f9b9759a52313104b26f611f1567496c05557e4c9738393

Download Submit
C:\Windows\SysWOW64\RQU2C1M.exe

Filesize
459KB

MD5
780bbca5ad7cf16c5739eaf0a40648ae

SHA1
df7ddc45d5593e0cd57da1df326e6022e750d33c

SHA256
4a9f456daa0715180744db2e869b6a0d3eb487478c624b42c70df3891a114ba0

SHA512
9cde1566885c1909baedf8e82f020bb703e0828c3a017d9cafc4fc00b5c6ec93490d7a3730a82e72c14d320b40cf4bd77f60001cf07f0f898d355191f97271f8

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
78a1cbc499de9b93482a47627f1c61e7

SHA1
020808c478e04d8c8232ae9df99ff5b85de33326

SHA256
a1db3fe428275dcbcaee487e60f5ab86ca5dff9710cab41585b380db38c66c18

SHA512
e8d1c85ad53b88475323b05ec2f27cf59a86e5b13cffc0e4e7fdf79afa6b0bef66b1020b981e9ba2471973e5b0ec8d4f091dc57849627d9a5c3f3f322b899581

Download Submit
C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\JYI1R8Y.exe

Filesize
459KB

MD5
5019a1915a77dbafbdecc65e8fb002bc

SHA1
5a35fc5dd3b673669f6048f8ce331f615007b0d6

SHA256
42a6080f30b401c0a52d08c3ed2f58fc49a4608c81e1bc85c493c776dad48c3a

SHA512
678204a3662af6cf99de1d9acbd6cf826ecf60243d312159d5ccd378897e51a69dc173ac7eabe3cfed284b4f32c2894489c5d1b6bf78e3c147f5e494764d1573

Download Submit
C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com

Filesize
459KB

MD5
c939e0b33d3b8f823912a405538be978

SHA1
38e472eb17bcebc46c257f409d225655a44fd393

SHA256
1524e783ae7a22e18a8cf3bebe37b45ae26a7264fd8634811b4041c59e6a0fe2

SHA512
13b27e7c1cefa8587d968e6aeef4fd00144a0f4898cdd73162a26a1a3d2a3e4f4b112a02a22df444c4d52094ca94e01452a5ca2b657ce241b007ec9c502e9084

Download Submit
C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\WCW2D0T.com

Filesize
459KB

MD5
f3db55c859084abafea3a163435a0526

SHA1
6aa94304bc3dada708d35976c06ad7450f25479a

SHA256
0599a5be884e0e6d6f2ebba99bde9ee842bf888820914a7ba63c8896ef6e3da5

SHA512
20b6d666663ea5849dc246e39b487a9b2d5d9cae8b58ca9f07a8402d58c751ceeb19a723f86647a64091be98c435f2d133b6f9f87cf47f2177b718b9b66eebc7

Download Submit
C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

Filesize
459KB

MD5
2ced9bbbcbe0d829bed187ee226a44af

SHA1
77b5b2e2a3c0b8f83bbf6c2a792258bce580eade

SHA256
fda93900d74a1078f3963f9c2e02f7dbbc6e748bf3b410d7ee7abcd0d5d70e62

SHA512
e1bc6af1e7ebb800121fc8142ad7256433f85ddd36619dc117727e7a26ca3c5532c9ef89f5a4f4d18824576e6d6e990c8ad7b00390449fa36bb6531d81aca480

Download Submit
C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
459KB

MD5
5adcbbf22b6e553517b119d2b0c42951

SHA1
9fc540176bb2e872df2d46ed500e7509dffda572

SHA256
352363e3bde1d276ba9261c6379f6c40b4dfaa587d8600c45bb4a03e413fd8e6

SHA512
c30d380e8b6b585f2705b28a1c1d4e241d9471fd47f4638f5891121c808d9a86463467dba149cdda92268ad0564b5572c6f6511da7b77fcc62100ed122baf2ec

Download Submit
C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

Filesize
459KB

MD5
4a935d64310659fbca2aa672444b6d5c

SHA1
44fc6438cd83710e89394b248c620fce660c2450

SHA256
062e81a2a278f2748fac027ce8b2f08afd59b537ea8695c03d744726c62234f6

SHA512
d4312cda2b7b9f55a5fb4b0fc7556c3af3ed9145109818a6af7bf4c135bd0d6b0824321ac4e6ad690dd560c81c489845702b4fda83d26ce8785db74eb0ccbc40

Download Submit
C:\Windows\XGM8N2Y.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
459KB

MD5
1fbb9e30edd1b300a9606f9694e87d2e

SHA1
9801fd2aace8e4199561d4e6ee592a1485087634

SHA256
0eb131979f83647fc9cc631d7991b7b2363742573e419fdee2c2f87a4b35eb49

SHA512
af60921356d74996e83ad1f2713383bd8fec3c2844e8dde6bc99202d63d77a7eedf26d795b29026a39398464a1a22e692d416006bca37b34a6297aaff00fbcbd

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
c4b8a8c69c01cb54185f2b9b00389020

SHA1
0bf59a8c0c08b2d0aea013670e796dfb3d44deff

SHA256
5a4ce5403b4725c5e9ed26e43d861967c26f0de0b57eebf1812cc729c2dc48f7

SHA512
4ee088d3acca98e2263ef7cec96d29461025f297a026f9fe30b5759a2c7b4abceb11ebc9e8b30ccb876b9bedd66bc692b4a33aefa933b5a8951c5a4837e5cd28

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
222412a7b673f2ecdc4ff160c9fa978c

SHA1
9917fd91cb58b99d38bd73a5a806fb8e97415f68

SHA256
d51b2923593321a3d413c512e622774a8cc1589366284096aee06468a1dca159

SHA512
5701792206f9e9ae977b60d547b8ce953718c847c2c25158a4135dbc5877cb7b5dfcba7e3aaebf8ffb983bfe64b21a6985af978e088bc60071aee7f349b8f927

Download Submit
C:\Windows\lsass.exe

Filesize
459KB

MD5
9784d11115e6f36107b171304d74dfad

SHA1
b7c623866cbe8d93bd369b613c6a7e93f0572250

SHA256
8344d83faaff0ebcebca5b0ea2174d91bb621c0ad5b53b4e1b8683e225082b63

SHA512
212e94bbaa440ff843f20bea9d5bdd49a9cc8ce29d07b5466c0ef53ada7a11b7c134dfab38c1c27b57573868bf1906be37419246de8ab9f0f78275ab251dcce3

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
46b965cd41e27870e027040d858d9dbc

SHA1
a0abba4c006f43e3d2db8cfcfc73b37433f6beeb

SHA256
6a532c72ef13f2bf27592051ddb9e834af475c2aa452ac127f075b9b793d9ca3

SHA512
ce8077df1b4c3c9db720afd41cadaf62a5b36a4d9fd327491025ff7dd8660c060ee55bb3b08b909e4a17f2e06abe862c43fe1c869be674bd59f23b263bb3fe23

Download Submit
memory/2040-56-0x0000000003660000-0x00000000036D3000-memory.dmp

Filesize
460KB

Download
memory/2040-185-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2040-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2040-57-0x0000000003660000-0x00000000036D3000-memory.dmp

Filesize
460KB

Download
memory/2040-55-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2100-249-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2100-70-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2228-253-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2228-186-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2520-150-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2520-240-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2520-250-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2520-252-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2524-251-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2524-149-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2700-248-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2700-58-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads