e5133d3ccb0977afe48bb15cd4ad2e20ec6e9e0038408b276834dd43c892c536

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Size

91KB
MD5

2995ea99fc306dea426010477880d360
SHA1

118c85391b8e2cda8e47bf5d9a715a25342cc936
SHA256

e5133d3ccb0977afe48bb15cd4ad2e20ec6e9e0038408b276834dd43c892c536
SHA512

8a28d04dab7059f021336026343c5b4fa3080150e34e9ffcecc44ffa6801c1c4a517b4934f1a274c5d3b08f0853da6ba532f4bc33eb7695da57a2350cc1011c5
SSDEEP

1536:ERsjdf1aM67v32Z9x5nouy8VTIRsjdf1aM67v32Z9x5nouy8VTQ:EOaHv3YpoutNIOaHv3YpoutNQ

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1108	xk.exe
2496	IExplorer.exe
1280	WINLOGON.EXE
1324	CSRSS.EXE
2180	SERVICES.EXE
1680	LSASS.EXE
2724	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1720-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0008000000013a6e-8.dat	upx
behavioral1/files/0x0008000000014597-108.dat	upx
behavioral1/memory/1108-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1108-114-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000146fc-115.dat	upx
behavioral1/memory/2496-123-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2496-126-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001471a-127.dat	upx
behavioral1/memory/1720-134-0x00000000006D0000-0x00000000006FF000-memory.dmp	upx
behavioral1/memory/1280-138-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1720-146-0x00000000006D0000-0x00000000006FF000-memory.dmp	upx
behavioral1/memory/1324-149-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001487f-150.dat	upx
behavioral1/memory/2180-159-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2180-163-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000014a9a-161.dat	upx
behavioral1/memory/1680-170-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1720-169-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1680-173-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1720-181-0x00000000006D0000-0x00000000006FF000-memory.dmp	upx
behavioral1/memory/2724-185-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1720-186-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
1108	xk.exe
2496	IExplorer.exe
1280	WINLOGON.EXE
1324	CSRSS.EXE
2180	SERVICES.EXE
1680	LSASS.EXE
2724	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1108	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 1108	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 1108	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 1108	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2496	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	29
PID 1720 wrote to memory of 2496	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	29
PID 1720 wrote to memory of 2496	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	29
PID 1720 wrote to memory of 2496	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	29
PID 1720 wrote to memory of 1280	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	30
PID 1720 wrote to memory of 1280	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	30
PID 1720 wrote to memory of 1280	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	30
PID 1720 wrote to memory of 1280	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	30
PID 1720 wrote to memory of 1324	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	31
PID 1720 wrote to memory of 1324	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	31
PID 1720 wrote to memory of 1324	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	31
PID 1720 wrote to memory of 1324	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	31
PID 1720 wrote to memory of 2180	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	32
PID 1720 wrote to memory of 2180	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	32
PID 1720 wrote to memory of 2180	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	32
PID 1720 wrote to memory of 2180	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	32
PID 1720 wrote to memory of 1680	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	33
PID 1720 wrote to memory of 1680	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	33
PID 1720 wrote to memory of 1680	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	33
PID 1720 wrote to memory of 1680	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	33
PID 1720 wrote to memory of 2724	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	34
PID 1720 wrote to memory of 2724	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	34
PID 1720 wrote to memory of 2724	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	34
PID 1720 wrote to memory of 2724	1720	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2995ea99fc306dea426010477880d360_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\2995ea99fc306dea426010477880d360_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2995ea99fc306dea426010477880d360_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1108
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2496
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1280
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1324
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2180
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1680
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
2995ea99fc306dea426010477880d360

SHA1
118c85391b8e2cda8e47bf5d9a715a25342cc936

SHA256
e5133d3ccb0977afe48bb15cd4ad2e20ec6e9e0038408b276834dd43c892c536

SHA512
8a28d04dab7059f021336026343c5b4fa3080150e34e9ffcecc44ffa6801c1c4a517b4934f1a274c5d3b08f0853da6ba532f4bc33eb7695da57a2350cc1011c5

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
9a3b0b13172f05192397c6b807e4bf6b

SHA1
074df428091b60dc86768480d18c86165c559d92

SHA256
6af03fbfa1b95c1ef6294c338df40497e0f0a68285da9c783ef2d77c138a881e

SHA512
ba6933eab6f2df52c52a5c1d72e4192e30765ae78e5180a494fbb2c6dc12dfa3b9faa90bccd87b1bed36141e762ab5b1f9abc05de7e849a8ba25728ff756df43

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
ab735a936bdcc469da2c47137fb78dc1

SHA1
6aa02790e4aa696c945a5946baa64e1df8fd596d

SHA256
920ec7286d53ec443ea0ab0678ff3eab9feb6d2e1bc8bf96d0af90b373b3aaff

SHA512
dd79f6a5f5f49d758719ebbcb9f84e14f5cf0d314b6cf885c25440332a2e3fcf21ff90fa0be61f009e13ee6884d38f5b86338cd1e290abbfe87292913bdc2dc5

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
cc82943b84c2808f54ece7e89ebdb91b

SHA1
000915b5bad50771f97538f9e23be0e4fb797c61

SHA256
ad2cd0451fa123467d74ca4ac07a28572203be60bb42a0527ef2f28e39950ab8

SHA512
fde0a91e3179f8b43100fe1117c5a58c52209e630b2932964d01e53b3a5e1472d228f2c3dcae5ebc18cdaa5277c9af1ed44a9dca8a19236c0eb60a7a6392948e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
b8469e42ad482739f8b3aa8b2dc2682c

SHA1
a0066c7aba338ef3a06a3450500bdd21dddc2b2d

SHA256
1ca0059e31ac56df445332b07e7315a8aefc17e8b06d8b1835e768a049db19f7

SHA512
3c2821a9b3eea5ac3baf09e4291de07a4cd7acd8e37a9413c8f4ff7926e8b9e733de5d4741bdcb44765e0925f4a82d8dd478d7df54ccc3810eb43ece41525074

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
fb1140126feb95967942a0aee7de1813

SHA1
341060573456e5676a6386f82484f764b2dd6c6e

SHA256
78b2e83ebdff3f61bdf78585460a39728263c4f9b64e18f99576af16114824a0

SHA512
8c3b52702feb3080203e020ddb16692a2a3dee8ecc8796731ce13ef66ecf3160f22e557978f154730338f395c3668c809744c63ef14268111cffd722da8690d0

Download Submit
memory/1108-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1280-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1324-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-134-0x00000000006D0000-0x00000000006FF000-memory.dmp

Filesize
188KB

Download
memory/1720-109-0x00000000006D0000-0x00000000006FF000-memory.dmp

Filesize
188KB

Download
memory/1720-146-0x00000000006D0000-0x00000000006FF000-memory.dmp

Filesize
188KB

Download
memory/1720-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-122-0x00000000006D0000-0x00000000006FF000-memory.dmp

Filesize
188KB

Download
memory/1720-181-0x00000000006D0000-0x00000000006FF000-memory.dmp

Filesize
188KB

Download
memory/1720-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-110-0x00000000006D0000-0x00000000006FF000-memory.dmp

Filesize
188KB

Download
memory/2180-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2180-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download