cb4433be105e2aaa78abc981c8b81d03b99c9f5085b50a739deb92d74f86c7e1

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Size

91KB
MD5

74ba210144084604c7c8fb2f1099dc10
SHA1

48a40bfbc98db0bf0136df818852ed7ee24fd0db
SHA256

cb4433be105e2aaa78abc981c8b81d03b99c9f5085b50a739deb92d74f86c7e1
SHA512

10f445872ddc4ef81af3ea56c873bcbf544765206cef3a34cc2420171e1653663d4aeadb2ae2c51b4c7a8b83f4d4fc04de79ab4a8337c0f956b8e87e26d82b42
SSDEEP

1536:XJRtlEnBHHIgabuYotV/JbJCX5SBiC1JRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQIuvtYxOuYotvYQIE

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2704	xk.exe
2868	IExplorer.exe
1496	WINLOGON.EXE
1548	CSRSS.EXE
868	SERVICES.EXE
384	LSASS.EXE
1168	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2020-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000016c7a-8.dat	upx
behavioral1/files/0x0007000000016cf5-109.dat	upx
behavioral1/memory/2020-112-0x0000000002360000-0x000000000238F000-memory.dmp	upx
behavioral1/memory/2704-114-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000017387-115.dat	upx
behavioral1/memory/2704-117-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2868-124-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2868-128-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000017465-129.dat	upx
behavioral1/memory/1496-136-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1496-140-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000017474-141.dat	upx
behavioral1/memory/1548-148-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1548-151-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/868-161-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/868-164-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0031000000018649-165.dat	upx
behavioral1/files/0x000500000001865b-174.dat	upx
behavioral1/memory/384-182-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2020-183-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2020-190-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1168-189-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
2704	xk.exe
2868	IExplorer.exe
1496	WINLOGON.EXE
1548	CSRSS.EXE
868	SERVICES.EXE
384	LSASS.EXE
1168	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2704	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2704	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2704	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2704	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	28
PID 2020 wrote to memory of 2868	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 2868	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 2868	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 2868	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	29
PID 2020 wrote to memory of 1496	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	30
PID 2020 wrote to memory of 1496	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	30
PID 2020 wrote to memory of 1496	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	30
PID 2020 wrote to memory of 1496	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	30
PID 2020 wrote to memory of 1548	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	31
PID 2020 wrote to memory of 1548	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	31
PID 2020 wrote to memory of 1548	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	31
PID 2020 wrote to memory of 1548	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	31
PID 2020 wrote to memory of 868	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	32
PID 2020 wrote to memory of 868	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	32
PID 2020 wrote to memory of 868	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	32
PID 2020 wrote to memory of 868	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	32
PID 2020 wrote to memory of 384	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	33
PID 2020 wrote to memory of 384	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	33
PID 2020 wrote to memory of 384	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	33
PID 2020 wrote to memory of 384	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	33
PID 2020 wrote to memory of 1168	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	34
PID 2020 wrote to memory of 1168	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	34
PID 2020 wrote to memory of 1168	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	34
PID 2020 wrote to memory of 1168	2020	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\74ba210144084604c7c8fb2f1099dc10_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2020
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2704
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2868
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1496
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1548
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:868
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:384
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
74ba210144084604c7c8fb2f1099dc10

SHA1
48a40bfbc98db0bf0136df818852ed7ee24fd0db

SHA256
cb4433be105e2aaa78abc981c8b81d03b99c9f5085b50a739deb92d74f86c7e1

SHA512
10f445872ddc4ef81af3ea56c873bcbf544765206cef3a34cc2420171e1653663d4aeadb2ae2c51b4c7a8b83f4d4fc04de79ab4a8337c0f956b8e87e26d82b42

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
95b07bb08e62a65ba2b84f7003541d3d

SHA1
2556190d87e5d8f8950fbc321d668e77d286100f

SHA256
48c61bd432fa874c5cd4c406c93c22d59b093b062d65c896ad1c9f072db66ff6

SHA512
681a6f0de84b6aa58ade633c4369da3fc8177c8514feb5d411a8eae361a80650013db61fd8e683e558302ba103bde265bd5485b92f6c044545bce54e39567946

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
919c11bdf3cdf276d31b9bb7ee9e43d0

SHA1
b1ea1f62a78ffda2c1d072a691d54f0e2ee2e163

SHA256
50b616c7c58b55cac1a6cec93d0fff3efb45987d21aa798e4e1048082938445f

SHA512
e4fe4343e2e39dadee26b107823944693560cf43bface83c9ac32a98827d6aa571b92ba80acbcd37d2e70f9c05f3249f26657ea5819fd9a1e8acb45bb8e924be

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
75782d9e6c7c9fc2fea2c8ee306d68cd

SHA1
e02cb59c63742d742cb0289432700d92838dfedc

SHA256
68ddbcf76d7f5d7f9df404fe53f962339edea8c5d31a2308f09aff78e761d0bd

SHA512
c91ccf97257c47f54d962a931f74addc3e8888b3866ae0a11becd28c880283ed7403598e83d29759ae373913372ae1a058234ac2b77d3da4e7eabceb84e5df0a

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
4491cf456b215c8a1b387283ded55858

SHA1
ea08408cb0c444e821c022c7eac6a23dc694157e

SHA256
3aa0bbb0048192bf65533d61b148349bf0c26d86605a3701fc1fb2aa14315a11

SHA512
d737def55de0b91074d88a4e5993b641498af405e21907c0401feb352a2516b943e58e1b482d25f54c274634068ae4056f5306b35b4647c8ced78dbe178c9882

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
794c354dfcc912dd99481189bf3e7dad

SHA1
47b59482d11c5613f7ab966c388a369b449746ff

SHA256
5c637e15f123cdb7f09bbd13f646783d8d9968ab016b8e2d5a8da626e85fe772

SHA512
6c02ff5116e5f9fb4830690fa2a896311957213e75ac31f5f5a9f8b58350c7856cb4fb01a13e3eb30988b8f8a74bc0ff8d8520c2344cf4a0638c6365163e053d

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
a8d625b12115052315d8cfdd734dd172

SHA1
b39c663f31e3a08ffc987219dd129ff3d7cfc081

SHA256
5d4d0ff9806b339ee32cfb229e7f82d19c4b133ae044a00cd3df27e5f2bed469

SHA512
aa112f63578e4a0aeb8fa3c870a03b57f7fbf98e273861ee47f2e2c7771ce574855c6717892836846f97404599e68ad5e7d5b5ecb678ffa63dc60d389003108d

Download Submit
memory/384-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-112-0x0000000002360000-0x000000000238F000-memory.dmp

Filesize
188KB

Download
memory/2020-160-0x0000000002360000-0x000000000238F000-memory.dmp

Filesize
188KB

Download
memory/2020-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-113-0x0000000002360000-0x000000000238F000-memory.dmp

Filesize
188KB

Download
memory/2020-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-184-0x0000000002360000-0x000000000238F000-memory.dmp

Filesize
188KB

Download
memory/2020-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download