1cf0bbb7b82cc430e0ea25f689b0e6499438d7ae71a29d22b15dfd10aba965c0

Analysis

max time kernel
94s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
Size

232KB
MD5

c4c1c3b831d367ecb77e0872c1eff460
SHA1

61a9bbdcacc71343133d63b849efb3ff2dcc2817
SHA256

1cf0bbb7b82cc430e0ea25f689b0e6499438d7ae71a29d22b15dfd10aba965c0
SHA512

8bfae7e3446c562c19f7148d112f9886f013345ddb222501f26ddc1530aa186b099817c0c6eb9dd6139653854b5c6bd81dcc1932fe898619cee89233fe612cb6
SSDEEP

3072:N1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1Vne1i/NU82OMYcYU:vi/NjO5xbg/CSUFLTwMjs6wi/N+O7

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/392-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x00080000000233f1-10.dat	upx
behavioral2/files/0x00070000000233f2-11.dat	upx
behavioral2/memory/392-171-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ie.bat	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\qx.bat	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\windows.exe	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\windows.exe	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422451512"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0de1f02f3a5da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{15903986-11E6-11EF-BCA5-C2BABBD8D0A3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31106546"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31106546"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a415000000000200000000001066000000010000200000008b00929d5704997e005a53210c21a7b467bab6a8efd47b69293a26be21dbea12000000000e800000000200002000000094d5766a9e3b06a3eea18439bce8fe6aeea54431d5f2d8374e9160e12236018020000000431a58ca5217939b171e5648c45f1460d646968c74f579ca9afa83429f978be2400000002617d6babb450502beb7386d938c690c939a370c43b0760eb072e74a1d06f19d2efaccd11a38c65e3229e0f6f822053ddb9785fb58bcb2cacd81d9a053af9e58	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3924366308"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3928272892"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3924522743"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007bd2b5d2c6d91e4f8f2c8e8b7d41a4150000000002000000000010660000000100002000000088baea7580378c237b038ff45e11252829382a8249518bdadd8097ef8df1e70d000000000e8000000002000020000000be6a8264cb192efea12efdb4a9c0209dfd88c34d3b770fb60b6c8f4dcd9223df2000000030df03937a0f4d0af6125d3a8c3d251eb8414bb5f11acdec8d1c207ccd6be8bd4000000034fa491d942980e85e0c30396ffeb72edfe1698428102540d8026222845f4d13e670d32e9b14ef795394e4b15de748f913e6ce1d4912f5f014f9c584370dbd8a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31106546"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c07b2902f3a5da01	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4404	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
4404	iexplore.exe
4404	iexplore.exe
3708	IEXPLORE.EXE
3708	IEXPLORE.EXE
3708	IEXPLORE.EXE
3708	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 4404	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	82
PID 392 wrote to memory of 4404	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	82
PID 4404 wrote to memory of 3708	4404	iexplore.exe	83
PID 4404 wrote to memory of 3708	4404	iexplore.exe	83
PID 4404 wrote to memory of 3708	4404	iexplore.exe	83
PID 392 wrote to memory of 1128	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	84
PID 392 wrote to memory of 1128	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	84
PID 392 wrote to memory of 1128	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	84
PID 1128 wrote to memory of 4012	1128	cmd.exe	86
PID 1128 wrote to memory of 4012	1128	cmd.exe	86
PID 1128 wrote to memory of 4012	1128	cmd.exe	86
PID 392 wrote to memory of 4380	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	87
PID 392 wrote to memory of 4380	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	87
PID 392 wrote to memory of 4380	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	87
PID 4380 wrote to memory of 2332	4380	cmd.exe	89
PID 4380 wrote to memory of 2332	4380	cmd.exe	89
PID 4380 wrote to memory of 2332	4380	cmd.exe	89
PID 392 wrote to memory of 2596	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	90
PID 392 wrote to memory of 2596	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	90
PID 392 wrote to memory of 2596	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	90
PID 2596 wrote to memory of 2268	2596	cmd.exe	92
PID 2596 wrote to memory of 2268	2596	cmd.exe	92
PID 2596 wrote to memory of 2268	2596	cmd.exe	92
PID 392 wrote to memory of 3116	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	94
PID 392 wrote to memory of 3116	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	94
PID 392 wrote to memory of 3116	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	94
PID 3116 wrote to memory of 2800	3116	cmd.exe	96
PID 3116 wrote to memory of 2800	3116	cmd.exe	96
PID 3116 wrote to memory of 2800	3116	cmd.exe	96
PID 392 wrote to memory of 3604	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	98
PID 392 wrote to memory of 3604	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	98
PID 392 wrote to memory of 3604	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	98
PID 3604 wrote to memory of 3924	3604	cmd.exe	100
PID 3604 wrote to memory of 3924	3604	cmd.exe	100
PID 3604 wrote to memory of 3924	3604	cmd.exe	100
PID 392 wrote to memory of 2400	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	102
PID 392 wrote to memory of 2400	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	102
PID 392 wrote to memory of 2400	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	102
PID 2400 wrote to memory of 1864	2400	cmd.exe	104
PID 2400 wrote to memory of 1864	2400	cmd.exe	104
PID 2400 wrote to memory of 1864	2400	cmd.exe	104
PID 392 wrote to memory of 4724	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	105
PID 392 wrote to memory of 4724	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	105
PID 392 wrote to memory of 4724	392	c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe	105
PID 4724 wrote to memory of 4760	4724	cmd.exe	107
PID 4724 wrote to memory of 4760	4724	cmd.exe	107
PID 4724 wrote to memory of 4760	4724	cmd.exe	107

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4012	attrib.exe
2332	attrib.exe
2268	attrib.exe
2800	attrib.exe
3924	attrib.exe
1864	attrib.exe
4760	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c4c1c3b831d367ecb77e0872c1eff460_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4404 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    3⤵
    - Views/modifies file attributes
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    3⤵
    - Views/modifies file attributes
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\WINDOWS\windows.exe"
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "c:\system.exe"
    3⤵
    - Views/modifies file attributes
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7KQBJSM0\favicon[1].htm

Filesize
776B

MD5
0542ad8156f4dfca7ddcfcb62a6cb452

SHA1
485282ba12fc0daf6f6aed96f1ababb8f91a6324

SHA256
c90cdefdb6d7ad5a9a132e0d3b74ecdb5b0d5b442da482129ba67925a2f47e8f

SHA512
0b41affa129277bf4b17d3e103dc4c241bc2ac338858cc17c22e172ec2ac65539b63e802246efb462cd134d99907d9c5ed9bc03937cadcca3155b703ac6e3195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7KQBJSM0\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOWSKSPC\js-sdk-pro.min[1].js

Filesize
33KB

MD5
24bb520e9517f2ed3ed987b46aeaf723

SHA1
846723563d7dd2bff3954f93633b11af0103adc8

SHA256
d1f1bfe698f2ffb7b3e7a885a301d58f9554d45df0a31c3e8b53c84b33c80d27

SHA512
31afbcd2ee87c84cc3e56355da8ddc741a69d918c2687984265745d8046deb18c494cbca6aaf8d4eae6b035e888e6f7cf9b0d59a255f2714963d7b3edbb3c87f

Download Submit
C:\WINDOWS\windows.exe

Filesize
232KB

MD5
718e7172e9a46614a4417d1538985331

SHA1
95d6e982f9733761f8e2b2769515c0be9f4c6084

SHA256
c653b06203cb759b1438f9c6fbf991b4d452c6548763a745272c3a9800db2074

SHA512
30b9d6301a5a43e611c04bd84c608d01e3a5766de7d9eb33b667aa482f5aa5b558710b561ba69ba10f5887142e31ea9a4dd7050c83f919cdcb40c59783743e0c

Download Submit
C:\system.exe

Filesize
232KB

MD5
77d6d66d240ef8a52c13817676336f71

SHA1
4a7b87d4b70ccfc68c2aea0e910668fc64dfde9e

SHA256
672e55c8c87810a2a67a464bcd5b88bbb4f177cf20ad49503dc38e8561323d3a

SHA512
797e045eb86d7d1251456445f4cf7336ffdfa12e1a84ef6871d30d4039ac27360f4527b86e38418ea9d9b437ed0d73ee0640a91e68ab978f5fb7402fd100ba6d

Download Submit
memory/392-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/392-171-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download