Analysis
-
max time kernel
149s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
16-05-2024 00:44
Behavioral task
behavioral1
Sample
66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe
-
Size
45KB
-
MD5
66caf603baa5fcce64131292a13afe30
-
SHA1
7b8710d4c2a373f354d6b4dc1ad83422b3181ea1
-
SHA256
0621355ac15ceecdedc4a2eb62db26b08643b3d52bed0275895abb3956cae3f3
-
SHA512
b5185aa320fe3c65444520291a9cd9471ed3d5ce0828fb6ea709a65f3d0adf4adf0e04503049378d0807638f8eafd733e0aed8156cd3e1beff458f7f86230c7f
-
SSDEEP
768:/h4AXKiTroAq0RB+XPPmNwQLNXEzTxideVASwekft5nEwe:/a8jroAbRB+XWCQLZeIdSwk9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" csrss.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" babon.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" babon.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" babon.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" babon.exe -
Disables use of System Restore points 1 TTPs
-
resource yara_rule behavioral2/files/0x0007000000023413-8.dat aspack_v212_v242 behavioral2/files/0x0007000000023416-100.dat aspack_v212_v242 behavioral2/files/0x000700000002341a-106.dat aspack_v212_v242 behavioral2/files/0x000700000002341c-114.dat aspack_v212_v242 behavioral2/files/0x000700000002341d-120.dat aspack_v212_v242 behavioral2/files/0x000700000002341e-126.dat aspack_v212_v242 behavioral2/files/0x000700000002341f-133.dat aspack_v212_v242 behavioral2/files/0x000700000002341f-170.dat aspack_v212_v242 behavioral2/files/0x000700000002341f-208.dat aspack_v212_v242 behavioral2/files/0x0007000000023419-284.dat aspack_v212_v242 behavioral2/files/0x0007000000023418-282.dat aspack_v212_v242 behavioral2/files/0x000700000002341f-297.dat aspack_v212_v242 -
Executes dropped EXE 30 IoCs
pid Process 2980 babon.exe 4420 IExplorer.exe 2952 winlogon.exe 4580 csrss.exe 1872 lsass.exe 3560 babon.exe 3624 IExplorer.exe 5088 winlogon.exe 4124 babon.exe 2740 csrss.exe 3184 IExplorer.exe 4712 lsass.exe 2544 winlogon.exe 4784 csrss.exe 4544 babon.exe 1408 babon.exe 5116 IExplorer.exe 4192 lsass.exe 2912 IExplorer.exe 1620 winlogon.exe 4496 csrss.exe 2972 winlogon.exe 2376 babon.exe 2592 csrss.exe 4904 IExplorer.exe 3408 lsass.exe 4608 lsass.exe 2884 winlogon.exe 2056 csrss.exe 2224 lsass.exe -
Loads dropped DLL 5 IoCs
pid Process 3560 babon.exe 4124 babon.exe 4544 babon.exe 1408 babon.exe 2376 babon.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command babon.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" IExplorer.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\E: lsass.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\V: winlogon.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\T: lsass.exe File opened (read-only) \??\I: IExplorer.exe File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\M: lsass.exe File opened (read-only) \??\U: lsass.exe File opened (read-only) \??\H: babon.exe File opened (read-only) \??\N: IExplorer.exe File opened (read-only) \??\B: csrss.exe File opened (read-only) \??\K: winlogon.exe File opened (read-only) \??\T: winlogon.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\B: winlogon.exe File opened (read-only) \??\U: winlogon.exe File opened (read-only) \??\B: babon.exe File opened (read-only) \??\E: babon.exe File opened (read-only) \??\K: IExplorer.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\X: IExplorer.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\B: lsass.exe File opened (read-only) \??\O: lsass.exe File opened (read-only) \??\V: lsass.exe File opened (read-only) \??\O: babon.exe File opened (read-only) \??\G: IExplorer.exe File opened (read-only) \??\M: winlogon.exe File opened (read-only) \??\R: winlogon.exe File opened (read-only) \??\H: lsass.exe File opened (read-only) \??\J: babon.exe File opened (read-only) \??\R: IExplorer.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\Y: winlogon.exe File opened (read-only) \??\Z: lsass.exe File opened (read-only) \??\L: IExplorer.exe File opened (read-only) \??\K: csrss.exe File opened (read-only) \??\E: winlogon.exe File opened (read-only) \??\O: winlogon.exe File opened (read-only) \??\W: lsass.exe File opened (read-only) \??\M: babon.exe File opened (read-only) \??\S: babon.exe File opened (read-only) \??\Z: babon.exe File opened (read-only) \??\I: lsass.exe File opened (read-only) \??\S: lsass.exe File opened (read-only) \??\S: IExplorer.exe File opened (read-only) \??\Y: IExplorer.exe File opened (read-only) \??\I: winlogon.exe File opened (read-only) \??\S: winlogon.exe File opened (read-only) \??\Y: babon.exe File opened (read-only) \??\E: IExplorer.exe File opened (read-only) \??\P: lsass.exe File opened (read-only) \??\P: IExplorer.exe File opened (read-only) \??\Z: IExplorer.exe File opened (read-only) \??\P: winlogon.exe File opened (read-only) \??\Z: winlogon.exe File opened (read-only) \??\Y: lsass.exe File opened (read-only) \??\J: IExplorer.exe File opened (read-only) \??\P: csrss.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ babon.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf babon.exe File created F:\autorun.inf babon.exe File opened for modification F:\autorun.inf babon.exe File created C:\autorun.inf babon.exe -
Drops file in System32 directory 38 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe babon.exe File opened for modification C:\Windows\SysWOW64\shell.exe csrss.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe lsass.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe babon.exe File opened for modification C:\Windows\SysWOW64\babon.scr babon.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\babon.scr winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe lsass.exe File opened for modification C:\Windows\SysWOW64\babon.scr csrss.exe File created C:\Windows\SysWOW64\IExplorer.exe csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File created C:\Windows\SysWOW64\shell.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\babon.scr 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File created C:\Windows\SysWOW64\babon.scr 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File created C:\Windows\SysWOW64\IExplorer.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe babon.exe File opened for modification C:\Windows\SysWOW64\babon.scr lsass.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe lsass.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\babon.scr IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe -
Drops file in Windows directory 24 IoCs
description ioc Process File opened for modification C:\Windows\babon.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File opened for modification C:\Windows\babon.exe winlogon.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\babon.exe winlogon.exe File created C:\Windows\babon.exe lsass.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\babon.exe babon.exe File opened for modification C:\Windows\babon.exe IExplorer.exe File created C:\Windows\babon.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\babon.exe lsass.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\babon.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File opened for modification C:\Windows\babon.exe csrss.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\babon.exe babon.exe File created C:\Windows\babon.exe csrss.exe -
Modifies Control Panel 54 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\ IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ csrss.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\ csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s2359 = "Babon" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s1159 = "Babon" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s1159 = "Babon" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\ lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" lsass.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\ babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s2359 = "Babon" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\ csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\SwapMouseButtons = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\SwapMouseButtons = "1" lsass.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\ 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" babon.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\SwapMouseButtons = "1" babon.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\ 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s2359 = "Babon" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s1159 = "Babon" csrss.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s2359 = "Babon" babon.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\ babon.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" csrss.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\ lsass.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s1159 = "Babon" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s2359 = "Babon" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s2359 = "Babon" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s1159 = "Babon" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Mouse\SwapMouseButtons = "1" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\s1159 = "Babon" lsass.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\ lsass.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\ babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\ csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" csrss.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\ 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" winlogon.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2980 babon.exe 4580 csrss.exe 2952 winlogon.exe 4420 IExplorer.exe 1872 lsass.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 2980 babon.exe 4420 IExplorer.exe 2952 winlogon.exe 4580 csrss.exe 1872 lsass.exe 3560 babon.exe 3624 IExplorer.exe 5088 winlogon.exe 4124 babon.exe 2740 csrss.exe 3184 IExplorer.exe 4712 lsass.exe 2544 winlogon.exe 4784 csrss.exe 4544 babon.exe 4192 lsass.exe 1408 babon.exe 5116 IExplorer.exe 2912 IExplorer.exe 1620 winlogon.exe 2972 winlogon.exe 4496 csrss.exe 2376 babon.exe 2592 csrss.exe 4904 IExplorer.exe 3408 lsass.exe 2884 winlogon.exe 4608 lsass.exe 2056 csrss.exe 2224 lsass.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3900 wrote to memory of 2980 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 82 PID 3900 wrote to memory of 2980 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 82 PID 3900 wrote to memory of 2980 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 82 PID 3900 wrote to memory of 4420 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 83 PID 3900 wrote to memory of 4420 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 83 PID 3900 wrote to memory of 4420 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 83 PID 3900 wrote to memory of 2952 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 84 PID 3900 wrote to memory of 2952 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 84 PID 3900 wrote to memory of 2952 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 84 PID 3900 wrote to memory of 4580 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 85 PID 3900 wrote to memory of 4580 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 85 PID 3900 wrote to memory of 4580 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 85 PID 3900 wrote to memory of 1872 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 86 PID 3900 wrote to memory of 1872 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 86 PID 3900 wrote to memory of 1872 3900 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 86 PID 2980 wrote to memory of 3560 2980 babon.exe 90 PID 2980 wrote to memory of 3560 2980 babon.exe 90 PID 2980 wrote to memory of 3560 2980 babon.exe 90 PID 2980 wrote to memory of 3624 2980 babon.exe 91 PID 2980 wrote to memory of 3624 2980 babon.exe 91 PID 2980 wrote to memory of 3624 2980 babon.exe 91 PID 2980 wrote to memory of 5088 2980 babon.exe 92 PID 2980 wrote to memory of 5088 2980 babon.exe 92 PID 2980 wrote to memory of 5088 2980 babon.exe 92 PID 4420 wrote to memory of 4124 4420 IExplorer.exe 93 PID 4420 wrote to memory of 4124 4420 IExplorer.exe 93 PID 4420 wrote to memory of 4124 4420 IExplorer.exe 93 PID 2980 wrote to memory of 2740 2980 babon.exe 94 PID 2980 wrote to memory of 2740 2980 babon.exe 94 PID 2980 wrote to memory of 2740 2980 babon.exe 94 PID 4420 wrote to memory of 3184 4420 IExplorer.exe 95 PID 4420 wrote to memory of 3184 4420 IExplorer.exe 95 PID 4420 wrote to memory of 3184 4420 IExplorer.exe 95 PID 2980 wrote to memory of 4712 2980 babon.exe 96 PID 2980 wrote to memory of 4712 2980 babon.exe 96 PID 2980 wrote to memory of 4712 2980 babon.exe 96 PID 4420 wrote to memory of 2544 4420 IExplorer.exe 97 PID 4420 wrote to memory of 2544 4420 IExplorer.exe 97 PID 4420 wrote to memory of 2544 4420 IExplorer.exe 97 PID 4420 wrote to memory of 4784 4420 IExplorer.exe 98 PID 4420 wrote to memory of 4784 4420 IExplorer.exe 98 PID 4420 wrote to memory of 4784 4420 IExplorer.exe 98 PID 2952 wrote to memory of 1408 2952 winlogon.exe 99 PID 2952 wrote to memory of 1408 2952 winlogon.exe 99 PID 2952 wrote to memory of 1408 2952 winlogon.exe 99 PID 4580 wrote to memory of 4544 4580 csrss.exe 100 PID 4580 wrote to memory of 4544 4580 csrss.exe 100 PID 4580 wrote to memory of 4544 4580 csrss.exe 100 PID 4580 wrote to memory of 5116 4580 csrss.exe 102 PID 4580 wrote to memory of 5116 4580 csrss.exe 102 PID 4580 wrote to memory of 5116 4580 csrss.exe 102 PID 4420 wrote to memory of 4192 4420 IExplorer.exe 101 PID 4420 wrote to memory of 4192 4420 IExplorer.exe 101 PID 4420 wrote to memory of 4192 4420 IExplorer.exe 101 PID 2952 wrote to memory of 2912 2952 winlogon.exe 103 PID 2952 wrote to memory of 2912 2952 winlogon.exe 103 PID 2952 wrote to memory of 2912 2952 winlogon.exe 103 PID 4580 wrote to memory of 1620 4580 csrss.exe 104 PID 4580 wrote to memory of 1620 4580 csrss.exe 104 PID 4580 wrote to memory of 1620 4580 csrss.exe 104 PID 2952 wrote to memory of 2972 2952 winlogon.exe 106 PID 2952 wrote to memory of 2972 2952 winlogon.exe 106 PID 2952 wrote to memory of 2972 2952 winlogon.exe 106 PID 4580 wrote to memory of 4496 4580 csrss.exe 105 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System babon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" babon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3900 -
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2980 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3560
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3624
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5088
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2740
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4712
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4420 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4124
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3184
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2544
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4784
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4192
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2952 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1408
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2912
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2972
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2592
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4608
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4580 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4544
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5116
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1620
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4496
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3408
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1872 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2376
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4904
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2884
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2056
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2224
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5afb8e457175b5c058d94bc5eff76dc98
SHA16f461c4c2af1ac9fc0ec7bc514ae5cf4362611ec
SHA256f04a2661b427336fd8d5518349bc831b8e22e37c67b9d1e8bbd79a4548105dfb
SHA512e35d0be66ddd5354d73b4ae0d9bca792267a9a39f93ff723f6cd2eda079a2316ca5a06d90e053355da153fb30fb643556d028565fcf95efe49345e41ca705d91
-
Filesize
45KB
MD5d23754a7f98afba5e6dba1072ad30206
SHA10667f2c80315b238e5dd750630d6819f82c71c6c
SHA2569551ee43aaa3b7772b9c5c275db60ccd92d8cdd0d20ec4f4dbc2a756007a7661
SHA512ed42a2795729664470fc2aea983eacc8994fe2e5a0dd4a895f7a2fc632b85b647c00b1c22b470d955c698717c2a4e8abedb3330285b3b6939ede318e6feadedd
-
Filesize
45KB
MD5a563b8b7d9853aed9bde72432a0f6f68
SHA18164f24bb37fde1b8b9425771367eb7e7d3f8ff6
SHA25643ad02c5af95c4204b77601fdd558227d0729486ca63b35745af2a5eff2c6712
SHA512954f4d67097900e0f825610d370b693b674cead181abb068dcf7f83e0b09f4b14f186f0937b794c9188319d0600e44ee368cc5e77f4c16d2ef97924efd6e806f
-
Filesize
45KB
MD566caf603baa5fcce64131292a13afe30
SHA17b8710d4c2a373f354d6b4dc1ad83422b3181ea1
SHA2560621355ac15ceecdedc4a2eb62db26b08643b3d52bed0275895abb3956cae3f3
SHA512b5185aa320fe3c65444520291a9cd9471ed3d5ce0828fb6ea709a65f3d0adf4adf0e04503049378d0807638f8eafd733e0aed8156cd3e1beff458f7f86230c7f
-
Filesize
45KB
MD539dfac887e4173a033f822f4b8d4e93e
SHA13f04f047f7b95c78eabcc05055ce780323f7df6a
SHA256c77e678d46b1d114cb07bec90a5ec2dbe9407e24b42bc56da268fef43b8161ed
SHA51255a7b74bdb775cf7771446304e9c8d295e1c7c92af4253f65ee37654bad12a6596b24aeb75a9905e1e0200b46a57c3cf144dd92b610bd9246bf83b92f67c8197
-
Filesize
45KB
MD5ec0585c48fc147eabc87fd9768044a9c
SHA1616beb5697cd152e0b1c83787fd07c1e1e5fccab
SHA2565ed6d231961220e5bc60298468abe44038f879099dbdb3e3601749b7ddd18901
SHA512372d4bf9de873716e851e972f195b23dcef6cfd31881d63b0664fbe6ec1a53ecd3986e18d672d25fd8ea8d75754178b0a1e0ca7379b6a79d8b7910bf804451c4
-
Filesize
45KB
MD5a3c5002330ca778c741c75724a08c5c8
SHA19173e659d9bd309934969487c283670b3ad90816
SHA25614209bff422a84e1f74794235801358a2a25f9bbb3296e8e6eed16fdcb33821c
SHA5125fc5b4c0842b39c11e79ea87a6cd79892d9b400ba1713e31a2215719d5ed30ebcdb680b62651dd1f559be2a467d2eedc21e15f1cb0084ce9d588288d563cde69
-
Filesize
45KB
MD544d63024f388f55d9846b5e03103d12d
SHA18f6f984824bd4ece5878964f8246a6c4520842f6
SHA256f66038a1e647f2baa00f12984e73c54124ea85800036cf25987347b23bdd6110
SHA5127cc31f6a302d68a84354375cafe62dd7318b9bc250ebc061de00d2e91ec6e9450d5d0c618c54baa99229d5db8ee8e60b1cd3c518350460d0a37c1af856c5a042
-
Filesize
45KB
MD5718731a4b35a1d4b5135ff52c71dc7af
SHA162b0c83e1e8b8ea826f5b2b00c4a61ee8374f9b1
SHA256a6f6fa6287ec7ad64b7a23f69e601ae16d009d084878639ce023a285f9995d8e
SHA512058247cd6104fd78db588417ca7f7c81a3d6078e868cf440d8b28118421db67f0315934e90b746dc34e0f0e3ed8b327beacd16a97ccfa45067211d0b6c8c26e8
-
Filesize
45KB
MD5ab9cdfb0834cfbf61695fd424186604e
SHA11d76a182235c0e029a8a405eef856e9e9d0928ac
SHA256592d25f3a3018e87623e57e1fd7b0f16fdb0fb2c1a93e050102071109482704a
SHA5122e1981a5d8ccf1b994feda61fcab152d6ddc663d75c05e62ae9d67194c87cf55e8a2456943d30c3f47955895f95a681c6a668c48bcf185c5fba9faed56273bba
-
Filesize
45KB
MD5c2f6b3f0e369b84f7b9845fb9bb9c70b
SHA19cedc11f8b4d8a11e7ecf492f34e8385c39920e9
SHA256f93210c70f8d29573cf3fdda7bab8e2546615c3ebd09adf16a20af18a8d3e857
SHA512438c6fa79b0edd3f3f5b8fca0c7a365a265b6c3875ca63996f0233b01ee4bef6f2ea47c19a2ef17aead603d38c810f3007bfef8a75ed36010ed2f07b2bab9ad6
-
Filesize
45KB
MD57ed4daa96b427cb139e7838b8ffea59c
SHA1b3c5ed0969859745832bc56290be9e8646a6e7fe
SHA2566a1f8940d60d7672911b731ff7ecddea36cbbdd06ba8df8eb5319838f5978af1
SHA5124d31f7b7b38c7422456a1d5c8d941046f97a306cacdc58893838401dda84a27f4db8d461fb4b42ed1cf56e30e6ab8a58e1e971d97e80d5e813766c4245c0a2b7
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
416B
MD58c460e27a1949370d14f20942ef964c3
SHA1fb1f75839903c83911b45b49956792d27db56185
SHA2562c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d
SHA512ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd
-
Filesize
41B
MD5097661e74e667ec2329bc274acb87b0d
SHA191c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e