33069b2f6265408333fcfeb4da2db77a62c495ec881239eb0ba1975b481735ff

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 12:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Size

91KB
MD5

ddba1ad02c3f6fba97d335bb31029880
SHA1

6527e6ff295d2cc7345c0f589abd617b20da7fce
SHA256

33069b2f6265408333fcfeb4da2db77a62c495ec881239eb0ba1975b481735ff
SHA512

33eb60d974bb1a3c4c9828e49abd6c805e01011bc89e32196d4e54c5993d19507d790cdca0e16fde1b9e511606964919d3dfda412ec8d5db7fe71c5e8d3cbe02
SSDEEP

1536:XRsjdLaslqdBXvTUL0Hnouy8VjLRsjdLaslqdBXvTUL0Hnouy8VjYf:XOJKqsout9LOJKqsout9Yf

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2896	xk.exe
1932	IExplorer.exe
1288	WINLOGON.EXE
1568	CSRSS.EXE
292	SERVICES.EXE
2396	LSASS.EXE
536	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1192-1-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000016c5d-8.dat	upx
behavioral1/files/0x0008000000016d05-109.dat	upx
behavioral1/memory/2896-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1192-118-0x00000000003D0000-0x00000000003FF000-memory.dmp	upx
behavioral1/memory/2896-117-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001720f-115.dat	upx
behavioral1/memory/1932-129-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000173d6-140.dat	upx
behavioral1/memory/1288-148-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1192-150-0x00000000003D0000-0x00000000003FF000-memory.dmp	upx
behavioral1/memory/1192-149-0x00000000003D0000-0x00000000003FF000-memory.dmp	upx
behavioral1/files/0x0006000000017568-153.dat	upx
behavioral1/memory/1568-155-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/292-166-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2396-173-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2396-177-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/536-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1192-190-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
2896	xk.exe
1932	IExplorer.exe
1288	WINLOGON.EXE
1568	CSRSS.EXE
292	SERVICES.EXE
2396	LSASS.EXE
536	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2896	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 2896	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 2896	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 2896	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 1932	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	29
PID 1192 wrote to memory of 1932	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	29
PID 1192 wrote to memory of 1932	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	29
PID 1192 wrote to memory of 1932	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	29
PID 1192 wrote to memory of 1288	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	30
PID 1192 wrote to memory of 1288	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	30
PID 1192 wrote to memory of 1288	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	30
PID 1192 wrote to memory of 1288	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	30
PID 1192 wrote to memory of 1568	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	31
PID 1192 wrote to memory of 1568	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	31
PID 1192 wrote to memory of 1568	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	31
PID 1192 wrote to memory of 1568	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	31
PID 1192 wrote to memory of 292	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	32
PID 1192 wrote to memory of 292	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	32
PID 1192 wrote to memory of 292	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	32
PID 1192 wrote to memory of 292	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	32
PID 1192 wrote to memory of 2396	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	33
PID 1192 wrote to memory of 2396	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	33
PID 1192 wrote to memory of 2396	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	33
PID 1192 wrote to memory of 2396	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	33
PID 1192 wrote to memory of 536	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	34
PID 1192 wrote to memory of 536	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	34
PID 1192 wrote to memory of 536	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	34
PID 1192 wrote to memory of 536	1192	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ddba1ad02c3f6fba97d335bb31029880_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1192
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2896
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1932
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1288
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1568
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:292
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2396
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
ddba1ad02c3f6fba97d335bb31029880

SHA1
6527e6ff295d2cc7345c0f589abd617b20da7fce

SHA256
33069b2f6265408333fcfeb4da2db77a62c495ec881239eb0ba1975b481735ff

SHA512
33eb60d974bb1a3c4c9828e49abd6c805e01011bc89e32196d4e54c5993d19507d790cdca0e16fde1b9e511606964919d3dfda412ec8d5db7fe71c5e8d3cbe02

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
e85374512b9ebfd4023eee4d09620df9

SHA1
2a8fa53bc854b6ba8cb456a774f3cc411268f00e

SHA256
4da7d31cb178db1069ef45249554d4f5ec2e46243368816787bd3f15b9a18182

SHA512
9721e631ddb68d7602acbc1cf892ec9c8032e4992afc5567a4d7bacf4b56b7f35f7b85b849d96400b62aabde47c2315857603eba996411f35b5ae12d8eb483f2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
4973e97065458b2a0434073c1e111ef5

SHA1
c4de962f0315503b6d331f677d34a7c65799902e

SHA256
9fe703aebad5f31ec0331454636aca07b2c46b54abb3e8c28c0acbec86e96201

SHA512
19bbe25b277d20d86f4272a6a58cb4b6282c4ce2dc356ecc7fedd3680ec6cf342e616c7a408a8d09f0970705d4e18be8704e36cbd67919b308b196b5603de1d2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
c25685ec1c51a4bee027f928405bc3cd

SHA1
edec63da13799edc4242320092cdf640aa0eeb2d

SHA256
71eb04db71ae8d2f0e2328cce00814e27569c51be028dd2f6973eb3ee7103271

SHA512
8264305874dba8e6532245247614f0d98237afa5f674c7f2d7049bf2b98740b93503cee378f3f6e87486cc08d64e5c1ff8240b0357c47dfadf191ab545e7f13a

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
e7129c24f2c395e3d4e6499bfd063c3a

SHA1
30c1206c40cabf30876b9fbe94a34bf65f57b452

SHA256
bc07bdbdec8363af4a2d93f276d73ee0bc65c8bbb40cdd854fba24dffd8079cd

SHA512
afe3a640949cefab084a34234507284892fbfd893f06f8c637b09d4ccd5c1c68caf610ad08700ccd92266bd84e88ef247c2b4a5175afc72f0c50a872373984a0

Download Submit
memory/292-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-172-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1192-125-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1192-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-137-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1192-185-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1192-150-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1192-111-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1192-149-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1192-110-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1192-118-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1288-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download