774600447c535d147930a089589ce19687970663f6c2f3137fa06b88c3bd7939

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Size

91KB
MD5

31f497d758bcf910787322198fd0ac60
SHA1

2d9a1931147f584d4eee9e9ddcd0fa3afd62f6d6
SHA256

774600447c535d147930a089589ce19687970663f6c2f3137fa06b88c3bd7939
SHA512

f63fd01181efee50a0de4d828b1c64d68d7d4c97298e4def0906691e02be5d7591553f337280be15c2c54826763740b0d2228a8ac8bc5e46067b0184b05e23e3
SSDEEP

1536:XJRtlEnBHHIgabuYotV/JbJCX5SBiJJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQIJvtYxOuYotvYQIE

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2508	xk.exe
3016	IExplorer.exe
2156	WINLOGON.EXE
1928	CSRSS.EXE
1940	SERVICES.EXE
2872	LSASS.EXE
1184	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000016c51-8.dat	upx
behavioral1/files/0x0009000000016cbe-110.dat	upx
behavioral1/memory/1972-108-0x00000000005C0000-0x00000000005EF000-memory.dmp	upx
behavioral1/memory/2508-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000016d3e-113.dat	upx
behavioral1/memory/3016-123-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/3016-126-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d57-127.dat	upx
behavioral1/memory/2156-139-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016e24-146.dat	upx
behavioral1/memory/1928-149-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016e4a-152.dat	upx
behavioral1/memory/1928-154-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1972-161-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1184-185-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1972-189-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1184-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001735a-182.dat	upx
behavioral1/memory/2872-175-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016fed-171.dat	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\xk.exe	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
File opened for modification	C:\Windows\xk.exe	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
2508	xk.exe
3016	IExplorer.exe
2156	WINLOGON.EXE
1928	CSRSS.EXE
1940	SERVICES.EXE
2872	LSASS.EXE
1184	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2508	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2508	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2508	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2508	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 3016	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	29
PID 1972 wrote to memory of 3016	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	29
PID 1972 wrote to memory of 3016	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	29
PID 1972 wrote to memory of 3016	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	29
PID 1972 wrote to memory of 2156	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	30
PID 1972 wrote to memory of 2156	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	30
PID 1972 wrote to memory of 2156	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	30
PID 1972 wrote to memory of 2156	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	30
PID 1972 wrote to memory of 1928	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	31
PID 1972 wrote to memory of 1928	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	31
PID 1972 wrote to memory of 1928	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	31
PID 1972 wrote to memory of 1928	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	31
PID 1972 wrote to memory of 1940	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	32
PID 1972 wrote to memory of 1940	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	32
PID 1972 wrote to memory of 1940	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	32
PID 1972 wrote to memory of 1940	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	32
PID 1972 wrote to memory of 2872	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	33
PID 1972 wrote to memory of 2872	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	33
PID 1972 wrote to memory of 2872	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	33
PID 1972 wrote to memory of 2872	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	33
PID 1972 wrote to memory of 1184	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	34
PID 1972 wrote to memory of 1184	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	34
PID 1972 wrote to memory of 1184	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	34
PID 1972 wrote to memory of 1184	1972	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31f497d758bcf910787322198fd0ac60_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1972
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2508
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3016
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2156
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1928
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2872
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
f12002f49628dd989fe2789881347f04

SHA1
1f28843df21224f83508b5b55bc244c88955969b

SHA256
da8f75cd481652f7eb9b0c5832a789af89eeeb24e89b8709081d22acdfa00ebc

SHA512
2bff4fadf6948b5d46c157971d952edfdc47804dd97c2c96dd520e755851f19c1d7f5b7a3ce8af05fcc0110e190cc7fc97abe1a799d4688d853894bed09702bc

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
3f8048b75e8ac3707d13d75c9b80ab25

SHA1
54a8efa9c2173dc241a8c478afcac412516e4010

SHA256
7451caa450582af4edef79446a31ff9738c5210cf321da2517fe1b017d715d05

SHA512
0aa08c3f793049fd74306e2bf85da909d6e7f7d460fb6c70ba020a49582398cac728a08605aa46738dd9d0a937a753bb613ef5dc74804e1ee285ae8ed2987f62

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
46a77f0cd1e598d82a167a08e3946035

SHA1
6f23d4ebddfd73da0804c8c494b25cf8c6460457

SHA256
26d626691011cb5b24c6dfc872e5fc1062fb114f5dcd069731798a5188929709

SHA512
210f85bf9f66fae37d74ce4df4da9e2a868adcaf7ff363e6e256d25a6cfd99eca35824fe0c9cf96d3badf41297b9ce71ba52fe52b0757d715d9486afe8d815a0

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
31f497d758bcf910787322198fd0ac60

SHA1
2d9a1931147f584d4eee9e9ddcd0fa3afd62f6d6

SHA256
774600447c535d147930a089589ce19687970663f6c2f3137fa06b88c3bd7939

SHA512
f63fd01181efee50a0de4d828b1c64d68d7d4c97298e4def0906691e02be5d7591553f337280be15c2c54826763740b0d2228a8ac8bc5e46067b0184b05e23e3

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
0907401633c1a9ff7dbe13d3d4e29a20

SHA1
f0fe08f66de3e1babff8645474eb5e8030101fb7

SHA256
c799698aa83c61f4639b8553f6247e7a69db770765ff5b7f0300e977219654f0

SHA512
49602ca065b235d656d9dcc11a2d5844e5a3ed03eed0a4b8b664b5e60eccc27c13b8b4c530aa804c874576d901c5f3d8d5f667d18a6b6986eb1e5623d2c2e06f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
0ff2b917660410eb96a8a7522462a56d

SHA1
a958c6cb6f056750d79eb2dfd5decf54773653ba

SHA256
e1a17be6646f04cf8458dbfd7aec0af11f244135a5fdf05cc4e0235547f85bc9

SHA512
f405c993b9a82b69f5241b581ee1bcf6dcceb72e5889af3cee62d50b7fa69d809944e367bce203f07befb02195d5f82fe2e17a663767aef4852856af73dab810

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
3f60a026ec714496fedc47b054500536

SHA1
592d2f7e7a7529cab67b3ac5111877adb70e31a5

SHA256
f29f0c6a2cfeaab20ae680df388304af0ae62bbf6ba376d5559e02bb09996f92

SHA512
ed0a6a2bc245f5c25aa2dfd2be33cea03c0056ff47b0b982d47439ed87bf206b7573e67a58bf38cf8311609c5af899cc349d3f6ed78bc4db7845f50c88c926dc

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
3bfeb240f3bfd0324a0c40af1bf06d40

SHA1
103a3530059e5f140cc697108a11bdfcfd65b7c7

SHA256
fe2acf6ae6d9bc9d3190b3cc5af72a0ed5bc0b8ad6af89dce308d8be79dc94ab

SHA512
8bac2df86ed14113a02df7fcfe858405cd5f8d8a646d9aea2071582e95a2c47f40748b3f4bacda7b0eabb6a17e6d04a2ebe03f0079d70bbba2abc8e7433d5990

Download Submit
memory/1184-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1184-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-160-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1972-122-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1972-135-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1972-147-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1972-133-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1972-148-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1972-109-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1972-108-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1972-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download