70b49b1a036904fd7f35bb935b4416cda1b7b2d4b0d994ccf87297e1213385c6

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Size

91KB
MD5

516870e329a6b0c4f2cd840853e8b1d0
SHA1

3103fc962a3bfed9177bc8d6687c67bd59219473
SHA256

70b49b1a036904fd7f35bb935b4416cda1b7b2d4b0d994ccf87297e1213385c6
SHA512

3c1d2c7fb0729525714fd91cdf880db3d21d9cc154ffa0e3ee599f9d0e3b4ce5ce4cee8f576218ba4ce15a336a2c83d780d4a0febe9fd17a03be12382070487b
SSDEEP

1536:ERsjdf1aM67v32Z9x5nouy8VTlRsjdf1aM67v32Z9x5nouy8VTU:EOaHv3YpoutNlOaHv3YpoutNU

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2696	xk.exe
2676	IExplorer.exe
1556	WINLOGON.EXE
1628	CSRSS.EXE
1552	SERVICES.EXE
2656	LSASS.EXE
1448	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2132-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000015cb0-8.dat	upx
behavioral1/files/0x0008000000016476-107.dat	upx
behavioral1/memory/2696-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016813-114.dat	upx
behavioral1/memory/2696-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2132-117-0x0000000002720000-0x000000000274F000-memory.dmp	upx
behavioral1/memory/2676-127-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016c1d-128.dat	upx
behavioral1/memory/1556-137-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1556-138-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016c3a-139.dat	upx
behavioral1/memory/1628-147-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1628-150-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016c42-151.dat	upx
behavioral1/memory/1552-158-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016c8c-162.dat	upx
behavioral1/memory/1552-164-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2132-166-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2132-170-0x0000000002720000-0x000000000274F000-memory.dmp	upx
behavioral1/memory/2656-174-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016cb2-175.dat	upx
behavioral1/memory/1448-184-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2132-187-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1448-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
2696	xk.exe
2676	IExplorer.exe
1556	WINLOGON.EXE
1628	CSRSS.EXE
1552	SERVICES.EXE
2656	LSASS.EXE
1448	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2696	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 2696	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 2696	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 2696	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 2676	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	29
PID 2132 wrote to memory of 2676	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	29
PID 2132 wrote to memory of 2676	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	29
PID 2132 wrote to memory of 2676	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	29
PID 2132 wrote to memory of 1556	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	30
PID 2132 wrote to memory of 1556	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	30
PID 2132 wrote to memory of 1556	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	30
PID 2132 wrote to memory of 1556	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	30
PID 2132 wrote to memory of 1628	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	31
PID 2132 wrote to memory of 1628	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	31
PID 2132 wrote to memory of 1628	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	31
PID 2132 wrote to memory of 1628	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	31
PID 2132 wrote to memory of 1552	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	32
PID 2132 wrote to memory of 1552	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	32
PID 2132 wrote to memory of 1552	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	32
PID 2132 wrote to memory of 1552	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	32
PID 2132 wrote to memory of 2656	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	33
PID 2132 wrote to memory of 2656	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	33
PID 2132 wrote to memory of 2656	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	33
PID 2132 wrote to memory of 2656	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	33
PID 2132 wrote to memory of 1448	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	34
PID 2132 wrote to memory of 1448	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	34
PID 2132 wrote to memory of 1448	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	34
PID 2132 wrote to memory of 1448	2132	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\516870e329a6b0c4f2cd840853e8b1d0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2132
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2676
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1556
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1628
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1552
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2656
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
516870e329a6b0c4f2cd840853e8b1d0

SHA1
3103fc962a3bfed9177bc8d6687c67bd59219473

SHA256
70b49b1a036904fd7f35bb935b4416cda1b7b2d4b0d994ccf87297e1213385c6

SHA512
3c1d2c7fb0729525714fd91cdf880db3d21d9cc154ffa0e3ee599f9d0e3b4ce5ce4cee8f576218ba4ce15a336a2c83d780d4a0febe9fd17a03be12382070487b

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
5f0ade4a5e553ae16ac9cefed05d7e06

SHA1
b7119daf318fc039e0e795e31cb769b23021eb10

SHA256
f16b327622158990892eabbb8d99e36ac96d0c55769eb85bac2ffa02bf5cf8be

SHA512
ea418aaa41d1cf49c11f36961367a24b39b0a9a8986a03aaee6ef957598f24000b02e69cf45d7018128b1b5d08d33ff39e0fdaaca4c9601c56820cce14d63c74

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
8da890df56040da9b54aed3c3a85af9a

SHA1
b353b4e890ab26100db76e6858a60d779840a0cc

SHA256
820647681ab61285f8c5299c0ab4e53bf51053537a4ddc164673f62a55451642

SHA512
1685f977ae832ce303fbf1dd4015b3fb9204ca34f09c55ca2fba79098c4a2e0abe73805ef9a68d6a6a49ae0585631b68302d0bfb0b97b139c5f4ff814df83718

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
5385fb059e574648a7ce8d6feb566a28

SHA1
a9d9e33550db97414ff566c59a3a87c3b47e11f8

SHA256
de062e75f9412d4aa13607dc8c09966e9274873ed650027588af4e6dfad25fbb

SHA512
6ebbdbe4867f1c4c3011f5c5bb35a9f001df54012a8b9dd767fbc9ef292786ca26d79b2a75d260b24332cd695b4176e262352ba1808de3d5cab4ae5dcdb983c2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
6efed40218dd8c57783e681777bfe84e

SHA1
7e4dc9c8f202de3fbbbe31e2585d01a9ec6dc068

SHA256
f459796df8d6878a1ac98dba4ee76da0252285bf8dfb3cfb5497f6c3a1f2b940

SHA512
3e60cd9a7e645f86b27a4d4449f8e1df2121cb99b456562c59a3d8a593c504e3fbead797b13c8ee98660cf6f507b9233885a87d5ef85646d1e8d5113f01d653f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
b2dc40a1826cb4b5f9631349404bc70d

SHA1
12ef0813f989608e54eed8ff4887992c8275a3a3

SHA256
b61c239011e0b29e36fbd90d9af85890ea7aea39700c01bcad05ee929ba038ce

SHA512
78b132ad69312ff7112b193be84d60055a3bf972714223a9cc8ae9f37f0852b652629b51335d1ff66d41a14b4c8696061d186780f5c4d0489a00f1a3881a590c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
59b400fa18dc9a370aa475fdb4521077

SHA1
2bea7166979a4f98f49ee1ee5de5c1b2263892e3

SHA256
db09c0192ecedb0c6b781f6b66a19fec2fb61338badb45eef7824c7994755e1f

SHA512
88cfdd6fdb828c260dae838d91dfadbfe0c099fb52e66219396017323118f0b8e0836534230b6048060859722f4bc00d85abe2aae0c33349b3e4654e369854a8

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
1b328d484531c1ca5b5ea8fa824adb1a

SHA1
fb59a6eb27e03b3dd9ed0e0c9c5ebd09ac529a01

SHA256
4aae0d0f73199b6c8de1d030d9b96ff44669574c64650f33e01c9fb4c26daba1

SHA512
ab5590117bcf1d4042fc5f1815db9d627016fa689db413673662a4609c41c45b88994930c7f2c433133da117b33924c5a9943b8b840ac05827285f18ba5e4f73

Download Submit
memory/1448-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-146-0x0000000002720000-0x000000000274F000-memory.dmp

Filesize
188KB

Download
memory/2132-117-0x0000000002720000-0x000000000274F000-memory.dmp

Filesize
188KB

Download
memory/2132-124-0x0000000002720000-0x000000000274F000-memory.dmp

Filesize
188KB

Download
memory/2132-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-170-0x0000000002720000-0x000000000274F000-memory.dmp

Filesize
188KB

Download
memory/2132-109-0x0000000002720000-0x000000000274F000-memory.dmp

Filesize
188KB

Download
memory/2132-110-0x0000000002720000-0x000000000274F000-memory.dmp

Filesize
188KB

Download
memory/2132-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download