Analysis
max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted
22-05-2024 21:05
Behavioral task
behavioral1
Sample
3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
Target
3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
Size
34KB
MD5
3b740935520147afea5b306d569097b0
SHA1
342a270999b4bd8424a2841edf8d6d7b53f862a8
SHA256
933b5acb7c2ccb1ebdb4612e907a2627757844178d1077b7a0c404eac1051ae2
SHA512
49e052880c28539e8357f10bc188e43fd818a9a5c24114e872696a53a7186785f1629201c1778ddd1324846844011db5a117c5af1f9d83ddbab05624c57bb0af
SSDEEP
768:UEzNbLcQ9qQuVriDMuyuruTD0qB77777J77c77c77c7nOTysMljy:l3h9qQA6hZunrB77777J77c77c77c7O7
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\system32\\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\\ýüþüüü¼½ü.exe\"" | 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
Processes: 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components\{C5685A04-18AD-0383-2503-5A04250318AD} | 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components\{C5685A04-18AD-0383-2503-5A04250318AD}\Direktori = "d[}xŠ\u008f…\u0090˜”}”š”•†ŽTS}‘“Š\u008f•†“OœSSSXbSYQNTbfbNRQWZNbSefNQYQQScTQTQZež" | 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components\{C5685A04-18AD-0383-2503-5A04250318AD}\last-check = "ýüþüüü¼½ü.exe" | 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components\{C5685A04-18AD-0383-2503-5A04250318AD}\last-check7 = "ø÷ù÷÷÷·¸÷\u0090„•\u0090.exe" | 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
Executes dropped EXE 22 IoCs
Loads dropped DLL 53 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ø÷ù÷÷÷·¸÷„•.exe = "C:\\Windows\\system32\\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\\ø÷ù÷÷÷·¸÷\u0090„•\u0090.exe" | 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
Drops file in System32 directory 5 IoCs
Processes: 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\mail-sent | 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D} | 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe | 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe | 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\mail-buffers | 3b740935520147afea5b306d569097b0_NeikiAnalytics.exe
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Processes: WINWORD.EXE
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
2576 | WINWORD.EXE
1564 | WINWORD.EXE
Suspicious use of SetWindowsHookEx 33 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
path | command line | level
C:\Users\Admin\AppData\Local\Temp\3b740935520147afea5b306d569097b0_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\3b740935520147afea5b306d569097b0_NeikiAnalytics.exe" | 1
- Modifies WinLogon for persistence
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe | 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe | 3
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe | 4
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" | 5
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2576
C:\Windows\splwow64.exe | C:\Windows\splwow64.exe 12288 | 6
PID:1348
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe | 5
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" | 6
PID:3016
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe | 6
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe | 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe | 8
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2616
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" | 8
- Suspicious use of SetWindowsHookEx
PID:2252
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe | 8
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe | 9
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:984
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe | 9
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2312
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe | 10
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1936
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" | 10
PID:2804
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe | 10
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2456
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe | C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe | 11
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2240
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"11⤵PID:2924
-
-
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exeC:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2672 -
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exeC:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1964 -
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exeC:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2608
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"13⤵PID:2868
-
-
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exeC:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2840
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"12⤵PID:2656
-
-
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exeC:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3020
-
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"9⤵PID:2020
-
-
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exeC:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:772
-
-
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exeC:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:972
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"7⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1564
-
-
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exeC:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1688
-
-
-
-
-
-
-
C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exeC:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2660
-
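Three details of the tree above are worth turning into detection logic. First, the dropped executables live in a directory named `printer.{2227A280-3AEA-1069-A2DE-08002B30309D}`; that GUID is the CLSID of the Printers shell folder, and Explorer renders a directory whose name ends in `.{CLSID}` as that namespace object instead of listing its contents, so the files are hidden from anyone browsing with Explorer (a plain `dir` still shows them). Second, the image path is under `SysWOW64` while the command line says `system32`: the sample is 32-bit, and WoW64 file system redirection maps its `system32` references to `SysWOW64`, so the command line must not be taken as the on-disk location. Third, the two executables spawn each other to depth 13, and almost every generation launches WINWORD.EXE with `/n` on the same `.doc` under `AppData\Roaming`. The script below is an added example, not part of the sandbox report and not the sandbox's own signature logic; it rebuilds parent links from the depth numbers and applies those three checks plus a non-ASCII-basename check to a handful of entries transcribed from the tree. The rule names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: seven entries transcribed from the process tree above
# (image path, command line, tree depth, PID). The odd basenames are kept as
# the report prints them.
SAMPLE_TREE = [
    (r"C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe",
     r"C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe", 4, 2912),
    (r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"', 5, 2576),
    (r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288", 6, 1348),
    (r"C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe",
     r"C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe", 5, 2524),
    (r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc"', 6, 3016),
    (r"C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ø÷ù÷÷÷·¸÷„•.exe",
     r"C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ø÷ù÷÷÷·¸÷„•.exe", 6, 3028),
    (r"C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\ýüþüüü¼½ü.exe",
     r"C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\ýüþüüü¼½ü.exe", 7, 2888),
]

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
# A directory component named like "printer.{CLSID}", optionally with the
# trailing dot the command lines in the report use ("printer.{...}.\").
CLSID_DIR = re.compile(r"[\\/][^\\/]+\.\{" + GUID + r"\}\.?(?=[\\/])")


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int
    parent: Optional["Proc"] = None


def build_tree(rows):
    """Rebuild parent links from a pre-order listing that carries depth numbers."""
    procs, last_at_depth = [], {}
    for image, cmdline, depth, pid in rows:
        p = Proc(image, cmdline, depth, pid, parent=last_at_depth.get(depth - 1))
        last_at_depth[depth] = p
        procs.append(p)
    return procs


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def findings_for(p: Proc) -> list:
    out = []
    # 1. Executable inside a CLSID-named folder (hidden in Explorer).
    if CLSID_DIR.search(p.image) or CLSID_DIR.search(p.cmdline):
        out.append("clsid_named_dir")
    # 2. Basename made of characters outside printable ASCII.
    if any(not 32 <= ord(c) < 127 for c in basename(p.image)):
        out.append("non_ascii_basename")
    # 3. Command line says system32 but the image really lives in SysWOW64.
    cmd = p.cmdline.lstrip('"').lower()
    if p.image.lower().startswith("c:\\windows\\syswow64\\") and cmd.startswith("c:\\windows\\system32\\"):
        out.append("wow64_redirect")
    # 4. Word opening a document from AppData\Roaming, launched by something
    #    that is not itself under Program Files.
    if basename(p.image).upper() == "WINWORD.EXE" and re.search(r'\\appdata\\roaming\\[^"]+\.docm?', p.cmdline, re.I):
        if p.parent is not None and not p.parent.image.lower().startswith("c:\\program files"):
            out.append("word_doc_from_dropped_exe")
    # 5. How many ancestors run from the same directory as this process.
    chain, a = 0, p.parent
    while a is not None:
        if dirname(a.image) == dirname(p.image):
            chain += 1
        a = a.parent
    if chain:
        out.append(f"respawn_chain={chain}")
    return out


def analyze(rows) -> dict:
    """Map each PID to the list of rule names that fired for it."""
    return {p.pid: findings_for(p) for p in build_tree(rows)}


if __name__ == "__main__":
    for pid, hits in analyze(SAMPLE_TREE).items():
        print(pid, ", ".join(hits) or "-")
```

The splwow64.exe child of Word (PID 1348) produces no findings, which is the expected outcome: it is the 32-bit print-spooler helper Word starts on its own, and a rule set that flagged it would be noisy on any host running 32-bit Office on x64.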
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 36KB
MD5: a7211f0fec58c1b4b79b277eb89c3931
SHA1: 4143e4b8b9bfcbe875057c17764fd3b182c46f47
SHA256: 20b468bdbdf66f316861fa8d727bc06f82dcae6f90134006e23e7eb9fb192eff
SHA512: c4f6d262a8bc2c3efb6d1a85e47165e68528845088665553600f99f1677983d29689227c8e33b5fe8dd8fd19b95ad8ab839a009a78fd8a0fd3f7040711ce2cfd
-
Filesize: 86B
MD5: fa01d48c17df8c4fdbef94a4b7626fe5
SHA1: 35b6f9d93733e001c3551e39f4b2d42b74ca821c
SHA256: b6d1b5a5d233ad45de11fc2c30b90db0c23a2b6e5c8e6130c0bcb99f1f05d809
SHA512: ec984141995dab05eb8063978b4da3796c8c34a6fc188dfc5334b0976c17576a5196addacfb45122b63814c3a0eb0979908e12f0f7565d43da1e0d1a8819bdc9
-
Filesize: 118B
MD5: 0ed6a5342f66ef9a77280dee66426aaf
SHA1: abe61b4bba48c9b3c39baa8086adf15b02c0cf37
SHA256: d9527e8faa752f0782eb4f75eba897efd62e3d9da06047e3680325c78b51646e
SHA512: 094a62844bc55178a46b863ddff109f9f639d070b1a0004a9d9f85ae2c5553e04844711ed384be07637a275827b4c8f46f406b50935d114807302d3d22f9e7a4
-
Filesize: 118B
MD5: ea3ec5ca9ad16844b09fc64bbe76eaf9
SHA1: b1e6e3bcc7e27b7ec0788309fc4497142035124c
SHA256: e383573000f20418a6af9b3a45607103d18127b90b55a31c468352a09f57f0a4
SHA512: e0761743a1280e9ceb5e812034cbe3e6b15b69ddab6bcec891f5eebf82ca9f0842dfd8f2f600a7a9172e319497df42a60b23f490d979c3d51f0e092d26895500
-
Filesize: 154B
MD5: 89c9439b0c052c62b76105482f3cfcdf
SHA1: 135f498be47c34188c0754365614c01e9a5cbc57
SHA256: 6a9136770ad32e5ec6159ffb6b862343e33d1974e9eb73446ac0e9058d8f9f63
SHA512: 27d0e9a993b5ced55eb1ef7d9a0be0c0652b0a19cb5ce4c7596e1d3e43a098a1d6966410fb6c6e91627e532b7d2a4b4e4ddf84af6019e5a3ee511c406ba167b6
-
Filesize: 1KB
MD5: 84bb10a4ba72214240134b9ad402d9fc
SHA1: 36f87d757bee50f5f05a27c47dabfaaea862756f
SHA256: 2c218b1a50e8512012f86d4cb79525e87f27b4abda1cd05f78ff95dc9884265b
SHA512: 2297395e0a7065e229313f7f15be6926e67cf0c4792d184cc802f62d1712e8b1d841c319d362c696edcc0e10c82dde2f36386a4f250e3d9f0885914f67c90bb8
-
Filesize: 20KB
MD5: 4e7c6abb195a178a48a09528323be684
SHA1: 247a144f34c03944f18829cd2c2915fd94c0b430
SHA256: 637c0031dfd19f427292b433cae93821d6b96c5eedaeadf46d501ffc663fa408
SHA512: 2c0ec9808c307cc0498822ab3efcc680f77b272085e176de64ac776096c18ae73d103a05d2c10985a5765289de81b4569a5cef3c22f74d570239af416bbcd822
-
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize: 6KB
MD5: 730ce61abbb36e76c9e06a2b7e5212a7
SHA1: 7436058ca37a58f15d1665796223e2e4aecaca1c
SHA256: 805b903c4557f4abea0640d516b28612d0f61ff4069eeb2bc7799ff9580008fb
SHA512: c3d63bbd7c8b259ea904648942c729e2812e4127c6d680b4d515d20dfb3740f0e111ecb8db7815b51c454814d34cfb006784ee89e567681af23e98acacb12c04
-
Filesize: 162B
MD5: 9fe9314b6033d42f111e12ec68d5b87a
SHA1: bb5d7ec3f212e85b221fcca19ddc698708985844
SHA256: 6ae708725fdf711fa20249119e6009c5c488970b86741ff060e11c93ff44e441
SHA512: 796f1e54c20e133501a089f7faa560ff1d2bcfeaba4d0da0d2316e91bc7bb19a9b232920b4a7cdadf2827ce0e207ac1bc624ae3d55b7a841bd6bd3e444d6a334
-
Filesize: 36KB
MD5: 1e74a1afcd2b4fc81212ec3158993bde
SHA1: 7beb1e1c45b7a5fcb0032a5f4ca9c0d1428c9bfc
SHA256: 109fbba7ff8da7cabbfa165e639291c1bdad25eb882ae837a0fdb32c58fecb88
SHA512: 23cdaedd73d26236b5a6b6b77035446be09e5d5b757761445c0ad104e7d661a094f498434984464e98986f1204ee5d9eddba1c3ab775699cd38f5798ec29925a
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize: 43KB
MD5: a330ad5cb5145462aece9dca8a501773
SHA1: 5746ec14e5fa6ac517b82b347518b698a02354de
SHA256: 38f5a029c0472fab24894b575fe2628931a18773636f025a28d482e25127b1f6
SHA512: 7d36ceb2d167fbf15b0250532bc4b286c5465bc472504340e876d078148fee87d8b69d07afadbeedf5a35420d9a137013c80ce843ff9efbb6db65fd913dc6b26
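Before this list is loaded into a blocklist, two caveats apply. The entry with no Filesize carries the digests of a zero-byte file (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855), so it identifies nothing and will match every empty file on a host; the 2-byte and sub-200-byte entries are nearly as weak. The page also does not say which digest belongs to which dropped path, so the only safe key is the digest itself. The script below is an added example, not part of the report; it parses entries in either the labelled form above or the run-together form the page is extracted in (`MD5a7211f...`), validates digest lengths, flags the low-value entries, and matches arbitrary bytes against the strongest digest each entry carries. The three sample entries are copied from this list; sizes are the sandbox's rounded figures and are treated as approximate.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three entries copied from the dropped-files list above.
# The third has no Filesize line on the page.
SAMPLE = """\
Filesize: 36KB
MD5: a7211f0fec58c1b4b79b277eb89c3931
SHA1: 4143e4b8b9bfcbe875057c17764fd3b182c46f47
SHA256: 20b468bdbdf66f316861fa8d727bc06f82dcae6f90134006e23e7eb9fb192eff
SHA512: c4f6d262a8bc2c3efb6d1a85e47165e68528845088665553600f99f1677983d29689227c8e33b5fe8dd8fd19b95ad8ab839a009a78fd8a0fd3f7040711ce2cfd
-
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Label optionally followed by ':' and whitespace, then the value (which may
# also be run straight into the label, or sit on the next line).
FIELD = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5):?\s*(\S*)$")
SIZE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB)$", re.I)
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}


@dataclass
class Ioc:
    size: Optional[int] = None          # bytes, from the sandbox's rounded figure
    hashes: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)


def digests(data: bytes) -> dict:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


EMPTY = digests(b"")


def quality_flags(e: Ioc) -> list:
    if any(e.hashes.get(a) == EMPTY[a] for a in EMPTY):
        return ["empty_file"]          # digests of zero bytes: matches every empty file
    if e.size is not None and e.size < 16:
        return ["trivially_small"]     # a few bytes collide with benign content
    return []


def parse(raw: str) -> list:
    """Parse '-'-separated entries; labels may be 'MD5: x', 'MD5x' or 'MD5' + next line."""
    entries, cur = [], Ioc()
    lines = [ln.strip() for ln in raw.splitlines()]
    i = 0
    while i < len(lines):
        m = FIELD.match(lines[i])
        if lines[i] == "-":
            if cur.hashes:
                entries.append(cur)
            cur = Ioc()
        elif m:
            label, value = m.group(1), m.group(2)
            if not value:                       # value pushed onto the following line
                i += 1
                value = lines[i]
            if label == "Filesize":
                s = SIZE.match(value)
                cur.size = int(float(s.group(1)) * UNIT[s.group(2).upper()])
            else:
                algo, hexval = label.lower(), value.lower()
                if len(hexval) != DIGEST_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", hexval):
                    raise ValueError(f"bad {algo} digest: {value}")
                cur.hashes[algo] = hexval
        i += 1
    if cur.hashes:
        entries.append(cur)
    for e in entries:
        e.flags = quality_flags(e)
    return entries


def match(data: bytes, iocs: list) -> Optional[Ioc]:
    """Return the entry whose strongest available digest matches the data, else None."""
    d = digests(data)
    for e in iocs:
        for algo in ("sha512", "sha256", "sha1", "md5"):
            if algo in e.hashes:
                if e.hashes[algo] == d[algo]:
                    return e
                break
    return None


if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(e.size, e.hashes["sha256"], e.flags or "ok")
```

In practice, drop every entry that comes back flagged and ship only the SHA256 of the remaining ones; MD5 is kept in the parsed record solely for cross-referencing older reports.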