Analysis
max time kernel: 131s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 00:10
Behavioral task: behavioral1
Sample: 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
Size: 44KB
MD5: 5f024393b6674d1b8b40739671349520
SHA1: eebd87e5db9539e2eb7f30d725347493b0e0499b
SHA256: 53d8a05a40a3f6d222b20fd554572c504bd4bdd5bd3b9395522087137a44cc84
SHA512: 6222298551aed36887209698c9152f44d90ba330c8d8bd8a2e596d281c8cad9ff48cf8054902152e90642c5f33c940d3856da684b54d6ae724cab03b561f53cd
SSDEEP: 384:CxL+q5r+PpHfXhUkKvI4QwjQ/vFJhheJ06oZrj/vBKDJZJ/:ua4r+PpHfXGLOnNh8noR+f/
Malware Config
Signatures
Drops file in Drivers directory 60 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
Processes: AE 0124 BE.exe
description    ioc    process
File opened for modification    C:\Windows\SysWOW64\wintrust.dll    AE 0124 BE.exe
File opened for modification    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll    AE 0124 BE.exe
Executes dropped EXE 4 IoCs
Processes: winlogon.exe, AE 0124 BE.exe, winlogon.exe, winlogon.exe
pid    process
2464    winlogon.exe
2516    AE 0124 BE.exe
2468    winlogon.exe
2476    winlogon.exe
Loads dropped DLL 8 IoCs
Processes: 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe, winlogon.exe, winlogon.exe, AE 0124 BE.exe, winlogon.exe
pid    process
2980    5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
2980    5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
2464    winlogon.exe
2464    winlogon.exe
2468    winlogon.exe
2516    AE 0124 BE.exe
2516    AE 0124 BE.exe
2476    winlogon.exe
Processes:
resource    yara_rule
behavioral1/memory/2980-0-0x0000000000400000-0x000000000040B000-memory.dmp    upx
\Windows\SysWOW64\drivers\winlogon.exe    upx
behavioral1/memory/2980-33-0x0000000000400000-0x000000000040B000-memory.dmp    upx
behavioral1/memory/2476-67-0x0000000000400000-0x000000000040B000-memory.dmp    upx
behavioral1/memory/2468-70-0x0000000000400000-0x000000000040B000-memory.dmp    upx
behavioral1/memory/2464-86-0x0000000000400000-0x000000000040B000-memory.dmp    upx
behavioral1/memory/2516-89-0x0000000000400000-0x000000000040B000-memory.dmp    upx
Drops desktop.ini file(s) 57 IoCs
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NTFS ADS 1 IoCs
Processes:
5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
description | ioc | process
File created | C:\Windows\AE 0124 BE.C:\WINDOWS\Installer\SourceHash{90120000-00BA-0409-0000-0000000FF1CE} | 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
winlogon.exe
AE 0124 BE.exe
winlogon.exe
winlogon.exe
pid | process
2980 | 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
2464 | winlogon.exe
2516 | AE 0124 BE.exe
2476 | winlogon.exe
2468 | winlogon.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
winlogon.exe
AE 0124 BE.exe
description | pid | process | target process
PID 2980 wrote to memory of 2464 | 2980 | 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe | winlogon.exe
PID 2980 wrote to memory of 2464 | 2980 | 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe | winlogon.exe
PID 2980 wrote to memory of 2464 | 2980 | 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe | winlogon.exe
PID 2980 wrote to memory of 2464 | 2980 | 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe | winlogon.exe
PID 2464 wrote to memory of 2516 | 2464 | winlogon.exe | AE 0124 BE.exe
PID 2464 wrote to memory of 2516 | 2464 | winlogon.exe | AE 0124 BE.exe
PID 2464 wrote to memory of 2516 | 2464 | winlogon.exe | AE 0124 BE.exe
PID 2464 wrote to memory of 2516 | 2464 | winlogon.exe | AE 0124 BE.exe
PID 2464 wrote to memory of 2468 | 2464 | winlogon.exe | winlogon.exe
PID 2464 wrote to memory of 2468 | 2464 | winlogon.exe | winlogon.exe
PID 2464 wrote to memory of 2468 | 2464 | winlogon.exe | winlogon.exe
PID 2464 wrote to memory of 2468 | 2464 | winlogon.exe | winlogon.exe
PID 2516 wrote to memory of 2476 | 2516 | AE 0124 BE.exe | winlogon.exe
PID 2516 wrote to memory of 2476 | 2516 | AE 0124 BE.exe | winlogon.exe
PID 2516 wrote to memory of 2476 | 2516 | AE 0124 BE.exe | winlogon.exe
PID 2516 wrote to memory of 2476 | 2516 | AE 0124 BE.exe | winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe" 1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" 2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\AE 0124 BE.exe "C:\Windows\AE 0124 BE.exe" 3⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" 4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2476 -
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" 3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2468
Network
MITRE ATT&CK Enterprise v15
Downloads