Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-05-2024 00:10
Behavioral task behavioral1
  Sample: 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
  Target: 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
  Size: 44KB
  MD5: 5f024393b6674d1b8b40739671349520
  SHA1: eebd87e5db9539e2eb7f30d725347493b0e0499b
  SHA256: 53d8a05a40a3f6d222b20fd554572c504bd4bdd5bd3b9395522087137a44cc84
  SHA512: 6222298551aed36887209698c9152f44d90ba330c8d8bd8a2e596d281c8cad9ff48cf8054902152e90642c5f33c940d3856da684b54d6ae724cab03b561f53cd
  SSDEEP: 384:CxL+q5r+PpHfXhUkKvI4QwjQ/vFJhheJ06oZrj/vBKDJZJ/:ua4r+PpHfXGLOnNh8noR+f/
Malware Config
Signatures
Drops file in Drivers directory (39 IoCs)
Processes: AE 0124 BE.exe, winlogon.exe, 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
Manipulates Digital Signatures (2 IoCs)
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
Processes: AE 0124 BE.exe
  description                   ioc                                                          process
  File opened for modification  C:\Windows\SysWOW64\wintrust.dll                             AE 0124 BE.exe
  File opened for modification  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll      AE 0124 BE.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe, winlogon.exe, AE 0124 BE.exe
  description        ioc                                                                                                          process
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  winlogon.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  AE 0124 BE.exe
Executes dropped EXE (4 IoCs)
Processes: winlogon.exe, AE 0124 BE.exe
  pid   process
  4356  winlogon.exe
  4272  AE 0124 BE.exe
  2400  winlogon.exe
  2412  winlogon.exe
Loads dropped DLL (3 IoCs)
Processes: AE 0124 BE.exe, winlogon.exe
  pid   process
  4272  AE 0124 BE.exe
  2400  winlogon.exe
  2412  winlogon.exe
Processes:
  resource                                                                          yara_rule
  behavioral2/memory/2660-0-0x0000000000400000-0x000000000040B000-memory.dmp       upx
  C:\Windows\SysWOW64\drivers\winlogon.exe                                          upx
  behavioral2/memory/4356-47-0x0000000000400000-0x000000000040B000-memory.dmp      upx
  behavioral2/memory/4272-61-0x0000000000400000-0x000000000040B000-memory.dmp      upx
  behavioral2/memory/2660-64-0x0000000000400000-0x000000000040B000-memory.dmp      upx
  behavioral2/memory/2400-78-0x0000000000400000-0x000000000040B000-memory.dmp      upx
  behavioral2/memory/2412-82-0x0000000000400000-0x000000000040B000-memory.dmp      upx
  behavioral2/memory/4356-441-0x0000000000400000-0x000000000040B000-memory.dmp     upx
  behavioral2/memory/4272-442-0x0000000000400000-0x000000000040B000-memory.dmp     upx
  behavioral2/memory/4272-447-0x0000000000400000-0x000000000040B000-memory.dmp     upx
Drops desktop.ini file(s) (57 IoCs)
Processes: AE 0124 BE.exe
Drops autorun.inf file (1 TTP, 26 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: winlogon.exe, AE 0124 BE.exe
Drops file in System32 directory (64 IoCs)
Processes: AE 0124 BE.exe
Drops file in Windows directory (64 IoCs)
Processes: AE 0124 BE.exe
C:\Windows\WinSxS\FileMaps\$$_system32_dism_it-it_05bf00606e4cbad6.cdf-ms AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.19041.1266_none_8e5f726ca832e39d.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-r..onmanager.resources_31bf3856ad364e35_10.0.19041.1_en-us_ee629c44d6e47742.manifest AE 0124 BE.exe File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-DirectoryServices-ADAM-Client-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Catalogs\60a4678f8f2edc46bcfe73aa70c5a7cf09b7111dacdc1ce08cca1fcbaf511c73.cat AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-r..ility-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_aa053a531ba50121\Reliability.adml AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
Processes:
winlogon.exe, AE 0124 BE.exe, 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
-
NTFS ADS 1 IoCs
Processes:
5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
description ioc process
File created C:\Windows\AE 0124 BE.C:\WINDOWS\Installer\SourceHash{90120000-00BA-0409-0000-0000000FF1CE} 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe, winlogon.exe, AE 0124 BE.exe, winlogon.exe, winlogon.exe
pid process
2660 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe
4356 winlogon.exe
4272 AE 0124 BE.exe
2400 winlogon.exe
2412 winlogon.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe, winlogon.exe, AE 0124 BE.exe
description pid process target process
PID 2660 wrote to memory of 4356 2660 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe winlogon.exe
PID 2660 wrote to memory of 4356 2660 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe winlogon.exe
PID 2660 wrote to memory of 4356 2660 5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe winlogon.exe
PID 4356 wrote to memory of 4272 4356 winlogon.exe AE 0124 BE.exe
PID 4356 wrote to memory of 4272 4356 winlogon.exe AE 0124 BE.exe
PID 4356 wrote to memory of 4272 4356 winlogon.exe AE 0124 BE.exe
PID 4356 wrote to memory of 2400 4356 winlogon.exe winlogon.exe
PID 4356 wrote to memory of 2400 4356 winlogon.exe winlogon.exe
PID 4356 wrote to memory of 2400 4356 winlogon.exe winlogon.exe
PID 4272 wrote to memory of 2412 4272 AE 0124 BE.exe winlogon.exe
PID 4272 wrote to memory of 2412 4272 AE 0124 BE.exe winlogon.exe
PID 4272 wrote to memory of 2412 4272 AE 0124 BE.exe winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe "C:\Users\Admin\AppData\Local\Temp\5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe" (tree depth 1)
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" (tree depth 2)
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\AE 0124 BE.exe "C:\Windows\AE 0124 BE.exe" (tree depth 3)
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" (tree depth 4)
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2412 -
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" (tree depth 3)
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2400
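The process tree above is the detection-relevant part of this report: a file named winlogon.exe executing from SysWOW64\drivers, started by a user-land sample rather than smss.exe, with a command line that names System32\drivers while the loaded image sits in SysWOW64\drivers. The Python below is an added example, not part of the sandbox report or of any vendor tooling. It models Sysmon-style process-creation events (Image, CommandLine, ParentImage) and flags masquerading, broken parentage, a command-line/image mismatch and an executable in a drivers directory. PIDs and paths are taken from the tree; the legitimate winlogon.exe row, the sample's parent (explorer.exe) and the KNOWN_SYSTEM_IMAGES/EXPECTED_PARENT tables are assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass

# Assumed allow-list: where these well-known Windows image names legitimately run from.
KNOWN_SYSTEM_IMAGES = {
    "winlogon.exe": {r"c:\windows\system32\winlogon.exe"},
}
# Assumed: the only parent a legitimate instance has (winlogon.exe is started by smss.exe).
EXPECTED_PARENT = {"winlogon.exe": "smss.exe"}


@dataclass
class ProcEvent:
    pid: int
    image: str          # resolved path of the loaded image (Sysmon "Image")
    command_line: str   # what the parent passed in (Sysmon "CommandLine")
    parent_image: str   # Sysmon "ParentImage"


def norm(path: str) -> str:
    """Normalise a Windows path for comparison (case-insensitive, separators collapsed)."""
    return ntpath.normpath(path.strip()).lower()


def exe_from_command_line(cmd: str) -> str:
    """Return the program token of a command line, honouring quotes
    (needed here: 'AE 0124 BE.exe' contains spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def analyse(ev: ProcEvent) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means nothing matched."""
    reasons = []
    image = norm(ev.image)
    name = ntpath.basename(image)
    parent = norm(ev.parent_image)
    parent_name = ntpath.basename(parent)

    # 1. A system binary name running from somewhere it never lives (masquerading).
    if name in KNOWN_SYSTEM_IMAGES and image not in KNOWN_SYSTEM_IMAGES[name]:
        reasons.append(f"masquerading: {name} running from {image}")

    # 2. The parent/child relationship a real instance always has is broken.
    if name in EXPECTED_PARENT and parent_name != EXPECTED_PARENT[name]:
        reasons.append(f"unexpected parent {parent_name} for {name}")

    # 3. The parent itself is a masquerading copy of a system binary.
    if parent_name in KNOWN_SYSTEM_IMAGES and parent not in KNOWN_SYSTEM_IMAGES[parent_name]:
        reasons.append(f"parent masquerades as {parent_name} ({parent})")

    # 4. The command line names a different file than the image actually loaded.
    #    In this report the command line says System32\drivers but the image sits in
    #    SysWOW64\drivers, consistent with WOW64 file-system redirection for a 32-bit
    #    caller; so match on Image and treat CommandLine as attacker-controlled text.
    claimed = norm(exe_from_command_line(ev.command_line))
    if ntpath.dirname(claimed) and claimed != image:
        reasons.append(f"command line names {claimed} but image is {image}")

    # 5. An executable inside a drivers directory is not a normal thing to find.
    if name.endswith(".exe") and ntpath.dirname(image).endswith(r"\drivers"):
        reasons.append(f"executable in drivers directory: {image}")
    return reasons


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5f024393b6674d1b8b40739671349520_NeikiAnalytics.exe"
FAKE_WINLOGON = r"C:\Windows\SysWOW64\drivers\winlogon.exe"
DROPPER = r"C:\Windows\AE 0124 BE.exe"


def run_report_chain() -> dict[int, list[str]]:
    """Constructed events mirroring the report's process tree. PIDs and paths come
    from the report; the legitimate winlogon.exe row and the sample's parent are assumed."""
    events = [
        ProcEvent(700, r"C:\Windows\System32\winlogon.exe", "winlogon.exe",
                  r"C:\Windows\System32\smss.exe"),                          # assumed legitimate
        ProcEvent(2660, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),  # parent assumed
        ProcEvent(4356, FAKE_WINLOGON, r'"C:\Windows\System32\drivers\winlogon.exe"', SAMPLE),
        ProcEvent(4272, DROPPER, f'"{DROPPER}"', FAKE_WINLOGON),
        ProcEvent(2400, FAKE_WINLOGON, r'"C:\Windows\System32\drivers\winlogon.exe"', FAKE_WINLOGON),
        ProcEvent(2412, FAKE_WINLOGON, r'"C:\Windows\System32\drivers\winlogon.exe"', DROPPER),
    ]
    return {ev.pid: analyse(ev) for ev in events}


if __name__ == "__main__":
    for pid, reasons in run_report_chain().items():
        print(pid, reasons or "clean")
```

The rules are deliberately keyed on the Image field: the command line is whatever the parent chose to pass, and in this chain it would have steered a naive comparison towards System32\drivers while the file actually executed from SysWOW64\drivers.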
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize 48KB
MD5 0b8494ec0c080a03beb6bedef717bb8b
SHA1 39e69ef06bb12342d77b4a321f7003f0961d17db
SHA256 e9a41e2f6dd07661f4db2fb56b8af9a50f6cf733d0372b4a4a67b5cd2363ecac
SHA512 730f43a5220393332bb58e2e06bce8b06b4a96595b0751467ceebe3c838c36f061116892dbf6d5f9a55264e9826d5674d2e542b2c59262a93254bdbba39edc3f
-
Filesize 21B
MD5 9cceaa243c5d161e1ce41c7dad1903dd
SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b