ea6d561bd7a5a90d2392a3d524aa8d8716e98a8a1ad9564aa6d332eebfefaa27

General

Target

5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
Size

89KB
MD5

5ecc1c01366849de489bfe3c7a649df0
SHA1

f585b60bbe78b7cad4e43f4a2a7b008011a836ab
SHA256

ea6d561bd7a5a90d2392a3d524aa8d8716e98a8a1ad9564aa6d332eebfefaa27
SHA512

6910cb4da4a616faaae1131d4fdf96f251a1118c27941ff4edd5a47ecf4a3fab24dd9a0538422dd46ec0cc3a4d0e67820837ace5a8acc07bdcc3c472d7fe87dd
SSDEEP

1536:71sMveb4lR0daHy9v7Zc86y9U4AFRfBWAEnj:BDeb4T0daHy9DZc86yGUtnj

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

SPOOLSV.EXESVCHOST.EXESVCHOST.EXE5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	SVCHOST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\recycled\\SVCHOST.exe,"	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

SPOOLSV.EXESVCHOST.EXESVCHOST.EXE5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SPOOLSV.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SVCHOST.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

SVCHOST.EXE5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exeSPOOLSV.EXESVCHOST.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SPOOLSV.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SVCHOST.EXE

Executes dropped EXE 12 IoCs

Processes:

SVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXE

pid	process
2564	SVCHOST.EXE
2412	SVCHOST.EXE
2568	SVCHOST.EXE
2520	SVCHOST.EXE
2420	SVCHOST.EXE
2480	SPOOLSV.EXE
1804	SVCHOST.EXE
2164	SVCHOST.EXE
592	SPOOLSV.EXE
776	SPOOLSV.EXE
1584	SVCHOST.EXE
2840	SPOOLSV.EXE

Loads dropped DLL 16 IoCs

Processes:

5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXE

pid	process
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Recycled\desktop.ini	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened for modification	F:\Recycled\desktop.ini	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SVCHOST.EXESVCHOST.EXESPOOLSV.EXE5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe

description	ioc	process
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SPOOLSV.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\T:	SVCHOST.EXE
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\N:	SPOOLSV.EXE
File opened (read-only)	\??\M:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	SVCHOST.EXE
File opened (read-only)	\??\X:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\Q:	SPOOLSV.EXE
File opened (read-only)	\??\U:	SPOOLSV.EXE
File opened (read-only)	\??\N:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\U:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\I:	SPOOLSV.EXE
File opened (read-only)	\??\G:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\T:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\L:	SVCHOST.EXE
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\G:	SPOOLSV.EXE
File opened (read-only)	\??\K:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\I:	SVCHOST.EXE
File opened (read-only)	\??\P:	SPOOLSV.EXE
File opened (read-only)	\??\I:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\K:	SVCHOST.EXE
File opened (read-only)	\??\N:	SVCHOST.EXE
File opened (read-only)	\??\S:	SPOOLSV.EXE
File opened (read-only)	\??\J:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\Z:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\O:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\Z:	SVCHOST.EXE
File opened (read-only)	\??\Y:	SVCHOST.EXE
File opened (read-only)	\??\T:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SPOOLSV.EXE
File opened (read-only)	\??\J:	SVCHOST.EXE
File opened (read-only)	\??\P:	SVCHOST.EXE
File opened (read-only)	\??\S:	SVCHOST.EXE
File opened (read-only)	\??\J:	SPOOLSV.EXE
File opened (read-only)	\??\W:	SPOOLSV.EXE
File opened (read-only)	\??\V:	SVCHOST.EXE
File opened (read-only)	\??\X:	SVCHOST.EXE
File opened (read-only)	\??\H:	SPOOLSV.EXE
File opened (read-only)	\??\M:	SVCHOST.EXE
File opened (read-only)	\??\U:	SVCHOST.EXE
File opened (read-only)	\??\W:	SVCHOST.EXE
File opened (read-only)	\??\G:	SVCHOST.EXE
File opened (read-only)	\??\E:	SPOOLSV.EXE
File opened (read-only)	\??\O:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	SVCHOST.EXE
File opened (read-only)	\??\R:	SPOOLSV.EXE
File opened (read-only)	\??\H:	SVCHOST.EXE

Drops file in Windows directory 2 IoCs

Processes:

5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\docicon.exe	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXE5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SVCHOST.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\InfoTip = "prop:Type;Write;Size"	SVCHOST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SPOOLSV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\QuickTip = "prop:Type;Size"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\TileInfo = "prop:Type;Size"	SVCHOST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "Microsoft Word 97 - 2003 Document"	SPOOLSV.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1796 WINWORD.EXE

pid	process
1796	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SPOOLSV.EXESVCHOST.EXESVCHOST.EXE5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe

pid	process
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2568	SVCHOST.EXE
2564	SVCHOST.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2564	SVCHOST.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
2480	SPOOLSV.EXE
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exeSVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESVCHOST.EXESVCHOST.EXESPOOLSV.EXESPOOLSV.EXESVCHOST.EXESPOOLSV.EXEWINWORD.EXE

pid	process
3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
2564	SVCHOST.EXE
2412	SVCHOST.EXE
2568	SVCHOST.EXE
2520	SVCHOST.EXE
2420	SVCHOST.EXE
2480	SPOOLSV.EXE
1804	SVCHOST.EXE
2164	SVCHOST.EXE
592	SPOOLSV.EXE
776	SPOOLSV.EXE
1584	SVCHOST.EXE
2840	SPOOLSV.EXE
1796	WINWORD.EXE
1796	WINWORD.EXE

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exeSVCHOST.EXESVCHOST.EXESPOOLSV.EXEuserinit.exe

description	pid	process	target process
PID 3012 wrote to memory of 2564	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SVCHOST.EXE
PID 3012 wrote to memory of 2564	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SVCHOST.EXE
PID 3012 wrote to memory of 2564	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SVCHOST.EXE
PID 3012 wrote to memory of 2564	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SVCHOST.EXE
PID 2564 wrote to memory of 2412	2564	SVCHOST.EXE	SVCHOST.EXE
PID 2564 wrote to memory of 2412	2564	SVCHOST.EXE	SVCHOST.EXE
PID 2564 wrote to memory of 2412	2564	SVCHOST.EXE	SVCHOST.EXE
PID 2564 wrote to memory of 2412	2564	SVCHOST.EXE	SVCHOST.EXE
PID 2564 wrote to memory of 2568	2564	SVCHOST.EXE	SVCHOST.EXE
PID 2564 wrote to memory of 2568	2564	SVCHOST.EXE	SVCHOST.EXE
PID 2564 wrote to memory of 2568	2564	SVCHOST.EXE	SVCHOST.EXE
PID 2564 wrote to memory of 2568	2564	SVCHOST.EXE	SVCHOST.EXE
PID 2568 wrote to memory of 2520	2568	SVCHOST.EXE	SVCHOST.EXE
PID 2568 wrote to memory of 2520	2568	SVCHOST.EXE	SVCHOST.EXE
PID 2568 wrote to memory of 2520	2568	SVCHOST.EXE	SVCHOST.EXE
PID 2568 wrote to memory of 2520	2568	SVCHOST.EXE	SVCHOST.EXE
PID 2568 wrote to memory of 2420	2568	SVCHOST.EXE	SVCHOST.EXE
PID 2568 wrote to memory of 2420	2568	SVCHOST.EXE	SVCHOST.EXE
PID 2568 wrote to memory of 2420	2568	SVCHOST.EXE	SVCHOST.EXE
PID 2568 wrote to memory of 2420	2568	SVCHOST.EXE	SVCHOST.EXE
PID 2568 wrote to memory of 2480	2568	SVCHOST.EXE	SPOOLSV.EXE
PID 2568 wrote to memory of 2480	2568	SVCHOST.EXE	SPOOLSV.EXE
PID 2568 wrote to memory of 2480	2568	SVCHOST.EXE	SPOOLSV.EXE
PID 2568 wrote to memory of 2480	2568	SVCHOST.EXE	SPOOLSV.EXE
PID 2480 wrote to memory of 1804	2480	SPOOLSV.EXE	SVCHOST.EXE
PID 2480 wrote to memory of 1804	2480	SPOOLSV.EXE	SVCHOST.EXE
PID 2480 wrote to memory of 1804	2480	SPOOLSV.EXE	SVCHOST.EXE
PID 2480 wrote to memory of 1804	2480	SPOOLSV.EXE	SVCHOST.EXE
PID 2480 wrote to memory of 2164	2480	SPOOLSV.EXE	SVCHOST.EXE
PID 2480 wrote to memory of 2164	2480	SPOOLSV.EXE	SVCHOST.EXE
PID 2480 wrote to memory of 2164	2480	SPOOLSV.EXE	SVCHOST.EXE
PID 2480 wrote to memory of 2164	2480	SPOOLSV.EXE	SVCHOST.EXE
PID 2480 wrote to memory of 592	2480	SPOOLSV.EXE	SPOOLSV.EXE
PID 2480 wrote to memory of 592	2480	SPOOLSV.EXE	SPOOLSV.EXE
PID 2480 wrote to memory of 592	2480	SPOOLSV.EXE	SPOOLSV.EXE
PID 2480 wrote to memory of 592	2480	SPOOLSV.EXE	SPOOLSV.EXE
PID 2564 wrote to memory of 776	2564	SVCHOST.EXE	SPOOLSV.EXE
PID 2564 wrote to memory of 776	2564	SVCHOST.EXE	SPOOLSV.EXE
PID 2564 wrote to memory of 776	2564	SVCHOST.EXE	SPOOLSV.EXE
PID 2564 wrote to memory of 776	2564	SVCHOST.EXE	SPOOLSV.EXE
PID 3012 wrote to memory of 1584	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SVCHOST.EXE
PID 3012 wrote to memory of 1584	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SVCHOST.EXE
PID 3012 wrote to memory of 1584	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SVCHOST.EXE
PID 3012 wrote to memory of 1584	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SVCHOST.EXE
PID 2564 wrote to memory of 2508	2564	SVCHOST.EXE	userinit.exe
PID 2564 wrote to memory of 2508	2564	SVCHOST.EXE	userinit.exe
PID 2564 wrote to memory of 2508	2564	SVCHOST.EXE	userinit.exe
PID 2564 wrote to memory of 2508	2564	SVCHOST.EXE	userinit.exe
PID 3012 wrote to memory of 2840	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SPOOLSV.EXE
PID 3012 wrote to memory of 2840	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SPOOLSV.EXE
PID 3012 wrote to memory of 2840	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SPOOLSV.EXE
PID 3012 wrote to memory of 2840	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	SPOOLSV.EXE
PID 2508 wrote to memory of 2500	2508	userinit.exe	Explorer.EXE
PID 2508 wrote to memory of 2500	2508	userinit.exe	Explorer.EXE
PID 2508 wrote to memory of 2500	2508	userinit.exe	Explorer.EXE
PID 2508 wrote to memory of 2500	2508	userinit.exe	Explorer.EXE
PID 3012 wrote to memory of 1796	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	WINWORD.EXE
PID 3012 wrote to memory of 1796	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	WINWORD.EXE
PID 3012 wrote to memory of 1796	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	WINWORD.EXE
PID 3012 wrote to memory of 1796	3012	5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2412

F:\recycled\SVCHOST.EXE
F:\recycled\SVCHOST.EXE :agent
3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2520

F:\recycled\SVCHOST.EXE
F:\recycled\SVCHOST.EXE :agent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2420

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480

C:\recycled\SVCHOST.EXE
C:\recycled\SVCHOST.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1804

F:\recycled\SVCHOST.EXE
F:\recycled\SVCHOST.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2164

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:592

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:776

C:\Windows\SysWOW64\userinit.exe
C:\Windows\system32\userinit.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
4⤵
PID:2500

F:\recycled\SVCHOST.EXE
F:\recycled\SVCHOST.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1584

C:\recycled\SPOOLSV.EXE
C:\recycled\SPOOLSV.EXE :agent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5ecc1c01366849de489bfe3c7a649df0_NeikiAnalytics.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

Filesize
1KB

MD5
0269b6347e473980c5378044ac67aa1f

SHA1
c3334de50e320ad8bce8398acff95c363d039245

SHA256
68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

SHA512
e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

Download Submit
C:\begolu.txt

Filesize
2B

MD5
2b9d4fa85c8e82132bde46b143040142

SHA1
a02431cf7c501a5b368c91e41283419d8fa9fb03

SHA256
4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

SHA512
c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

Download Submit
F:\Recycled\SVCHOST.EXE

Filesize
89KB

MD5
281b95414550ee1a95ce1c76a3f5b5dd

SHA1
51a304c7372a4d40edcbe8c5ce7afb3c3dee5a5e

SHA256
a2b674ae8996eeef6a08dab8d1b9f1ee84341109f7c8ddb665f20bf6624e06f9

SHA512
389d37b23ff77eb7df1a9813098724cbba22a3fe300017225020d5b82e9676cb50116eeede2b6b5bbd3122faa56083e39c22b49ba937c0cae52210600cf9c16f

Download Submit
\Recycled\SPOOLSV.EXE

Filesize
89KB

MD5
ed3fa0155cd443edda264a8ac39d06df

SHA1
5309ac8a766ef2d854c6b6b680524693f9e6b622

SHA256
ee14644b2770aa2060224fd5be2b0a9d5753b789cc52c330a0d3ff21b4c84735

SHA512
7a68000aa27256193d33c1ef75abad7074a4da710d585b2eee6a035671d06e134d3869ee8324144a36beac9e32548b2f04c3ce659038c5682f3b7cb1b79aa580

Download Submit
\Recycled\SVCHOST.EXE

Filesize
89KB

MD5
883338dbb8372df3fe4c3943435653bf

SHA1
30e0b07fcad710310e18f0e788dfa943cc85b48a

SHA256
a69141e841784498d2506d654020939db9220d0a4cabfd9cd41f34b91f10369a

SHA512
b97f86c09b8d81b7eb9993af2c51ad78fc2fa2bcb03b6b6de60497595a3a6fe36c1eb07d872aa111d987cb7299f397a022d492ea27b703d32f029aa6103542d6

Download Submit
memory/592-82-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/776-89-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/776-85-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1584-95-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1796-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1804-67-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1804-74-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2164-77-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2164-75-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2412-35-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2420-56-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2480-66-0x0000000000380000-0x000000000039A000-memory.dmp

Filesize
104KB

Download
memory/2520-51-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2564-41-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/2564-37-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/2564-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2564-32-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/2564-24-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2568-57-0x0000000001D10000-0x0000000001D2A000-memory.dmp

Filesize
104KB

Download
memory/2840-101-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3012-91-0x0000000002590000-0x00000000025AA000-memory.dmp

Filesize
104KB

Download
memory/3012-98-0x0000000002590000-0x00000000025AA000-memory.dmp

Filesize
104KB

Download
memory/3012-102-0x00000000041B0000-0x00000000041C0000-memory.dmp

Filesize
64KB

Download
memory/3012-103-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3012-23-0x0000000002590000-0x00000000025AA000-memory.dmp

Filesize
104KB

Download
memory/3012-22-0x0000000002590000-0x00000000025AA000-memory.dmp

Filesize
104KB

Download
memory/3012-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads