Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/05/2024, 06:19
Behavioral task: behavioral1
Sample: bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
Size: 532KB
MD5: bb3014ba20f8bb3c5cc0742b8f2946c0
SHA1: 08f671eb0abc9e5384d03fc24572aae59e66cb29
SHA256: f943dd4b187f62b888b8bc3effd81a882907da2fe95eb06be0512714f4418bc3
SHA512: c924f05b42e5c9b59bd5990e134a56516cbd702eb00aff68b03d53653311118118b5a0dc4308996c1cd917c6060afc1916633ea8f52a13dc36abd10f37cf8b34
SSDEEP: 6144:+vMgrmEs7eVyYr9AmEcmI5qpYDb1MV+w1ILKcjIBvGKkSLIM:+vMg9sKVyY3EcmIopMbv1OcjIBvGKkSH
Malware Config
Signatures
Drops file in Drivers directory 39 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
Executes dropped EXE 4 IoCs
pid | Process
2028 | winlogon.exe
3052 | AE 0124 BE.exe
4800 | winlogon.exe
4636 | winlogon.exe
Loads dropped DLL 3 IoCs
pid | Process
3052 | AE 0124 BE.exe
4800 | winlogon.exe
4636 | winlogon.exe
resource | yara_rule
behavioral2/memory/5068-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/files/0x0007000000023443-18.dat | upx
behavioral2/memory/5068-72-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4800-83-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4636-90-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2028-309-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3052-410-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3052-472-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Blocklisted process makes network request 1 IoCs
flow | pid | Process
7 | 532 | msiexec.exe
Drops desktop.ini file(s) 57 IoCs
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 26 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core-svc.resources_31bf3856ad364e35_10.0.19041.1_it-it_cf441ec795db1b05\WinMgmt.exe.mui AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-n..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-us_60bcfbe5bfae04cd.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-windowui.resources_31bf3856ad364e35_10.0.19041.1_en-us_857908af9a7ca4e0.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_netfx4-compatjit_dll_31bf3856ad364e35_4.0.15805.0_none_6579b90b4d4f7cae.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-feedsbs.resources_31bf3856ad364e35_11.0.19041.1_ja-jp_612cbf2e9fb3c08a\msfeedsbs.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..fications.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_9b7b179ed63cc489.manifest AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run, however, every hit is attributed to vssvc.exe (PID 3552), the Volume Shadow Copy service, which reads the disk's Device Parameters key and caches partition-table and snapshot data under Device Parameters\Partmgr while a snapshot is prepared. None of the sample's own processes (bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe, winlogon.exe, AE 0124 BE.exe) appear in this table, so these IoCs are a side effect of the VSS activity recorded below, not a virtual-machine check performed by the malware.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
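As an added example (not part of the sandbox report and not the sample's code), the following Python parses rows of the kind shown above, splits the SCSI instance ID into device class, vendor, product and revision, and flags vendor/product strings that point at a hypervisor. It goes beyond the page by adding two constructed rows for VMware and Hyper-V disks so the classifier has something to flag; the VM_MARKERS list is the example's own and is illustrative, not exhaustive. Whether "DADY"/"HARDDISK" is real hardware or a value chosen by the sandbox is not stated on the page. The last function shows that the SnapshotDataCache value recorded above begins with the ASCII bytes "SNAPPART"; the layout of the remainder of that blob is not documented here and is left as raw bytes.

```python
import re
from typing import Optional

# Rows taken from the "Checks SCSI registry key(s)" table above; the PartitionTableCache
# value is not reproduced on the page, so that row is omitted.
PAGE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe",
    r"Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe",
]
# Constructed rows (not from the page) showing how a hypervisor disk appears under the same key.
CONSTRUCTED_ROWS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000\Device Parameters sample.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\000001\Device Parameters sample.exe",
]
# First 20 bytes of the SnapshotDataCache value recorded above.
SNAPSHOT_DATA_CACHE_HEX = "534e41505041525401000000700000008ec7416a"

# The instance ID sits between \Enum\SCSI\ and the next backslash:
# <class>&Ven_<vendor>&Prod_<product>[&Rev_<revision>]
_INSTANCE_RE = re.compile(r"\\Enum\\SCSI\\([^\\]+)\\", re.IGNORECASE)
# Substrings that identify common virtual disks. Assumption: illustrative, not exhaustive.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "VIRTIO", "VIRTUAL", "XEN", "PARALLELS")


def parse_scsi_row(row: str) -> Optional[dict]:
    """Split one report row into device class, vendor, product, revision and acting process."""
    m = _INSTANCE_RE.search(row)
    if m is None:
        return None
    parts = m.group(1).split("&")
    fields = {"class": parts[0], "vendor": "", "product": "", "revision": "",
              "process": row.rsplit(" ", 1)[-1]}  # process name is the last token of the row
    for part in parts[1:]:
        key, _, value = part.partition("_")   # "Prod_Virtual_disk" -> ("Prod", "Virtual_disk")
        if key.upper() == "VEN":
            fields["vendor"] = value
        elif key.upper() == "PROD":
            fields["product"] = value
        elif key.upper() == "REV":
            fields["revision"] = value
    return fields


def looks_virtual(vendor: str, product: str) -> bool:
    """True if the vendor/product text contains a known hypervisor marker."""
    haystack = f"{vendor} {product}".upper().replace("_", " ")
    return any(marker in haystack for marker in VM_MARKERS)


def triage(rows):
    """Parse every row and tag it with whether its vendor/product string points at a hypervisor."""
    findings = []
    for row in rows:
        f = parse_scsi_row(row)
        if f is not None:
            f["virtual"] = looks_virtual(f["vendor"], f["product"])
            findings.append(f)
    return findings


def decode_magic(hex_blob: str, length: int = 8) -> str:
    """Decode the leading bytes of a REG_BINARY value as ASCII to spot a structure tag."""
    return bytes.fromhex(hex_blob[: length * 2]).decode("ascii", errors="replace")


if __name__ == "__main__":
    for f in triage(PAGE_ROWS + CONSTRUCTED_ROWS):
        flag = "hypervisor marker" if f["virtual"] else "no hypervisor marker"
        print(f'{f["process"]:12} {f["vendor"]}/{f["product"]}: {flag}')
    print("SnapshotDataCache starts with", decode_magic(SNAPSHOT_DATA_CACHE_HEX))
```

Run against the two page rows, the vendor string yields no hypervisor marker; the constructed VMware and Msft Virtual Disk rows do. A sample that performs this check itself would appear as the acting process in the last column, which is the detail to look for before treating this signature as evasion.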
Modifies registry class 4 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (AE 0124 BE.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings (bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (winlogon.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 3632 msiexec.exe
- PID 3632 msiexec.exe
Suspicious use of AdjustPrivilegeToken 49 IoCs
Token adjustments grouped by process (repeats kept, order within each group as recorded):
- PID 532 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 3632 msiexec.exe (7): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
- PID 3552 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 4388 srtasks.exe (8): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
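Added triage helper (not code from the report) that parses "Token: <privilege> <pid> <process>" rows like the ones above into per-process sets and ranks processes by how many of a chosen set of high-impact privileges they adjusted. The HIGH_RISK set and the excerpt of rows (a subset of the 49 recorded) are the example's own. What this table records is AdjustTokenPrivileges calls; such a call can only enable a privilege the token already holds, so the list shows what each process asked to enable, not what it gained. Every hit here is on a Windows binary (msiexec.exe, vssvc.exe, srtasks.exe), none on the dropped executables, which is the point the ranking makes visible.

```python
import re
from collections import defaultdict

# Excerpt constructed from the "Suspicious use of AdjustPrivilegeToken" table above
# (a subset of the 49 rows, in the report's own "Token: <priv> <pid> <process>" form).
SAMPLE_TEXT = (
    "Token: SeShutdownPrivilege 532 msiexec.exe Token: SeIncreaseQuotaPrivilege 532 msiexec.exe "
    "Token: SeSecurityPrivilege 3632 msiexec.exe Token: SeCreateTokenPrivilege 532 msiexec.exe "
    "Token: SeTcbPrivilege 532 msiexec.exe Token: SeLoadDriverPrivilege 532 msiexec.exe "
    "Token: SeDebugPrivilege 532 msiexec.exe Token: SeBackupPrivilege 3552 vssvc.exe "
    "Token: SeRestorePrivilege 3552 vssvc.exe Token: SeAuditPrivilege 3552 vssvc.exe "
    "Token: SeBackupPrivilege 3632 msiexec.exe Token: SeRestorePrivilege 3632 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 3632 msiexec.exe Token: SeBackupPrivilege 4388 srtasks.exe "
    "Token: SeRestorePrivilege 4388 srtasks.exe Token: SeSecurityPrivilege 4388 srtasks.exe "
    "Token: SeTakeOwnershipPrivilege 4388 srtasks.exe"
)

_TOKEN_RE = re.compile(r"Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)")

# Privileges that, once enabled, are equivalent to control of the host (the example's own choice).
HIGH_RISK = frozenset({
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeImpersonatePrivilege",
})


def parse_token_rows(text: str):
    """Return [(privilege, pid, process)] for every Token: row in the flattened table."""
    return [(priv, int(pid), proc) for priv, pid, proc in _TOKEN_RE.findall(text)]


def privileges_by_process(text: str):
    """Collapse the rows into {(pid, process): set(privileges)}; repeats fold into the set."""
    per = defaultdict(set)
    for priv, pid, proc in parse_token_rows(text):
        per[(pid, proc)].add(priv)
    return dict(per)


def rank(text: str):
    """[(pid, process, sorted high-risk privileges, total distinct privileges)],
    most high-risk privileges first, then ascending PID."""
    out = []
    for (pid, proc), privs in privileges_by_process(text).items():
        out.append((pid, proc, sorted(privs & HIGH_RISK), len(privs)))
    out.sort(key=lambda r: (-len(r[2]), r[0]))
    return out


if __name__ == "__main__":
    for pid, proc, risky, total in rank(SAMPLE_TEXT):
        print(f"PID {pid:<5} {proc:<12} high-risk {len(risky)}/{total}: {', '.join(risky)}")
```

On the excerpt, the client msiexec.exe (PID 532) ranks first because it asked for SeCreateToken, SeDebug, SeLoadDriver and SeTcb in one sweep; the installer service (3632) and srtasks.exe (4388) follow with the backup/restore/take-ownership trio that restore-point creation needs.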
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 532 msiexec.exe
Suspicious use of SetWindowsHookEx 5 IoCs
- PID 5068 bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
- PID 2028 winlogon.exe
- PID 3052 AE 0124 BE.exe
- PID 4800 winlogon.exe
- PID 4636 winlogon.exe
Suspicious use of WriteProcessMemory 17 IoCs
Columns: description, pid, Process, procid_target
- PID 5068 wrote to memory of 532 | 5068 bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe | 86
- PID 5068 wrote to memory of 532 | 5068 bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe | 86
- PID 5068 wrote to memory of 532 | 5068 bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe | 86
- PID 5068 wrote to memory of 2028 | 5068 bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe | 87
- PID 5068 wrote to memory of 2028 | 5068 bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe | 87
- PID 5068 wrote to memory of 2028 | 5068 bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe | 87
- PID 2028 wrote to memory of 3052 | 2028 winlogon.exe | 89
- PID 2028 wrote to memory of 3052 | 2028 winlogon.exe | 89
- PID 2028 wrote to memory of 3052 | 2028 winlogon.exe | 89
- PID 2028 wrote to memory of 4800 | 2028 winlogon.exe | 91
- PID 2028 wrote to memory of 4800 | 2028 winlogon.exe | 91
- PID 2028 wrote to memory of 4800 | 2028 winlogon.exe | 91
- PID 3052 wrote to memory of 4636 | 3052 AE 0124 BE.exe | 93
- PID 3052 wrote to memory of 4636 | 3052 AE 0124 BE.exe | 93
- PID 3052 wrote to memory of 4636 | 3052 AE 0124 BE.exe | 93
- PID 3632 wrote to memory of 4388 | 3632 msiexec.exe | 106
- PID 3632 wrote to memory of 4388 | 3632 msiexec.exe | 106
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the VSS activity comes from the Windows Installer path rather than from the sample directly: the client msiexec.exe /i "C:\Windows\AE 0124 BE.msi" (PID 532) hands the install to the Windows Installer service process msiexec.exe /V (PID 3632), which runs srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 (PID 4388) to create a system restore point, and vssvc.exe (PID 3552) is started to take that snapshot. The ..._OnDiskSnapshotProp file under System Volume Information\SPP\OnlineMetadataCache listed in Downloads is consistent with that restore point. No shadow-copy deletion appears in the process list (no vssadmin, wmic shadowcopy or wbadmin invocation), so this is not the recovery-inhibition pattern the signature name can suggest; the notable fact is that the MSI was installed from C:\Windows rather than from a user-writable temp directory.
Processes
- [PID 5068] C:\Users\Admin\AppData\Local\Temp\bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [PID 532] C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  - [PID 2028] C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [PID 3052] C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [PID 4636] C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
    - [PID 4800] C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
- [PID 3632] C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [PID 4388] C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
- [PID 3552] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
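Added example (not code from the report or the sample) that rebuilds the process tree from the "wrote to memory of" rows and the image paths listed above, then checks each image against the directory where a binary of that name legitimately lives. WPM_ROWS and IMAGES are copied from the page; EXPECTED_DIRS is the example's own table and covers only the four system binary names present here. Two things it surfaces: the 32-bit processes show an image path under SysWOW64 while their command line says System32 (WOW64 file-system redirection, expected for a 32-bit sample), and winlogon.exe runs from C:\Windows\SysWOW64\drivers, which is not where the real winlogon.exe lives (C:\Windows\System32), so "winlogon.exe" in this tree is the dropped payload using a system binary name. The same edges also isolate the msiexec.exe (3632) to srtasks.exe (4388) branch that accounts for the restore-point and VSS activity.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rows copied from the "Suspicious use of WriteProcessMemory" table above (repeats kept as recorded).
WPM_ROWS = """
PID 5068 wrote to memory of 532 5068 bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe 86
PID 5068 wrote to memory of 532 5068 bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe 86
PID 5068 wrote to memory of 532 5068 bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe 86
PID 5068 wrote to memory of 2028 5068 bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe 87
PID 2028 wrote to memory of 3052 2028 winlogon.exe 89
PID 2028 wrote to memory of 4800 2028 winlogon.exe 91
PID 3052 wrote to memory of 4636 3052 AE 0124 BE.exe 93
PID 3632 wrote to memory of 4388 3632 msiexec.exe 106
"""

# Image paths copied from the process list above, keyed by PID.
IMAGES = {
    5068: r"C:\Users\Admin\AppData\Local\Temp\bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe",
    532: r"C:\Windows\SysWOW64\msiexec.exe",
    2028: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
    3052: r"C:\Windows\AE 0124 BE.exe",
    4636: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
    4800: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
    3632: r"C:\Windows\system32\msiexec.exe",
    4388: r"C:\Windows\system32\srtasks.exe",
    3552: r"C:\Windows\system32\vssvc.exe",
}

# Where each system binary name legitimately lives. Assumption: the example's own table.
EXPECTED_DIRS = {
    "winlogon.exe": {r"c:\windows\system32"},
    "msiexec.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "srtasks.exe": {r"c:\windows\system32"},
    "vssvc.exe": {r"c:\windows\system32"},
}

# Row shape: "PID <writer> wrote to memory of <target> <writer> <process name> <procid_target>"
# The process name may contain spaces ("AE 0124 BE.exe"); the trailing column is not needed here.
_WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (.+?) (\d+)$")


def parse_wpm(text: str):
    """Return the set of (writer_pid, target_pid) edges; repeated rows collapse to one edge."""
    edges = set()
    for line in text.strip().splitlines():
        m = _WPM_RE.match(line.strip())
        if m:
            edges.add((int(m.group(1)), int(m.group(2))))
    return edges


def render_tree(edges, images):
    """Indent each process under the process that wrote into it; PIDs nobody wrote to are roots."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    written_to = {child for _, child in edges}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"[{pid}] {images.get(pid, '?')}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(p for p in images if p not in written_to):
        walk(root, 0)
    return lines


def masquerade_findings(images):
    """Flag a known system binary name running from a directory where that binary does not live."""
    findings = []
    for pid, path in images.items():
        p = PureWindowsPath(path)
        expected = EXPECTED_DIRS.get(p.name.lower())
        if expected is not None and str(p.parent).lower() not in expected:
            findings.append((pid, p.name, str(p.parent)))
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(render_tree(parse_wpm(WPM_ROWS), IMAGES)))
    for pid, name, where in masquerade_findings(IMAGES):
        print(f"masquerade? PID {pid}: {name} launched from {where}")
```

The tree it prints has three roots (vssvc.exe, the installer service msiexec.exe /V, and the sample), and the masquerade check flags all three winlogon.exe instances (PIDs 2028, 4636, 4800) because none of them runs from C:\Windows\System32.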
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 532KB
  MD5 b26c334286bb7c316a77323aa3d8fbdd
  SHA1 fc54644b72b1c5e76ed801441d29147d57111fcb
  SHA256 fb28755f0566e0994c7fd4a2a75628db8c4828ee7b296d8e13f6b333c1d417ef
  SHA512 c36213ae79c91271da2029b6646989ebc7e393748dce7fc4cb4f6394f4f520e730aea50a106985714521cd06b10308772008804a914aa76d8c28dac3322c0ec5
- Filesize 155KB
  MD5 426cb5d1c97040aff05bfdf344486cd6
  SHA1 2d2721a3f5dd6e86d96a354f008232a70139a696
  SHA256 f0542edef6d797a0d864528d6bd0b656a7f1d5c0d30b7a32c815f1c64a794a42
  SHA512 9b43fe0ba7a0f59cd87e5c78f5202f687f7beba8fc3fa2cea353e3be33ac27332de3a2fa5845a5d7a2f2106d73b0e6517636ffd6979388f1ef342c9b5d79721e
- Filesize 1.4MB
  MD5 25f62c02619174b35851b0e0455b3d94
  SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
- Filesize 48KB
  MD5 2db16226ec2af12bf1d73307b0c6d6dc
  SHA1 79b1ddaedb280f65fdb4fba0e570372183a6ae2d
  SHA256 bef0b8025c58ceaa79b4e1e9457a85c84611b71b67742340af3cb027375407bb
  SHA512 389ad50897145e18ba7339a3e83a3987161eda1989299ab55e7972ac3db8263004189aa6254cfc92b9e84f72e1f4924dd00fe6d3bc538a88a363c0aba0d58d44
- Filesize 256KB
  MD5 e98fb3b6872a17b901a6c40ac751972b
  SHA1 92acab6f08ce7f699910a244ab39c6d890992714
  SHA256 63bc1946b13fdd77739c7390c639a82d30162c0372a7549b91859e879af2c454
  SHA512 f97fde7e9a0a8abc9b9401691b4f9058d7e028699246e71b71daa279242d230ba424e1f8192bececaa243504fcdcfd101bbb1879a5bd8cb19d12675ac912c2c3
- Filesize 23.7MB
  MD5 8b32908ad1841c8f359a54c34a863777
  SHA1 21db6de76fa86fe3fa985350817e66d7f0fa0fab
  SHA256 a2fffe802e991eab399187f3355037ed21f94499cedc9373d3a9a894c14d9f8d
  SHA512 87d3a394a6d5e7caa9968d0c9c24643209d2debcf341113b0bd6dc845477d2edf801ea59187d463e39c39a9dcacbbcfd943b078269915bb1e4b4bd80ae62d38d
- \??\Volume{b97ebe19-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{59230c4f-33cf-46b4-a2c5-21992ec49362}_OnDiskSnapshotProp
  Filesize 6KB
  MD5 bc706babd76aea3f4cb89c9b5e55f2bd
  SHA1 60b483f24cb76a64c6f60ad7c4c99311407de369
  SHA256 18686a3144b2092388cb31e81ee7294d502b21c0d0df46f447e8ca7fd39f4aa0
  SHA512 9bc0ae6f949e780a4860ffb3953c5a060cae5ca1f398a4c92e711f89e1a4ca80215b3af2e00b9226d9c9b54bc57afe08e72401af41819a3a2286fdb128687343
- Filesize 21B
  MD5 9cceaa243c5d161e1ce41c7dad1903dd
  SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
  SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
  SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b