af815581f029893c1f65abcc8eed78f3242b9d01f75a4ad61cb2e0fc2b65f5c5

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Size

45KB
MD5

899c4174dbd82b7e72a00262a617cbc0
SHA1

2cdc4d66cb5140903945c87b3b885cdeea216e3b
SHA256

af815581f029893c1f65abcc8eed78f3242b9d01f75a4ad61cb2e0fc2b65f5c5
SHA512

5afd5cff8938bfc0ed3d349f64e322e984a229b61a4c5bde7ab0b17142c7fb7605becac1313b19b69fa42984c6944dc59687c5925cc5fb67480c77ba6caa88ff
SSDEEP

768:PmFQj8rM9whcqet8WfuzHVHFNNqDaG0XjqGoxhz/8szBnP7DFK+5nE4:FAwEmBGz1lNNqDaG0Poxhlzm4

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2420	xk.exe
772	IExplorer.exe
2696	WINLOGON.EXE
2356	CSRSS.EXE
2256	SERVICES.EXE
1812	LSASS.EXE
1660	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
2420	xk.exe
772	IExplorer.exe
2696	WINLOGON.EXE
2356	CSRSS.EXE
2256	SERVICES.EXE
1812	LSASS.EXE
1660	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2420	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2420	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2420	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2420	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 772	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	29
PID 1688 wrote to memory of 772	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	29
PID 1688 wrote to memory of 772	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	29
PID 1688 wrote to memory of 772	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	29
PID 1688 wrote to memory of 2696	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 2696	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 2696	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 2696	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	30
PID 1688 wrote to memory of 2356	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	31
PID 1688 wrote to memory of 2356	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	31
PID 1688 wrote to memory of 2356	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	31
PID 1688 wrote to memory of 2356	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	31
PID 1688 wrote to memory of 2256	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	32
PID 1688 wrote to memory of 2256	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	32
PID 1688 wrote to memory of 2256	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	32
PID 1688 wrote to memory of 2256	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	32
PID 1688 wrote to memory of 1812	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	33
PID 1688 wrote to memory of 1812	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	33
PID 1688 wrote to memory of 1812	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	33
PID 1688 wrote to memory of 1812	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	33
PID 1688 wrote to memory of 1660	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	34
PID 1688 wrote to memory of 1660	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	34
PID 1688 wrote to memory of 1660	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	34
PID 1688 wrote to memory of 1660	1688	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\899c4174dbd82b7e72a00262a617cbc0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1688
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2420
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:772
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2356
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2256
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1812
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
50e62d52987d31bf8b3191de35d1e190

SHA1
2b8f3cbed939cf54800b8c5533f4e9e89cd44c9f

SHA256
868fdbbfaf2ef807d500c6ac3c40e822866f64b22ce53f90042b75b17685e5b2

SHA512
e51be13b9f8387599305a37ca71ea3e6c73ca47514c6832efcbc6950c16fc7e7ca2019d8bf0b85689b0e283b6a6eb63788edb708cc5f563b3369bc2213aa79de

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
45KB

MD5
899c4174dbd82b7e72a00262a617cbc0

SHA1
2cdc4d66cb5140903945c87b3b885cdeea216e3b

SHA256
af815581f029893c1f65abcc8eed78f3242b9d01f75a4ad61cb2e0fc2b65f5c5

SHA512
5afd5cff8938bfc0ed3d349f64e322e984a229b61a4c5bde7ab0b17142c7fb7605becac1313b19b69fa42984c6944dc59687c5925cc5fb67480c77ba6caa88ff

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
e4d52e131df113471e9ebec0074eae35

SHA1
d6c87a025565e84302f92786a0ec988db141c313

SHA256
f1ace52dba0bd1ddd624c777ea2ac83d77d97b9b1cd4ecf5dc5c515dbe5ca07c

SHA512
48f67232124d6264a11b767a4563109a3342a03afa3bb2f38bb32fb41a75619d2ec07759d5f6e999193712b62002dd52442a42e855de32de81ab761b780273f9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
e6cc7c9b579afba8b5b9f7d5905e5645

SHA1
6807e2d53cf0e1f5dc630d8c41b59dfa2cfb2c8f

SHA256
93f174341e42b0a7541d027f9808574ab59c13f4a68f8a1ead2c0eee4a180289

SHA512
4d6beddef0a563ff53270b2aee15bf88ab15f0de59e8465f9f1c8e76a8aa576fa495bb9d4aa90e05c26bf2b594ad61f0e1d4eb27ab5b2083a633657e72535a74

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
780c6d5c100cf0d0e8397a8b37dc5ff2

SHA1
b45f332e3861f58b481e482a8209524d1790cd9e

SHA256
da9b5e8d20a46d75c4465fb3a9368f38eb917922c4761ffa8ec230642d0bc373

SHA512
077e8203de4b8368789ce69230e71df384fadfc21a738a5c07e79a16e84de6847e6154b9d81e8b1d7afddd0e58c1e750ca5832935e4275131ea0287f5f816366

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
db7c35366a34c9f483cec63caf4229d9

SHA1
141f524b438f74f9fa7a4c5ca04999c73ce07696

SHA256
e7f97436ba8f577c3c36fc8211c52da5756d381854eecb6b2cc3b05e0355891b

SHA512
7e5bfd5f83653fcc61498cda14e19d269473f0273928aae89cc9c4bce20f96da05b1713a7c14e4f013b224d4139fe7bd0e2e650536214e02695249adf79397b1

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
41f8b0d87940ffaadab2869896052970

SHA1
27ff8b9c7739ed6cd3ca6b82c972d68e6e97655e

SHA256
575c3b5ee128505fd62727176d68d1cfec0ccfb45e6992a0c89a660cb44f8481

SHA512
0aa9cd1fb9e2318551da64bd5f158420c6b060c2c8695c231ae448ad09f767701ef2f56eea121a618d7daa779840d5475a2554a757889d82a25d5ca2e54ff312

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
de965d39baccab044a2a5f91b9c35a6b

SHA1
76e721a24789603540db49f72b20038e0123433f

SHA256
48cd6777a56e578304ae36c25e61b3b1b5dd651356b729f0a72fa08dcfab5f4f

SHA512
4194af9e656e620effd2fdac250886649846df65bbea266d577a8d1398760bfdbf2475b187dc6e515d78eb3e5edc5417e298106d8395ee6723d339b1160f485b

Download Submit
memory/772-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1660-180-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1660-178-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1688-182-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1688-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1688-153-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1688-105-0x0000000000430000-0x000000000045E000-memory.dmp

Filesize
184KB

Download
memory/1812-168-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2256-154-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2256-158-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2356-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2420-114-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2696-134-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2696-135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download