Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/05/2024, 03:39
Behavioral task: behavioral1
Sample: 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Size: 91KB
MD5: 5d53a28bb3daf2eac3243d9b8bf62c00
SHA1: 6141c8ceab00d56d312101232c95e73e438d1612
SHA256: 7043d7fbb590e5ec27aa96924e458a0dfa8b7c65aac4c99aa4f176efa9164d44
SHA512: e575a6b4d34757c1d5e058a889d53bf0863d4e76503c73eeb66191d5ec2199f56dd2aca1eed35c948b24b208f8506c91e34311b5e6b8fc982d53c375cda19db2
SSDEEP: 1536:yOcjUpkWb2TTgKwuSOcjUpkWb2TTgKwuq:yOcjWJu7tSOcjWJu7tq
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | CSRSS.EXE
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SMSS.EXE
Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SMSS.EXE
Disables RegEdit via registry modification (16 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (56 IoCs)
pid | Process
2756 | 4k51k4.exe
2784 | IExplorer.exe
1800 | WINLOGON.EXE
1444 | CSRSS.EXE
2548 | SERVICES.EXE
612 | LSASS.EXE
1344 | SMSS.EXE
2008 | 4k51k4.exe
3064 | 4k51k4.exe
672 | IExplorer.exe
900 | 4k51k4.exe
1884 | 4k51k4.exe
2848 | IExplorer.exe
2584 | 4k51k4.exe
2380 | WINLOGON.EXE
2148 | 4k51k4.exe
1624 | IExplorer.exe
2684 | IExplorer.exe
2976 | CSRSS.EXE
2600 | IExplorer.exe
2708 | IExplorer.exe
2400 | WINLOGON.EXE
2492 | 4k51k4.exe
1844 | WINLOGON.EXE
2472 | WINLOGON.EXE
2716 | CSRSS.EXE
1924 | SERVICES.EXE
2888 | WINLOGON.EXE
1472 | CSRSS.EXE
1440 | WINLOGON.EXE
2628 | CSRSS.EXE
540 | SERVICES.EXE
2932 | LSASS.EXE
1648 | SMSS.EXE
2012 | SERVICES.EXE
2024 | CSRSS.EXE
1864 | SERVICES.EXE
1256 | IExplorer.exe
2008 | LSASS.EXE
2832 | CSRSS.EXE
948 | LSASS.EXE
428 | LSASS.EXE
1220 | SMSS.EXE
2064 | SMSS.EXE
756 | SMSS.EXE
1380 | WINLOGON.EXE
2056 | SERVICES.EXE
1672 | SERVICES.EXE
2020 | CSRSS.EXE
692 | LSASS.EXE
2584 | LSASS.EXE
2536 | SMSS.EXE
2420 | SMSS.EXE
2424 | SERVICES.EXE
2296 | LSASS.EXE
772 | SMSS.EXE
Loads dropped DLL (64 IoCs)
pid | Process
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2968 | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
2756 | 4k51k4.exe
2756 | 4k51k4.exe
2784 | IExplorer.exe
2784 | IExplorer.exe
1800 | WINLOGON.EXE
1800 | WINLOGON.EXE
1444 | CSRSS.EXE
1444 | CSRSS.EXE
2784 | IExplorer.exe
2784 | IExplorer.exe
612 | LSASS.EXE
612 | LSASS.EXE
2548 | SERVICES.EXE
2548 | SERVICES.EXE
2756 | 4k51k4.exe
2756 | 4k51k4.exe
2784 | IExplorer.exe
2784 | IExplorer.exe
2548 | SERVICES.EXE
2548 | SERVICES.EXE
1800 | WINLOGON.EXE
2756 | 4k51k4.exe
2756 | 4k51k4.exe
1444 | CSRSS.EXE
1444 | CSRSS.EXE
2784 | IExplorer.exe
2784 | IExplorer.exe
612 | LSASS.EXE
612 | LSASS.EXE
1800 | WINLOGON.EXE
1800 | WINLOGON.EXE
2756 | 4k51k4.exe
2756 | 4k51k4.exe
2548 | SERVICES.EXE
2548 | SERVICES.EXE
1344 | SMSS.EXE
2784 | IExplorer.exe
2784 | IExplorer.exe
612 | LSASS.EXE
612 | LSASS.EXE
2548 | SERVICES.EXE
1800 | WINLOGON.EXE
2784 | IExplorer.exe
2784 | IExplorer.exe
1800 | WINLOGON.EXE
1344 | SMSS.EXE
1444 | CSRSS.EXE
2756 | 4k51k4.exe
2756 | 4k51k4.exe
2548 | SERVICES.EXE
2548 | SERVICES.EXE
1800 | WINLOGON.EXE
Modifies system executable filetype association (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Adds Run key to start application (2 TTPs, 40 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SMSS.EXE
Drops desktop.ini file(s) 4 IoCs
- File opened for modification: C:\desktop.ini (IExplorer.exe)
- File created: C:\desktop.ini (IExplorer.exe)
- File opened for modification: F:\desktop.ini (IExplorer.exe)
- File created: F:\desktop.ini (IExplorer.exe)
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 48 IoCs
Drops file in Windows directory 30 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 32 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 1 IoCs
- PID 2968: 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
-
Suspicious behavior: GetForegroundWindowSpam 7 IoCs
- PID 2756: 4k51k4.exe
- PID 1444: CSRSS.EXE
- PID 1800: WINLOGON.EXE
- PID 2784: IExplorer.exe
- PID 612: LSASS.EXE
- PID 2548: SERVICES.EXE
- PID 1344: SMSS.EXE
-
Suspicious use of SetWindowsHookEx 56 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2968 -
    C:\Windows\4k51k4.exe  [level 2, PID 2756]
      Command line: C:\Windows\4k51k4.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Windows\4k51k4.exe  [level 3, PID 2008]
          Command line: C:\Windows\4k51k4.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\IExplorer.exe  [level 3, PID 672]
          Command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  [level 3, PID 2400]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  [level 3, PID 2716]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  [level 3, PID 540]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  [level 3, PID 2008]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  [level 3, PID 1220]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\IExplorer.exe  [level 2, PID 2784]
      Command line: C:\Windows\system32\IExplorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Windows\4k51k4.exe  [level 3, PID 3064]
          Command line: C:\Windows\4k51k4.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\IExplorer.exe  [level 3, PID 2848]
          Command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  [level 3, PID 2380]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  [level 3, PID 2976]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  [level 3, PID 1924]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  [level 3, PID 2932]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  [level 3, PID 1648]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  [level 2, PID 1800]
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Windows\4k51k4.exe  [level 3, PID 900]
          Command line: C:\Windows\4k51k4.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\IExplorer.exe  [level 3, PID 1624]
          Command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  [level 3, PID 2472]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  [level 3, PID 1472]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  [level 3, PID 1864]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  [level 3, PID 948]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  [level 3, PID 2064]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  [level 2, PID 1444]
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Windows\4k51k4.exe  [level 3, PID 1884]
          Command line: C:\Windows\4k51k4.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\IExplorer.exe  [level 3, PID 2600]
          Command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  [level 3, PID 2888]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  [level 3, PID 2832]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  [level 3, PID 1672]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  [level 3, PID 2584]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  [level 3, PID 2420]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  [level 2, PID 2548]
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Windows\4k51k4.exe  [level 3, PID 2584]
          Command line: C:\Windows\4k51k4.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\IExplorer.exe  [level 3, PID 2684]
          Command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  [level 3, PID 1844]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  [level 3, PID 2628]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  [level 3, PID 2012]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  [level 3, PID 428]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  [level 3, PID 756]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  [level 2, PID 612]
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Windows\4k51k4.exe  [level 3, PID 2148]
          Command line: C:\Windows\4k51k4.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\IExplorer.exe  [level 3, PID 2708]
          Command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  [level 3, PID 1440]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  [level 3, PID 2024]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  [level 3, PID 2056]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  [level 3, PID 692]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  [level 3, PID 2536]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  [level 2, PID 1344]
      Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - System policy modification
        C:\Windows\4k51k4.exe  [level 3, PID 2492]
          Command line: C:\Windows\4k51k4.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\IExplorer.exe  [level 3, PID 1256]
          Command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  [level 3, PID 1380]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  [level 3, PID 2020]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  [level 3, PID 2424]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  [level 3, PID 2296]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  [level 3, PID 772]
          Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
Downloads