Analysis
-
max time kernel
149s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
26/05/2024, 03:39
Behavioral task
behavioral1
Sample
5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe
-
Size
91KB
-
MD5
5d53a28bb3daf2eac3243d9b8bf62c00
-
SHA1
6141c8ceab00d56d312101232c95e73e438d1612
-
SHA256
7043d7fbb590e5ec27aa96924e458a0dfa8b7c65aac4c99aa4f176efa9164d44
-
SHA512
e575a6b4d34757c1d5e058a889d53bf0863d4e76503c73eeb66191d5ec2199f56dd2aca1eed35c948b24b208f8506c91e34311b5e6b8fc982d53c375cda19db2
-
SSDEEP
1536:yOcjUpkWb2TTgKwuSOcjUpkWb2TTgKwuq:yOcjWJu7tSOcjWJu7tq
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 16 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" SERVICES.EXE -
Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 4k51k4.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" CSRSS.EXE -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 4k51k4.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" CSRSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SERVICES.EXE -
Disables RegEdit via registry modification 16 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 4k51k4.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 56 IoCs
pid Process 3624 4k51k4.exe 2280 IExplorer.exe 1000 WINLOGON.EXE 4136 CSRSS.EXE 396 SERVICES.EXE 2420 LSASS.EXE 4508 SMSS.EXE 3160 4k51k4.exe 832 IExplorer.exe 1360 4k51k4.exe 4180 IExplorer.exe 4160 WINLOGON.EXE 4164 WINLOGON.EXE 4628 CSRSS.EXE 876 CSRSS.EXE 1316 SERVICES.EXE 4468 SERVICES.EXE 3648 LSASS.EXE 4196 4k51k4.exe 1948 LSASS.EXE 4924 SMSS.EXE 4860 IExplorer.exe 3564 4k51k4.exe 4996 SMSS.EXE 4284 WINLOGON.EXE 4384 IExplorer.exe 4556 CSRSS.EXE 3956 WINLOGON.EXE 1832 SERVICES.EXE 1268 CSRSS.EXE 2928 LSASS.EXE 1544 SERVICES.EXE 720 SMSS.EXE 2468 4k51k4.exe 3716 4k51k4.exe 836 LSASS.EXE 4476 IExplorer.exe 1236 IExplorer.exe 3888 SMSS.EXE 4980 WINLOGON.EXE 1264 WINLOGON.EXE 2532 CSRSS.EXE 1836 CSRSS.EXE 3220 SERVICES.EXE 1464 SERVICES.EXE 4336 LSASS.EXE 4704 LSASS.EXE 4708 4k51k4.exe 3044 IExplorer.exe 1272 SMSS.EXE 3316 SMSS.EXE 2636 WINLOGON.EXE 1672 CSRSS.EXE 3780 SERVICES.EXE 1436 LSASS.EXE 1636 SMSS.EXE -
Loads dropped DLL 7 IoCs
pid Process 3160 4k51k4.exe 1360 4k51k4.exe 4196 4k51k4.exe 3564 4k51k4.exe 3716 4k51k4.exe 2468 4k51k4.exe 4708 4k51k4.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE -
resource yara_rule behavioral2/memory/3228-0-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/files/0x0007000000023435-8.dat upx behavioral2/files/0x0007000000023439-110.dat upx behavioral2/files/0x000700000002343d-115.dat upx behavioral2/files/0x000700000002343f-122.dat upx behavioral2/files/0x0007000000023440-127.dat upx behavioral2/memory/4136-129-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/files/0x0007000000023441-133.dat upx behavioral2/files/0x0007000000023442-138.dat upx behavioral2/files/0x0007000000023443-143.dat upx behavioral2/memory/3228-148-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3160-189-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/1360-204-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/832-203-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/1360-211-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/832-213-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3624-225-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4160-231-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4180-229-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/2280-236-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/1000-239-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4136-241-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4164-235-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/876-263-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4628-265-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/396-261-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/files/0x000700000002343b-269.dat upx behavioral2/files/0x000700000002343e-282.dat upx behavioral2/files/0x000700000002343b-286.dat upx behavioral2/memory/2420-296-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/files/0x000700000002343a-293.dat upx behavioral2/files/0x000700000002343c-292.dat upx behavioral2/files/0x000700000002343e-274.dat upx behavioral2/files/0x000700000002343c-272.dat upx behavioral2/files/0x000700000002343a-268.dat upx behavioral2/memory/4468-308-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3648-310-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4508-305-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/1316-303-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/1948-314-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/1948-323-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4924-326-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4196-324-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3564-341-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4996-367-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3564-364-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4284-370-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4860-362-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4384-379-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3956-384-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4556-388-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3956-390-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/1832-396-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/2928-400-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/2928-404-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/720-415-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/836-425-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/2468-428-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3716-429-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/1236-438-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4476-437-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/3888-441-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/4980-447-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral2/memory/1264-448-0x0000000000400000-0x0000000000423000-memory.dmp upx -
Adds Run key to start application 2 TTPs 40 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" SERVICES.EXE -
Drops desktop.ini file(s) 4 IoCs
description ioc Process File created F:\desktop.ini IExplorer.exe File opened for modification C:\desktop.ini IExplorer.exe File created C:\desktop.ini IExplorer.exe File opened for modification F:\desktop.ini IExplorer.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: 4k51k4.exe File opened (read-only) \??\N: CSRSS.EXE File opened (read-only) \??\H: LSASS.EXE File opened (read-only) \??\X: IExplorer.exe File opened (read-only) \??\P: 4k51k4.exe File opened (read-only) \??\O: CSRSS.EXE File opened (read-only) \??\W: LSASS.EXE File opened (read-only) \??\M: LSASS.EXE File opened (read-only) \??\B: SMSS.EXE File opened (read-only) \??\I: LSASS.EXE File opened (read-only) \??\S: LSASS.EXE File opened (read-only) \??\E: SMSS.EXE File opened (read-only) \??\U: 4k51k4.exe File opened (read-only) \??\W: 4k51k4.exe File opened (read-only) \??\Y: WINLOGON.EXE File opened (read-only) \??\P: SERVICES.EXE File opened (read-only) \??\L: LSASS.EXE File opened (read-only) \??\G: WINLOGON.EXE File opened (read-only) \??\K: SERVICES.EXE File opened (read-only) \??\V: SERVICES.EXE File opened (read-only) \??\O: SMSS.EXE File opened (read-only) \??\E: CSRSS.EXE File opened (read-only) \??\H: SERVICES.EXE File opened (read-only) \??\Z: SERVICES.EXE File opened (read-only) \??\Z: LSASS.EXE File opened (read-only) \??\E: SERVICES.EXE File opened (read-only) \??\W: SERVICES.EXE File opened (read-only) \??\W: IExplorer.exe File opened (read-only) \??\N: WINLOGON.EXE File opened (read-only) \??\T: LSASS.EXE File opened (read-only) \??\Y: LSASS.EXE File opened (read-only) \??\N: SMSS.EXE File opened (read-only) \??\Y: SMSS.EXE File opened (read-only) \??\R: IExplorer.exe File opened (read-only) \??\S: WINLOGON.EXE File opened (read-only) \??\V: CSRSS.EXE File opened (read-only) \??\Y: SERVICES.EXE File opened (read-only) \??\G: SMSS.EXE File opened (read-only) \??\I: SERVICES.EXE File opened (read-only) \??\J: IExplorer.exe File opened (read-only) \??\B: WINLOGON.EXE File opened (read-only) \??\X: WINLOGON.EXE File opened (read-only) \??\G: CSRSS.EXE File opened (read-only) \??\I: CSRSS.EXE File opened (read-only) \??\P: CSRSS.EXE File opened (read-only) \??\Q: CSRSS.EXE File opened (read-only) \??\X: SERVICES.EXE File opened (read-only) \??\J: CSRSS.EXE File opened (read-only) \??\U: CSRSS.EXE File opened (read-only) \??\M: SERVICES.EXE File opened (read-only) \??\R: LSASS.EXE File opened (read-only) \??\E: 4k51k4.exe File opened (read-only) \??\B: SERVICES.EXE File opened (read-only) \??\W: SMSS.EXE File opened (read-only) \??\Y: 4k51k4.exe File opened (read-only) \??\H: CSRSS.EXE File opened (read-only) \??\X: CSRSS.EXE File opened (read-only) \??\T: IExplorer.exe File opened (read-only) \??\Z: WINLOGON.EXE File opened (read-only) \??\K: CSRSS.EXE File opened (read-only) \??\L: CSRSS.EXE File opened (read-only) \??\E: LSASS.EXE File opened (read-only) \??\I: 4k51k4.exe File opened (read-only) \??\T: 4k51k4.exe -
Drops file in System32 directory 50 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\MrHelloween.scr WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\shell.exe LSASS.EXE File created C:\Windows\SysWOW64\shell.exe 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr CSRSS.EXE File created C:\Windows\SysWOW64\IExplorer.exe CSRSS.EXE File created C:\Windows\SysWOW64\IExplorer.exe SMSS.EXE File opened for modification C:\Windows\SysWOW64\IExplorer.exe CSRSS.EXE File created C:\Windows\SysWOW64\MrHelloween.scr 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\shell.exe SMSS.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr 4k51k4.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe WINLOGON.EXE File created C:\Windows\SysWOW64\IExplorer.exe LSASS.EXE File opened for modification C:\Windows\SysWOW64\shell.exe CSRSS.EXE File opened for modification C:\Windows\SysWOW64\shell.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\shell.exe WINLOGON.EXE File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe 4k51k4.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr SERVICES.EXE File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe 4k51k4.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe SMSS.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr SMSS.EXE File opened for modification C:\Windows\SysWOW64\IExplorer.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\IExplorer.exe LSASS.EXE File created C:\Windows\SysWOW64\IExplorer.exe 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe 4k51k4.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr LSASS.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe -
Drops file in Windows directory 32 IoCs
description ioc Process File created C:\Windows\4k51k4.exe LSASS.EXE File created C:\Windows\4k51k4.exe SMSS.EXE File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\4k51k4.exe 4k51k4.exe File opened for modification C:\Windows\4k51k4.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\4k51k4.exe SERVICES.EXE File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe File created C:\Windows\4k51k4.exe WINLOGON.EXE File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe 4k51k4.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe WINLOGON.EXE File opened for modification C:\Windows\4k51k4.exe LSASS.EXE File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\4k51k4.exe CSRSS.EXE File opened for modification C:\Windows\4k51k4.exe SERVICES.EXE File opened for modification C:\Windows\4k51k4.exe SMSS.EXE File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\4k51k4.exe IExplorer.exe File opened for modification C:\Windows\4k51k4.exe CSRSS.EXE File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\4k51k4.exe 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe -
Modifies Control Panel 32 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" CSRSS.EXE Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 4k51k4.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" LSASS.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe -
Suspicious behavior: GetForegroundWindowSpam 7 IoCs
pid Process 3624 4k51k4.exe 4136 CSRSS.EXE 1000 WINLOGON.EXE 2280 IExplorer.exe 396 SERVICES.EXE 2420 LSASS.EXE 4508 SMSS.EXE -
Suspicious use of SetWindowsHookEx 57 IoCs
pid Process 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 3624 4k51k4.exe 2280 IExplorer.exe 1000 WINLOGON.EXE 4136 CSRSS.EXE 396 SERVICES.EXE 2420 LSASS.EXE 4508 SMSS.EXE 3160 4k51k4.exe 832 IExplorer.exe 1360 4k51k4.exe 4180 IExplorer.exe 4160 WINLOGON.EXE 4164 WINLOGON.EXE 876 CSRSS.EXE 4628 CSRSS.EXE 1316 SERVICES.EXE 4468 SERVICES.EXE 3648 LSASS.EXE 1948 LSASS.EXE 4196 4k51k4.exe 4924 SMSS.EXE 4860 IExplorer.exe 4996 SMSS.EXE 3564 4k51k4.exe 4284 WINLOGON.EXE 4384 IExplorer.exe 4556 CSRSS.EXE 3956 WINLOGON.EXE 1832 SERVICES.EXE 1268 CSRSS.EXE 2928 LSASS.EXE 1544 SERVICES.EXE 720 SMSS.EXE 2468 4k51k4.exe 3716 4k51k4.exe 836 LSASS.EXE 4476 IExplorer.exe 1236 IExplorer.exe 3888 SMSS.EXE 4980 WINLOGON.EXE 1264 WINLOGON.EXE 2532 CSRSS.EXE 1836 CSRSS.EXE 3220 SERVICES.EXE 1464 SERVICES.EXE 4704 LSASS.EXE 4336 LSASS.EXE 4708 4k51k4.exe 3044 IExplorer.exe 3316 SMSS.EXE 1272 SMSS.EXE 2636 WINLOGON.EXE 1672 CSRSS.EXE 3780 SERVICES.EXE 1436 LSASS.EXE 1636 SMSS.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3228 wrote to memory of 3624 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 82 PID 3228 wrote to memory of 3624 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 82 PID 3228 wrote to memory of 3624 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 82 PID 3228 wrote to memory of 2280 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 83 PID 3228 wrote to memory of 2280 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 83 PID 3228 wrote to memory of 2280 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 83 PID 3228 wrote to memory of 1000 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 84 PID 3228 wrote to memory of 1000 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 84 PID 3228 wrote to memory of 1000 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 84 PID 3228 wrote to memory of 4136 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 86 PID 3228 wrote to memory of 4136 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 86 PID 3228 wrote to memory of 4136 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 86 PID 3228 wrote to memory of 396 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 87 PID 3228 wrote to memory of 396 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 87 PID 3228 wrote to memory of 396 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 87 PID 3228 wrote to memory of 2420 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 88 PID 3228 wrote to memory of 2420 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 88 PID 3228 wrote to memory of 2420 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 88 PID 3228 wrote to memory of 4508 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 90 PID 3228 wrote to memory of 4508 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 90 PID 3228 wrote to memory of 4508 3228 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe 90 PID 3624 wrote to memory of 3160 3624 4k51k4.exe 93 PID 3624 wrote to memory of 3160 3624 4k51k4.exe 93 PID 3624 wrote to memory of 3160 3624 4k51k4.exe 93 PID 3624 wrote to memory of 832 3624 4k51k4.exe 94 PID 3624 wrote to memory of 832 3624 4k51k4.exe 94 PID 3624 wrote to memory of 832 3624 4k51k4.exe 94 PID 2280 wrote to memory of 1360 2280 IExplorer.exe 95 PID 2280 wrote to memory of 1360 2280 IExplorer.exe 95 PID 2280 wrote to memory of 1360 2280 IExplorer.exe 95 PID 2280 wrote to memory of 4180 2280 IExplorer.exe 96 PID 2280 wrote to memory of 4180 2280 IExplorer.exe 96 PID 2280 wrote to memory of 4180 2280 IExplorer.exe 96 PID 3624 wrote to memory of 4160 3624 4k51k4.exe 97 PID 3624 wrote to memory of 4160 3624 4k51k4.exe 97 PID 3624 wrote to memory of 4160 3624 4k51k4.exe 97 PID 2280 wrote to memory of 4164 2280 IExplorer.exe 98 PID 2280 wrote to memory of 4164 2280 IExplorer.exe 98 PID 2280 wrote to memory of 4164 2280 IExplorer.exe 98 PID 3624 wrote to memory of 4628 3624 4k51k4.exe 99 PID 3624 wrote to memory of 4628 3624 4k51k4.exe 99 PID 3624 wrote to memory of 4628 3624 4k51k4.exe 99 PID 2280 wrote to memory of 876 2280 IExplorer.exe 100 PID 2280 wrote to memory of 876 2280 IExplorer.exe 100 PID 2280 wrote to memory of 876 2280 IExplorer.exe 100 PID 2280 wrote to memory of 1316 2280 IExplorer.exe 101 PID 2280 wrote to memory of 1316 2280 IExplorer.exe 101 PID 2280 wrote to memory of 1316 2280 IExplorer.exe 101 PID 3624 wrote to memory of 4468 3624 4k51k4.exe 102 PID 3624 wrote to memory of 4468 3624 4k51k4.exe 102 PID 3624 wrote to memory of 4468 3624 4k51k4.exe 102 PID 2280 wrote to memory of 3648 2280 IExplorer.exe 104 PID 2280 wrote to memory of 3648 2280 IExplorer.exe 104 PID 2280 wrote to memory of 3648 2280 IExplorer.exe 104 PID 1000 wrote to memory of 4196 1000 WINLOGON.EXE 105 PID 1000 wrote to memory of 4196 1000 WINLOGON.EXE 105 PID 1000 wrote to memory of 4196 1000 WINLOGON.EXE 105 PID 3624 wrote to memory of 1948 3624 4k51k4.exe 106 PID 3624 wrote to memory of 1948 3624 4k51k4.exe 106 PID 3624 wrote to memory of 1948 3624 4k51k4.exe 106 PID 2280 wrote to memory of 4924 2280 IExplorer.exe 107 PID 2280 wrote to memory of 4924 2280 IExplorer.exe 107 PID 2280 wrote to memory of 4924 2280 IExplorer.exe 107 PID 1000 wrote to memory of 4860 1000 WINLOGON.EXE 108 -
System policy modification 1 TTPs 40 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" 5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" SMSS.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\5d53a28bb3daf2eac3243d9b8bf62c00_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3228 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3624 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3160
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:832
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4160
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4628
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4468
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1948
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4996
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2280 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1360
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4180
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4164
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:876
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1316
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3648
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4924
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1000 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4196
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4860
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4284
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4556
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1832
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2928
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:720
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4136 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3564
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4384
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3956
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1268
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1544
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:836
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3888
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:396 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2468
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4476
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1264
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1836
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4704
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3316
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2420 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3716
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1236
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4980
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2532
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3220
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4336
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1272
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4508 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4708
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3044
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2636
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1672
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3780
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1436
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
91KB
MD5ee6a9fa20d6cae8d3dc86f5998057f66
SHA14593272829a104705dc3f5d37edcdebeabcfa62c
SHA256166d2ac4a0f27ffd01d31c5f2ece6d155f0a3a4c7c36223d1fb6c3abfc871ae0
SHA51216d11c3e0466c5d3c677863de7099e436af46a6379845acede65aff4ccc3d94f9af056838da0e9d3fda483d5bfd77be1585888c80588c180a409effd85fe724d
-
Filesize
91KB
MD59a3aff244d5e3828aee4d64ee18d9fb3
SHA15a5a0a6c30abb4f5ac41d6104584ef252a390013
SHA256f70c6d6a6b9168f7872cf7430fe4ba23e9bec4cebb7b95e750835614805abf40
SHA5122719d23e524770c6abdcd5de986df1b9d100f05551954b96a8ce07cc6d42fff229b01fb83443232fc23e36babe732dab9dd937754b9e1aa736b4afa462d77d70
-
Filesize
442B
MD5001424d7974b9a3995af292f6fcfe171
SHA1f8201d49d594d712c8450679c856c2e8307d2337
SHA256660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d
SHA51266ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657
-
Filesize
91KB
MD5871be703aca346d79dd82003515a529d
SHA1e69da354bfd0803bd5598f8c6031386ff7fe2d25
SHA256ea7e7b7c6cad7cf42c5ab07e9caf6eace00ece0316f0f235b6e8799d6b8fb304
SHA512b45ded96f103b2a3ce7afab8ecdc79736baa61806139a42f2951b209de85d5985897ef0868e875d582ce3b6782299b8834d060c7e30d39d5bf98f0bafbfbd68f
-
Filesize
91KB
MD574e473ca0a41a34d4201e223af31bca4
SHA16510311ed895c32e0ab3ee505f0b673d100747b4
SHA256329d467cf944105db4328fc12a7a22adf48cfbd217e976e2e0372024a1668849
SHA512a046d1941ca29de11940c9fbb8695ab71e3ce36fba65729fa8456e2c780d01bdf304f16a23a4844e5b050d95f55d8a940827473b91084ce8112ae3bb5433d54f
-
Filesize
91KB
MD5b605b1df3d682e2d569f700073f164b9
SHA10b1aa9ba58a4dc03581dcfe005f7b5f978b7e67f
SHA25661e2e92cf9ecfdd8ab6cd0e16025ca009e39ca9c4c4af2dd7e8499c5efcf9cfc
SHA5124149ed44ee4dc72718a0602aabb9775b4d8cc78c46ded9ebef0772bfc545ba0c9aa1d2e5a36cf66e1a8a94ef19453039eceda10739f72d90bf6b2165c21ac151
-
Filesize
91KB
MD572dcd32c5e60b36512fe7bf71ef428b0
SHA114dccb1f4d37a54e1bc4cf385b169f9042e2659f
SHA256dda66a43b6e86903bff35e02875d5edabc688e5fe3386d8011e2ab812ea61a03
SHA5122a3a18cda35ee513f5a2fc85f85455708147a71425ee7a9b93f228585093c306692d53dda026e75bfeb9f7b0c7a41e777ab18e344094dee7235c5aa417ea77f7
-
Filesize
91KB
MD504ec7cf90223414e92bfd6537a86beeb
SHA134c3d1c6f2e95024bdc4713c6ef2bb0326f9acb4
SHA2562a45e6c0d9ef8f4fd2b17d46cc415bdebe6d835717eab296b191f98f4354f687
SHA5122aff2cc959c2bdb1cbb6a0bf14bb6fc28b0ac63a58cee6ac166a3d23bc36b1f1a9f7f93ac02945c99852b9dfd212b3e32a7d0fa5143d98998d2f557e86994a22
-
Filesize
91KB
MD55d53a28bb3daf2eac3243d9b8bf62c00
SHA16141c8ceab00d56d312101232c95e73e438d1612
SHA2567043d7fbb590e5ec27aa96924e458a0dfa8b7c65aac4c99aa4f176efa9164d44
SHA512e575a6b4d34757c1d5e058a889d53bf0863d4e76503c73eeb66191d5ec2199f56dd2aca1eed35c948b24b208f8506c91e34311b5e6b8fc982d53c375cda19db2
-
Filesize
91KB
MD54c2958054d5c23e603e1621be8b2457c
SHA16f0810a815d207c98a66249754e38f82b89f6a2b
SHA25619a4b6789165a62d2d52af5a5c8b317dce51a8d4866a164b3be3ced381f98b90
SHA51208376acad7129dcd461128a77e141aaf5693a017ec1a4e2280944aa23ba9ff8376c9a72134baf1719c3e3badcfd480d3b9edd98fd5d90cd6a096a40adb55113e
-
Filesize
91KB
MD53d1a186bb8e9f17300df9ecb04e1617f
SHA14b3848f3cf43d80f468e7e15b4ec7cba4529d0dc
SHA256d7b6bfd2aeba125441dde40b13ffe95fac0c9c17fd3443036d5d1041ecb5f230
SHA51296951946e57fbfe45470f6c1709e1ec4c1fc9b61997225aa2fdb8149aa64f64515217814fef121136b10804f32a84c209da7cd2607d1e550c1e860f6243c52ec
-
Filesize
91KB
MD57190b38b2940345ace84e2c3356b8d14
SHA1e26c5c3b2a7f5500093735007cf85193c29a4f70
SHA256be5faaafb0bc258d13ec49320f2b60532e129b534e08ef506826c57a678b5d8e
SHA5123ee61933845aaf9fe59952cc897d4947edb7b7a79c9713c0ce26cfdaec4f6293eaf6cb739cf3f9e7505cac17ad8feb65a578d0b12a1195c3627bfe3efd248332
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
91KB
MD508ff110ff32f6817ae2b1980bd8a6059
SHA1b8321f5602f4ab0247a58b05058e4023e69ffbda
SHA256ae240ab44ec8650d9f0efb236210cf66f7b576584fdaf58c5d490fdf8304625c
SHA5128283c5c6ef045b65bf1603ccf4063e0a396be6e792fbb5e5354a5e722b3377b73a38a9a7e93f26c05b995dc3550f97be23453027fc788734e43aa3bb8e074971
-
Filesize
91KB
MD544420f206c3da33898d8476fd9ce24a5
SHA19eff89b58ac646c70e74123d035620720fc36a8c
SHA256313d6a61b173fa211bf5e9ac44a6c801117ca2abb93cc5dedac0ca2b5193122d
SHA512696879a8e0084094f3eed65f1bfe5d6bcc7686ef3bb3d0524cc4d33392b8b1531b69ba0c8f20071a797f2dc8a977d0c60d977de3542ea5ef2108640381af7ad8
-
Filesize
91KB
MD58b74c71f06b8c10a43df5f338beb3852
SHA14f04c9712abdd68089f7e04cec96bf4992f05032
SHA256b04b5c519245d38bad0403471127fa45972f25047c5a087042df55e1bc8ecd23
SHA5128d5d9b11eeb217ead6090354c920d28f4201504876d133e620b14f4a01db216483f7a7b3fae6bce0811f63904ec56aab654f3b46ced721d6d2d1d2ecd36a2acb
-
Filesize
91KB
MD599bfe8511257d272b35e1ea8615cd578
SHA19db7daeaccc8c1d740c1e2d9768956d7384731cf
SHA2563472bfa0cbe00741010d61ce077ecf63a4a7e5455375fd9817fa1ac9f3ccc94f
SHA5121f006dc41bc3aef461b4d26614451e5351581900c6b73ba460c84f015ac8616d595262c3521174bc96d9290e8d87c17a07415479fefd25dccf686726f4302f30
-
Filesize
91KB
MD5cf60e2f9cebc828575125c68ddbd106a
SHA1506380afc378b29aced025d05abecadacd9351fd
SHA25678118668735635081af03a88d32a19c9722af1fc69654ff69a259fb33075cef7
SHA512bb5b13f6faa5a84840a164ac6eee8d9fca8ccf80e1754dca648214fe8eab16d190f146dc0d4b18a71060037a9429ecb0b3586b304bcfb727c8ca2986b4cd714a