c2b81bf162cb3984c81a0dd1ac0da57db585193bf0462e4482b29832cd0a7c36

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Size

91KB
MD5

0866a23e91b1d04e2eeeb277fc6933b0
SHA1

ba716fb175f12fa39b49b6e556b4a5a50539e9c4
SHA256

c2b81bf162cb3984c81a0dd1ac0da57db585193bf0462e4482b29832cd0a7c36
SHA512

8a1435c780d63fabf1d8fb920f9017c7ec51b4d82fe6676eb203b8449b08b18fcb66dd03a19cd81b0eb6f40b3b32bfffb7a0495b81cbc3335629a2e4ee83931c
SSDEEP

1536:jRsjdEIUFC2p79OCnouy8VDjRsjdEIUFC2p79OCnouy8VDV:jOm9CshoutdjOm9CshoutdV

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2448	xk.exe
2716	IExplorer.exe
1568	WINLOGON.EXE
2156	CSRSS.EXE
2152	SERVICES.EXE
2128	LSASS.EXE
2768	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1620-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000014251-8.dat	upx
behavioral1/files/0x00080000000143fb-108.dat	upx
behavioral1/memory/2448-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000014c2d-116.dat	upx
behavioral1/memory/2448-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1620-117-0x0000000001F00000-0x0000000001F2F000-memory.dmp	upx
behavioral1/memory/2716-124-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2716-127-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001507a-128.dat	upx
behavioral1/memory/1568-137-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1568-138-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015083-139.dat	upx
behavioral1/memory/2156-147-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1620-146-0x0000000001F00000-0x0000000001F2F000-memory.dmp	upx
behavioral1/memory/2156-150-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000150d9-151.dat	upx
behavioral1/memory/2152-161-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2152-164-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000153ee-165.dat	upx
behavioral1/memory/1620-171-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2128-175-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001565a-176.dat	upx
behavioral1/memory/2768-187-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1620-186-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
2448	xk.exe
2716	IExplorer.exe
1568	WINLOGON.EXE
2156	CSRSS.EXE
2152	SERVICES.EXE
2128	LSASS.EXE
2768	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2448	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 2448	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 2448	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 2448	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	28
PID 1620 wrote to memory of 2716	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	29
PID 1620 wrote to memory of 2716	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	29
PID 1620 wrote to memory of 2716	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	29
PID 1620 wrote to memory of 2716	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	29
PID 1620 wrote to memory of 1568	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	30
PID 1620 wrote to memory of 1568	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	30
PID 1620 wrote to memory of 1568	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	30
PID 1620 wrote to memory of 1568	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	30
PID 1620 wrote to memory of 2156	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	31
PID 1620 wrote to memory of 2156	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	31
PID 1620 wrote to memory of 2156	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	31
PID 1620 wrote to memory of 2156	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	31
PID 1620 wrote to memory of 2152	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	32
PID 1620 wrote to memory of 2152	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	32
PID 1620 wrote to memory of 2152	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	32
PID 1620 wrote to memory of 2152	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	32
PID 1620 wrote to memory of 2128	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	33
PID 1620 wrote to memory of 2128	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	33
PID 1620 wrote to memory of 2128	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	33
PID 1620 wrote to memory of 2128	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	33
PID 1620 wrote to memory of 2768	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	34
PID 1620 wrote to memory of 2768	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	34
PID 1620 wrote to memory of 2768	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	34
PID 1620 wrote to memory of 2768	1620	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0866a23e91b1d04e2eeeb277fc6933b0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1620
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2716
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1568
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2156
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2152
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2128
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
0866a23e91b1d04e2eeeb277fc6933b0

SHA1
ba716fb175f12fa39b49b6e556b4a5a50539e9c4

SHA256
c2b81bf162cb3984c81a0dd1ac0da57db585193bf0462e4482b29832cd0a7c36

SHA512
8a1435c780d63fabf1d8fb920f9017c7ec51b4d82fe6676eb203b8449b08b18fcb66dd03a19cd81b0eb6f40b3b32bfffb7a0495b81cbc3335629a2e4ee83931c

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
e725283af656d024e86dddc41ac7a32d

SHA1
a48f08a8326aa0d38e5d403a07535f3c652c2fab

SHA256
2751e3a651b8f4ed7e1abe2be1b80738ec149cacc93682c6aabeb67a84e5c3f0

SHA512
4a0942f34ae6f53c3dfbab7429edb5124e5f49e7d72eab65266be9f2ae0ccde7520c76afe8ef6bbc1e008f22a9ac1d1101f354e01c9eecc2eaa2450e7c899a85

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
c06b8d78cba5c8fbcb04a4c755f00552

SHA1
f934b6a28fee100516bcd525ee98ed6fcaa8a066

SHA256
a8569616b65ad5859de4f1e0b6d16208bcd7665f73c233f933b92913d238cff5

SHA512
572c949df5e6df52a11c79c00b3d3efa89e72ea02f542542842cf0a2061860eff354789f74799175251238d49e394544cf7e3d18f74a735d1276435a543c875a

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
f2bceea20f043f83d3391d17b49d60a8

SHA1
53169e0f130873c55918d9df4f1dde31ea5baea9

SHA256
b6c6fc1efd362199c8e3cf11fcec50aae29fbeaf94e4cc7aafcec1989ee64493

SHA512
b26fd9a669c302d24f548ff4344434a36edd95a2a965c37a853d5f524a80039d99646d50e6827e94ac0a45549fd7e4f864fc77ee3d9d1c444a846524cceb7fc5

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
afbcab98a45da146dd9c8dac5756c21a

SHA1
a5eb7ca812b1ff5a8754cd689952c074bb0d4040

SHA256
5fb1425010a8901634baca3d0d0ef664c1fef804e907a66df8868fc645a8ed46

SHA512
bfcc87b7de26073147f6d7bcf6d97ebb897c61f1604bb164f195be529afa49f7617f210db24ed33092b5427797550b4268719b02e8d8a8a399f0783f03dccd03

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
65de7a23fef5f460507a392b97636988

SHA1
60d02a8669639adca1ceaba2c8afc10ed91fbefc

SHA256
9049a93332a752baa63c9a2555d4c49becd00c1ab08ee76a93459d7a9732f80b

SHA512
2dcd40d6b45ee3d7c7d7ceebb5919c6ca456d04c9e9e89c5fd21368212491a17e8033100d84eb72c7920c15853a73bbb4870f4719e76db541425d29e51c70575

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
34eedb2c8dd13cfe0f126cc4d9c7a0ac

SHA1
b5439391b846a7a71a43d85cc8822e8017a71a73

SHA256
529f72da796d885cee01dea2b792f1cae39a70f81398cceb7ed383c6a56f2318

SHA512
f508d136935c82701030f4019fa8b76ddfcc0578767138e8bb91f4bf7364769a4254dfae643b5112e9f291c666a6512c335db4a88bac9fdfca962e8ffb0c38cd

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
7b0071444640a0644571c3fa77aa88c1

SHA1
22e9f023a0a00f3dd395932dba12526f40cf5c3e

SHA256
43a715d8ab1cd12abc662257a75344812b43a1ace28835aec9cee2622659b349

SHA512
1760f7cc605f8844c0e1c26ca5a7bb67100abc9a0b5254daaefa207952e8feccdefe6d094a5dadf61b59688050b26ceb9ff5a21e7c2e1f0eba97d65355e80fc3

Download Submit
memory/1568-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-158-0x0000000001F00000-0x0000000001F2F000-memory.dmp

Filesize
188KB

Download
memory/1620-159-0x0000000001F00000-0x0000000001F2F000-memory.dmp

Filesize
188KB

Download
memory/1620-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-117-0x0000000001F00000-0x0000000001F2F000-memory.dmp

Filesize
188KB

Download
memory/1620-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-146-0x0000000001F00000-0x0000000001F2F000-memory.dmp

Filesize
188KB

Download
memory/1620-110-0x0000000001F00000-0x0000000001F2F000-memory.dmp

Filesize
188KB

Download
memory/1620-109-0x0000000001F00000-0x0000000001F2F000-memory.dmp

Filesize
188KB

Download
memory/1620-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download