baeb79c0e0111a0ea27f4dfe6e387ef4e5816d14c6f30cded0b027d7504bcc48

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 03:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Size

91KB
MD5

8c60f460950b78393884830f30990350
SHA1

fb34db6b9fcf426c49bc3e4abbd699a161f00632
SHA256

baeb79c0e0111a0ea27f4dfe6e387ef4e5816d14c6f30cded0b027d7504bcc48
SHA512

ea935bb7383d430ecdaff3383c41c3b2c11e57808b745477978fdec211cfc3e31f2672d2dd5b384850ab4c499643caf8633fb7be59d96f4963e65d2efa03c097
SSDEEP

1536:kRsjd3GR2Dxy387Lnouy8VT/Rsjd3GR2Dxy387Lnouy8VTb:kOgUXoutN/OgUXoutNb

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2384	xk.exe
2732	IExplorer.exe
2760	WINLOGON.EXE
1560	CSRSS.EXE
2280	SERVICES.EXE
1408	LSASS.EXE
2876	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2868-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000015662-8.dat	upx
behavioral1/memory/2868-105-0x00000000024C0000-0x00000000024EF000-memory.dmp	upx
behavioral1/files/0x000a000000015b50-109.dat	upx
behavioral1/memory/2384-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2384-114-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015f23-115.dat	upx
behavioral1/memory/2732-122-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2732-125-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016013-126.dat	upx
behavioral1/memory/2760-136-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016122-137.dat	upx
behavioral1/memory/1560-146-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000161ee-147.dat	upx
behavioral1/memory/2280-154-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2280-164-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000163eb-166.dat	upx
behavioral1/memory/2868-167-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1408-171-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000164ec-172.dat	upx
behavioral1/memory/2876-180-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2876-183-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2868-184-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
2384	xk.exe
2732	IExplorer.exe
2760	WINLOGON.EXE
1560	CSRSS.EXE
2280	SERVICES.EXE
1408	LSASS.EXE
2876	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2384	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2384	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2384	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2384	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2732	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 2732	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 2732	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 2732	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	29
PID 2868 wrote to memory of 2760	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	30
PID 2868 wrote to memory of 2760	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	30
PID 2868 wrote to memory of 2760	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	30
PID 2868 wrote to memory of 2760	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	30
PID 2868 wrote to memory of 1560	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	31
PID 2868 wrote to memory of 1560	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	31
PID 2868 wrote to memory of 1560	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	31
PID 2868 wrote to memory of 1560	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	31
PID 2868 wrote to memory of 2280	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	32
PID 2868 wrote to memory of 2280	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	32
PID 2868 wrote to memory of 2280	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	32
PID 2868 wrote to memory of 2280	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	32
PID 2868 wrote to memory of 1408	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 1408	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 1408	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 1408	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	33
PID 2868 wrote to memory of 2876	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	34
PID 2868 wrote to memory of 2876	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	34
PID 2868 wrote to memory of 2876	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	34
PID 2868 wrote to memory of 2876	2868	8c60f460950b78393884830f30990350_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	8c60f460950b78393884830f30990350_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	8c60f460950b78393884830f30990350_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8c60f460950b78393884830f30990350_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2868
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2384
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2732
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2760
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1560
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2280
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1408
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
5a83a6616b48bdd5599284b0ebb0ba74

SHA1
a63eb027202bfa3066ba73a8f3f5973d3a705fc1

SHA256
4b8075b1d9a07721b38ff1826427863f930a67a151f2d4d664076bb6dfe2d626

SHA512
eadc17231bc51cc2e319ae0a6e05fccc7c2850d8305acc31fa8be41b53b0ebaaa0f4d53f398ce358fac7fa4e2f9034926125c10e052c8cb86df5599c22e20075

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
8c60f460950b78393884830f30990350

SHA1
fb34db6b9fcf426c49bc3e4abbd699a161f00632

SHA256
baeb79c0e0111a0ea27f4dfe6e387ef4e5816d14c6f30cded0b027d7504bcc48

SHA512
ea935bb7383d430ecdaff3383c41c3b2c11e57808b745477978fdec211cfc3e31f2672d2dd5b384850ab4c499643caf8633fb7be59d96f4963e65d2efa03c097

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
ac08b2fbd621709d2b6b78cf346cb177

SHA1
9b30d5b7ed58deaaefea0d0bb158108ab040fa7e

SHA256
e6af55149b52eaf89a5b430e15caabe4aaf04a43971d438d63854361525895e5

SHA512
2d6a60042e182934400bff9c75818e88989c30840305c4d9e0fd758bff67cc7989e5ce914c253eedaaa2f0aeefbed19eb5e44ed08a4ac11b4c12e97ea30b87c9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
7612aef729f63e6ccfb9a50a44178dc5

SHA1
b4860e9fad4d250d33f1f0ace7e49b7fa8c6f117

SHA256
c2990d4a7147beacb5d6f09d4e62895d152a826070a6297ff4bd46a2db83783a

SHA512
00e1af491c53b88cf9fb44ce58235931db7510d79a4eb06492ebca4d0fa039da42ad6d6e77ad6430ea20c4c76dd42a0b2fd3cbcfe70c20c4fa87354fb815b8dc

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
8a531446ae6f673336ee1fc45acc8cb1

SHA1
9be9de343cb77b36bf5699177f5ef7eb3a457d6e

SHA256
a4c495dfe4e641c5bb316709c053de4971345c101d2cfeda08cae1212c25279b

SHA512
e5aba1d8d442b517f24d6ef734ef63505dd32d5425a16f595fc1213b92192f554350c673ea828f5db3841d12a7b928ae351c50fde97122db1c85b04ee6ec6de3

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
2d325a745e8a12e432eea748fe12aaba

SHA1
132a634801650a37bc95fc12d6a84bb456ccf021

SHA256
0174d5c784770b9951aeac43fcafea81a70b897e376bef7b5d133bbb0918df6a

SHA512
564304bf6aa8a25e8a76e17f99c8a7d18182bb963f67bf25a9c8ed1844fe6e27bad90d729ba959941014fad0f1484a77a43aeb1a9ec613a5e9d3bfe0aea361db

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
74b8065116f52c6a172ed8a50e7b6801

SHA1
1bbb61a4199b4d0b5a40e4c5b90fa414cd25ab97

SHA256
6ff67a2af739bf2d45b6e38d7dca8d2915a46f157d17ca9623d08b6eb7f814ba

SHA512
8ea8828e6cd2dfe125c2a2a0b5cd064dcfee9008a3c43169eefb2f772bc15ebbecd4fa25464bf18f6405297c5a0d101bc3a8f41b0c2680875e2b01f551704667

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
91ee621d2b0eb7193e9ccd53de79dfd0

SHA1
fdf05ec248b8869e5db085822ddc4760f5648027

SHA256
dac496d396381ef4044e38601062aac9e19af6decdeaf1ec7913e7070be8dcb9

SHA512
c96aefbbb23bb3ce7ba0ec7b276cf75ba6686450bd50e1811c9474f8dfc9d2b8068f2ec63fe5793cb2610f8b1afacfb2eae9445069a363f11be74e14c86cbd93

Download Submit
memory/1408-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-165-0x00000000024C0000-0x00000000024EF000-memory.dmp

Filesize
188KB

Download
memory/2868-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-105-0x00000000024C0000-0x00000000024EF000-memory.dmp

Filesize
188KB

Download
memory/2868-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download