141a532522bff35c6c29f8d828a3b7e8305d53e3b0c3ecd1c9acdb0306686962

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Size

91KB
MD5

92d92095d225aa0c32c532c906104b50
SHA1

ac76e50703cec78747ae2c6d10e66e78b2b39810
SHA256

141a532522bff35c6c29f8d828a3b7e8305d53e3b0c3ecd1c9acdb0306686962
SHA512

29bcba7cdcf823b648654daa51b2cdff7779c4cdb6111073fc48d33ecab09910a2e38abfd51301cdf55a00c929ba3efc6a99647037cd4f808382d8f534a016c5
SSDEEP

1536:XRsjdLaslqdBXvTUL0Hnouy8VjDRsjdLaslqdBXvTUL0Hnouy8VjU:XOJKqsout9DOJKqsout9U

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 13 IoCs

pid	Process
2356	xk.exe
992	IExplorer.exe
800	WINLOGON.EXE
2636	CSRSS.EXE
2628	SERVICES.EXE
2316	LSASS.EXE
532	xk.exe
2152	IExplorer.exe
428	WINLOGON.EXE
1136	CSRSS.EXE
1656	SERVICES.EXE
2364	LSASS.EXE
900	SMSS.EXE

Loads dropped DLL 22 IoCs

pid	Process
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000015e02-8.dat	upx
behavioral1/memory/2772-106-0x00000000026A0000-0x00000000026CF000-memory.dmp	upx
behavioral1/files/0x0006000000018b15-110.dat	upx
behavioral1/files/0x0006000000018b4a-116.dat	upx
behavioral1/memory/2356-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/992-124-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/992-128-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018b73-129.dat	upx
behavioral1/files/0x0006000000018b96-138.dat	upx
behavioral1/memory/2636-148-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/800-146-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2636-152-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018ba2-159.dat	upx
behavioral1/memory/2628-163-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018d06-164.dat	upx
behavioral1/memory/2772-166-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2316-175-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018b15-230.dat	upx
behavioral1/files/0x0006000000018b4a-234.dat	upx
behavioral1/memory/532-241-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2152-248-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018b73-251.dat	upx
behavioral1/files/0x0006000000018b96-259.dat	upx
behavioral1/memory/428-267-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1136-271-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018ba2-272.dat	upx
behavioral1/memory/2772-278-0x00000000026A0000-0x00000000026CF000-memory.dmp	upx
behavioral1/memory/1656-292-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2364-295-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000192c9-296.dat	upx
behavioral1/memory/900-303-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/900-313-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2772-457-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File created	C:\desktop.ini	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened for modification	F:\desktop.ini	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File created	F:\desktop.ini	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\H:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\M:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\N:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\S:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\U:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\V:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\W:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\X:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\E:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\K:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\L:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\O:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\R:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\G:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\I:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\J:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\T:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened (read-only)	\??\B:	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\Mig2.scr	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\xk.exe	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\ = "_AutoFormatRules"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063041-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\ = "_OlkTimeZoneControl"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\ = "Exceptions"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\ = "_PostItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\ = "_NewItemAlertRuleAction"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\ = "_TimeZone"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ = "_AttachmentSelection"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063041-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063009-0000-0000-C000-000000000046}\ = "Panes"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\ = "_CalendarModule"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EB-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067368-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1488	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1488	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1488	OUTLOOK.EXE
1488	OUTLOOK.EXE
1488	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1488	OUTLOOK.EXE
1488	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
2356	xk.exe
992	IExplorer.exe
800	WINLOGON.EXE
2636	CSRSS.EXE
2628	SERVICES.EXE
2316	LSASS.EXE
532	xk.exe
2152	IExplorer.exe
428	WINLOGON.EXE
1136	CSRSS.EXE
1656	SERVICES.EXE
2364	LSASS.EXE
900	SMSS.EXE
1488	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2356	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	28
PID 2772 wrote to memory of 2356	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	28
PID 2772 wrote to memory of 2356	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	28
PID 2772 wrote to memory of 2356	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	28
PID 2772 wrote to memory of 992	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	29
PID 2772 wrote to memory of 992	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	29
PID 2772 wrote to memory of 992	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	29
PID 2772 wrote to memory of 992	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	29
PID 2772 wrote to memory of 800	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	30
PID 2772 wrote to memory of 800	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	30
PID 2772 wrote to memory of 800	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	30
PID 2772 wrote to memory of 800	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	30
PID 2772 wrote to memory of 2636	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	31
PID 2772 wrote to memory of 2636	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	31
PID 2772 wrote to memory of 2636	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	31
PID 2772 wrote to memory of 2636	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	31
PID 2772 wrote to memory of 2628	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	32
PID 2772 wrote to memory of 2628	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	32
PID 2772 wrote to memory of 2628	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	32
PID 2772 wrote to memory of 2628	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	32
PID 2772 wrote to memory of 2316	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	33
PID 2772 wrote to memory of 2316	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	33
PID 2772 wrote to memory of 2316	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	33
PID 2772 wrote to memory of 2316	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	33
PID 2772 wrote to memory of 532	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	34
PID 2772 wrote to memory of 532	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	34
PID 2772 wrote to memory of 532	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	34
PID 2772 wrote to memory of 532	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	34
PID 2772 wrote to memory of 2152	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	35
PID 2772 wrote to memory of 2152	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	35
PID 2772 wrote to memory of 2152	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	35
PID 2772 wrote to memory of 2152	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	35
PID 2772 wrote to memory of 428	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	36
PID 2772 wrote to memory of 428	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	36
PID 2772 wrote to memory of 428	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	36
PID 2772 wrote to memory of 428	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	36
PID 2772 wrote to memory of 1136	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	37
PID 2772 wrote to memory of 1136	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	37
PID 2772 wrote to memory of 1136	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	37
PID 2772 wrote to memory of 1136	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	37
PID 2772 wrote to memory of 1656	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	38
PID 2772 wrote to memory of 1656	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	38
PID 2772 wrote to memory of 1656	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	38
PID 2772 wrote to memory of 1656	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	38
PID 2772 wrote to memory of 2364	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	39
PID 2772 wrote to memory of 2364	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	39
PID 2772 wrote to memory of 2364	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	39
PID 2772 wrote to memory of 2364	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	39
PID 2772 wrote to memory of 900	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	40
PID 2772 wrote to memory of 900	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	40
PID 2772 wrote to memory of 900	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	40
PID 2772 wrote to memory of 900	2772	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe	40

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\92d92095d225aa0c32c532c906104b50_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2772
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2356
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:992
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:800
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2636
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2628
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2316
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:532
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2152
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:428
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1136
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1656
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2364
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:900

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
230KB

MD5
135ecbd695ab14db24f10fb2bffa1b28

SHA1
f56a76c6a2dffe19ca51ae6333c02eff4e451aaf

SHA256
5ed9794a366707f619f33fd0b4dae27c1817191c9d2e119cb64730b63b2a4da0

SHA512
3529138d139abf887bff1d40de114c0895d868a2a4c3b30b04acd15372a1622902351d5d0212b361c87daa5acba7b0cac6c27ac248810243204b61517ced0de9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
230KB

MD5
a829f0e4aa6947866d6d8ed6d78aa1fe

SHA1
c4ddf6e46c422bcf164b357afe72b4ef4466ea0d

SHA256
3f035f8a23a207df9be8c4bb0c4e32e3b657509f3574efae480300e0bcd9f6d4

SHA512
4db953152f64ed4d002bbd211e56a1219429366de7b12a1b5b48b747321cd2a9c91f9996e36f524465211d5b5ee8f0e4b4cad3372ff73d12c45bfce26e2999d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
b84d95642c5b57c111116bed5bac7b4c

SHA1
bad370e98c4a3c7c7cde4079f693d35e220ab09e

SHA256
6312ba481aa60f661f59eb02520939d4888fe1974c9d64c57d9de508461d48a9

SHA512
a09c6984b50e10466be16796ff4b46c0bb36f931ad8b33667f6de13141dbe13cd53ee1d95ad83fcb9857237d3bad3864af29edb47af651b2e77fbde83b7b6bae

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
92d92095d225aa0c32c532c906104b50

SHA1
ac76e50703cec78747ae2c6d10e66e78b2b39810

SHA256
141a532522bff35c6c29f8d828a3b7e8305d53e3b0c3ecd1c9acdb0306686962

SHA512
29bcba7cdcf823b648654daa51b2cdff7779c4cdb6111073fc48d33ecab09910a2e38abfd51301cdf55a00c929ba3efc6a99647037cd4f808382d8f534a016c5

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
5e6b52638fc92225cfc963f8a3d2aa21

SHA1
92140c32b06c2121178622ecbae49052f83d4f3c

SHA256
139f2280735f4e5f1b5abf6f22e004d8f23cae40c77b950e9e35f7815155cf25

SHA512
fc77bfaccb85433c7dea1cc4ea9619453618a3ac527578d51484599a212c1068629b5a71ae2a6438acddf8cbc749c4b36b9fb932698e50455d7b3007e1e6aff9

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
1b183ea91d32381f8a0189c977b213ec

SHA1
91a55833e8282685fdc733e37ea566c40e72cf22

SHA256
bde63e50cf34b0ed884ccbf7e7b99bee7fe861da30c9df6e2a9c3883fc63ac47

SHA512
c9855f20df37d05ea2b5ca1d7b5df008181bacc1c0d46a30c2809aae151cde1a2e3de40bb0910f0c24fdb6835cbe2b577ca0f3988ae7da0b42ef06f69e8d9024

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
d0e339bf8cd4a6e10105ee595d120073

SHA1
cfda28c90f24ea41a19448556d024286d74a74cf

SHA256
b970695c0075dd24ca91997813a94bcfc44a0cb49d3d8de0444547b09f571dd6

SHA512
2aeb2dd59e09c742e0911345da86e995d06fbf2a2f2ec0c90f98d65f68e2fb94e8704976605fcad7a4df4e05cf5f6dfb5bb1e128c09ab45395d20bf0368ef6f0

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
8a85f5779246b5700cd533b94c27c4ee

SHA1
c8045bd0c96b9a4571b30726f2a0a75df99f2180

SHA256
e05eb87f57607ae5b786e72e8eeb7d28ded38aa2d52b862aa92caec7403244f7

SHA512
ef3f9210876585577ddff57302a2940818708636c5d9b39ddeda3d6053f23b90d8b8d44ef9b7f6e79265b53a052733bb45e27fdec471d5d2f9f5940f6c3a016b

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
6fb7d30f9405cc794ce1602bd9fd63f7

SHA1
f97c07bc2a9ef0f617c6761c062864c9392c9893

SHA256
2775e41911610a36803c29c558cf201a0ec2501d3aa548674b8745350a8b466a

SHA512
7ab7357f5b712c7b6c1f0d1fae00af962137500e2d1539a4a1c6fead35bb8d55da365f71d01b089139dd0e6e21f721fd61aadb73e66112969e4343dd7aca9c76

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
eec48371a91cb2101f4f109802dcf1b5

SHA1
5f6ddaacf94ec42f7412066657beb09ecbeb9cf8

SHA256
9bc24cae75af97ec62d3d4fc3eb76aa38af8cf52049e53b9bf334d8f22c095ec

SHA512
78643c6d942899def88b1f7e4ce572af18612cb41ca454c24606f3d192616c29d1fdcc8ae6fe5a0824a0684de6afa0b6de8c66eb12163b738932f98dd6981ff5

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
1efaee30aa8efb18bd8039f60a16289f

SHA1
518de41d8ee01cc027217da543588f2374fe4186

SHA256
f053e212fe87e52e61d221ba841a0488e9cc435ba04e161fdd059ad69d56bef8

SHA512
aaa3583f7372872eb09ac44b211fb01142aa1367914eff054c9779e388e4a6575b92a5be0dbcba687fe39f64451d6905d270e5eb32bdbe25f11f985bd95560d7

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
71e100e0010a8b890d16ecf37005038d

SHA1
8f5a7ef5f726cbfe9b35835d2bbd67bd2d3ace11

SHA256
a53e93e139a97fa64f7c17e0afbe61200451daf062b2dab8e83285b939d05df6

SHA512
5421c42a7f99ba3437c054184d295af3fa919a831a1f29de3da19436daea6fa39f519897a2424cf1ec52945050b0ffde0487c9cb970ea9f60d8193757c4323f8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
d24bd41caae20f3ebfc5b0368ce7b346

SHA1
fa4f5dca2f5b85e7c8e0de77ce94ae861cadb92f

SHA256
778dbe5e8c937efab5f941dc959f8b8143fad1c29e630ef67f5412aa6ca96cbe

SHA512
f4303ec2e6fd8455c5ddca3e24061183b59cf8feb4bd625fadc6e81a70157d11862d9af17df0d10c39078f45a08508269f169dfa4223652276208dffc3180111

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
1f5165dc6c1a7f88baa701eee9752ed2

SHA1
cb22bc87b7a061a308fb48ac6bb8c0788f5c9699

SHA256
6dbbff3492a1a61e7b71557c804d86832d29e953568adfe0b17607f83e812185

SHA512
a21d36bac61b2fa4e1ad522dc70b233baa7f7d073d23a3d10b3ae1a70f7f6cc5ecbe524ae2d6193befa96a4f3ffefea078fa7ca3f6286ad4888b7fa063f85b75

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
d6a61ae354eee3f47750a4dea2a0f3ce

SHA1
a2d28c9bb05064d855d98fbd47955a538da3115a

SHA256
92577367231435b97464a50ba6d63e0d94e245f9df091e8404d8c5c468b5e988

SHA512
f318819dca6a5385d854236d1b09517e0ecf854833627d68ffca045842e349ba99e7e27d0a4a51068e83486b08eb469114ccf0058fce7ae72407f67736ec1552

Download Submit
memory/428-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/532-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/800-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/992-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/992-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1488-332-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1656-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-244-0x00000000026A0000-0x00000000026CF000-memory.dmp

Filesize
188KB

Download
memory/2772-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-278-0x00000000026A0000-0x00000000026CF000-memory.dmp

Filesize
188KB

Download
memory/2772-280-0x00000000026A0000-0x00000000026CF000-memory.dmp

Filesize
188KB

Download
memory/2772-256-0x00000000026A0000-0x00000000026CF000-memory.dmp

Filesize
188KB

Download
memory/2772-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-147-0x00000000026A0000-0x00000000026CF000-memory.dmp

Filesize
188KB

Download
memory/2772-231-0x00000000026A0000-0x00000000026CF000-memory.dmp

Filesize
188KB

Download
memory/2772-123-0x00000000026A0000-0x00000000026CF000-memory.dmp

Filesize
188KB

Download
memory/2772-227-0x00000000026A0000-0x00000000026CF000-memory.dmp

Filesize
188KB

Download
memory/2772-243-0x00000000026A0000-0x00000000026CF000-memory.dmp

Filesize
188KB

Download
memory/2772-111-0x00000000026A0000-0x00000000026CF000-memory.dmp

Filesize
188KB

Download
memory/2772-106-0x00000000026A0000-0x00000000026CF000-memory.dmp

Filesize
188KB

Download
memory/2772-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download