cf3772cdeab1ee5efff86ef85e9802ea9a2d2f5aa267871b30c7fab7db82392e

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Size

91KB
MD5

9cf7976c0f22742385ec61caf469dd10
SHA1

a15bb47250134e5ad4b5b8a16e748dea2ead51d8
SHA256

cf3772cdeab1ee5efff86ef85e9802ea9a2d2f5aa267871b30c7fab7db82392e
SHA512

4473d4e2e9bc5c10fbb9b9e543d12deae04998b1b80074e0e8bbbb03aa0c1d81e29ab175aa104981cfaf3b98962c8194108a5b2a18337ee4f15467d54b42e899
SSDEEP

1536:XJRtlEnBHHIgabuYotV/JbJCX5SBiGJRtlEnBHHIgabuYotV/JbJCX5SBi3:XvtYxOuYotvYQIGvtYxOuYotvYQI3

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2424	xk.exe
2756	IExplorer.exe
896	WINLOGON.EXE
1672	CSRSS.EXE
1904	SERVICES.EXE
548	LSASS.EXE
1444	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0008000000015f1b-8.dat	upx
behavioral1/files/0x0008000000016411-108.dat	upx
behavioral1/memory/2424-113-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d0e-115.dat	upx
behavioral1/memory/2200-117-0x0000000002660000-0x000000000268F000-memory.dmp	upx
behavioral1/memory/2424-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2756-124-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2756-127-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d1f-128.dat	upx
behavioral1/files/0x0006000000016d27-139.dat	upx
behavioral1/memory/896-141-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1672-150-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d3b-154.dat	upx
behavioral1/memory/1672-151-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d40-164.dat	upx
behavioral1/memory/1904-163-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2200-171-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d44-178.dat	upx
behavioral1/memory/2200-189-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1444-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1444-184-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/548-177-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
2424	xk.exe
2756	IExplorer.exe
896	WINLOGON.EXE
1672	CSRSS.EXE
1904	SERVICES.EXE
548	LSASS.EXE
1444	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2424	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2424	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2424	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2424	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2756	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	29
PID 2200 wrote to memory of 2756	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	29
PID 2200 wrote to memory of 2756	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	29
PID 2200 wrote to memory of 2756	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	29
PID 2200 wrote to memory of 896	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	30
PID 2200 wrote to memory of 896	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	30
PID 2200 wrote to memory of 896	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	30
PID 2200 wrote to memory of 896	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	30
PID 2200 wrote to memory of 1672	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	31
PID 2200 wrote to memory of 1672	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	31
PID 2200 wrote to memory of 1672	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	31
PID 2200 wrote to memory of 1672	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	31
PID 2200 wrote to memory of 1904	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	32
PID 2200 wrote to memory of 1904	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	32
PID 2200 wrote to memory of 1904	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	32
PID 2200 wrote to memory of 1904	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	32
PID 2200 wrote to memory of 548	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	33
PID 2200 wrote to memory of 548	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	33
PID 2200 wrote to memory of 548	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	33
PID 2200 wrote to memory of 548	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	33
PID 2200 wrote to memory of 1444	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	34
PID 2200 wrote to memory of 1444	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	34
PID 2200 wrote to memory of 1444	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	34
PID 2200 wrote to memory of 1444	2200	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9cf7976c0f22742385ec61caf469dd10_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2200
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2424
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2756
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:896
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1672
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1904
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:548
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
9cf7976c0f22742385ec61caf469dd10

SHA1
a15bb47250134e5ad4b5b8a16e748dea2ead51d8

SHA256
cf3772cdeab1ee5efff86ef85e9802ea9a2d2f5aa267871b30c7fab7db82392e

SHA512
4473d4e2e9bc5c10fbb9b9e543d12deae04998b1b80074e0e8bbbb03aa0c1d81e29ab175aa104981cfaf3b98962c8194108a5b2a18337ee4f15467d54b42e899

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
837cb76645103dc00ba9a2493b7ea0eb

SHA1
974b2d9e01455bbe937007b66ccdf49de9a3f4c0

SHA256
fc97a15567b3e956ac1726656a2a82a1a9f10de74b32d5c69d1530e9592a68d0

SHA512
ae8584953ea4ff7aaa18b30790dfebad1593d8ac39a4688b4dd7c30059af89e6a47547cf13447ab6d63604f9c203161e0810bda9118c1050ac22837cd6ab2316

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
116bd742e6b49a95a3f8182717a2f8ba

SHA1
21a7bae7b360cb108a7c4dfc302d60937d330b8f

SHA256
89c3ed074783a43d64433cf6f27d8f30718809a6b6c88fe085b127cb1d640a8e

SHA512
2ad3ad26f22874028cc1bcaa1475c18914c4a67b62c3390f62b0b4306bc08f0d4b1e8433153f94eb97227e0e978976d1e950f133803774d7c00c2b3f609533a1

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
501cd1f0c9ae4346cc4aa2c9f423fc8c

SHA1
a4a321f0932ca40aa8f8dbda5cbe35c13e0949bf

SHA256
d5761ee75335ffa9faa7d456aa4da0dee0f70ccc61e43faac7d4c4249061e36b

SHA512
ac01e35671eb5c49c9d1a3bb82341868f768d352bb30077894cb656d7b248ee72e95de50bde55ce186368a1106438a703b2425ca1cf5de8081fb38405d9a9934

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
65ccfac09c3993bbc670383b5b219552

SHA1
7e88569543cd890a6705671c93fcd61097d52404

SHA256
c679ab30f3ce0b1d57e057ba708b81761ec13e5421654cfcc66c8bc11cec5354

SHA512
8b1739fee912513a17af023ff8aafb52b9d91ca862473f208f514573439ae75bec23459d8673a026752844710055cdfa96c0d3158f81be41ae7299fccab55a1c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
f3995ffe5a70c80aa28568ef406ba20b

SHA1
58573b0159964e23a1b41807a887ddb137623215

SHA256
e36eb6ae1baa0de2e71b9e3e99d5b3a0388c622b6f80e8f3f37d4753a6ebb9dd

SHA512
cbf8d559f80d22635e94f04796650b1b56ae329bce6b647b35030813691a8a550c0685edc0713e9629fa9ee8ee34985578aefb338319b6c2bef90ce2ac85144c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
289c15627d40e8935fcc1636107eee19

SHA1
5b4324da0c05c971b2ce1427a9d90b0687e4d5b8

SHA256
526f62bc4aabc6f7a5cc38d9bd4d85b87a71a2e8c2b300fb79228a00c4045e70

SHA512
5a5236f7ada647fa65cf5173197dfdcbf5d63fd609e20cde4f44055ed36bf715003ddb3ee903809a3052c3b0f9f5fde36289ffc46124e4f0e7a6a6151352912f

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
2753715fb5d79dd663ae59a7e1968a1b

SHA1
8c9b4b9d7c9eed91ee56861dd29352dba2cc9f24

SHA256
b721eadaddaf7df99b04a521fd589f4960ebe6d255a89665e695d2fe139964aa

SHA512
4f10dfb215d8d5c12572842fd777547c7f99b6476eac1f3cddf7d17bd366bf5573d70006d598350bb5a38adb2468ec76869915e30e3d8e1ab519acd93491466b

Download Submit
memory/548-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/896-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-112-0x0000000002660000-0x000000000268F000-memory.dmp

Filesize
188KB

Download
memory/2200-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-117-0x0000000002660000-0x000000000268F000-memory.dmp

Filesize
188KB

Download
memory/2200-130-0x0000000002660000-0x000000000268F000-memory.dmp

Filesize
188KB

Download
memory/2200-160-0x0000000002660000-0x000000000268F000-memory.dmp

Filesize
188KB

Download
memory/2200-159-0x0000000002660000-0x000000000268F000-memory.dmp

Filesize
188KB

Download
memory/2200-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-111-0x0000000002660000-0x000000000268F000-memory.dmp

Filesize
188KB

Download
memory/2200-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-149-0x0000000002660000-0x000000000268F000-memory.dmp

Filesize
188KB

Download
memory/2424-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-113-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download