Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
03/06/2024, 05:16
Static task
static1
Behavioral task
behavioral1
Sample
9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe
-
Size
362KB
-
MD5
9cbc65a627d76a1b569a87dac366fbc0
-
SHA1
566e46ec048751ac74e3d149393884a5b278269b
-
SHA256
a9571263f1e9762aa338e9c1b272afd3d02aa41fe57990042a9b2b953d3aed6a
-
SHA512
e186800d136accf8c0cdb4226cf6489f4178021bc1c08bd1cc4546ea8ea150b9a3d6f5a67ebe230919e2c5eb469f44d40ac753958a5860f29b4e35b577b6fa8a
-
SSDEEP
3072:VBI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikE8gdkSLF2:VK5ArKjbAxXSaegUqGeGpBohMERx
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 2228 autoWWIN.exe 2696 ~2EED.tmp 1804 rasaKEYs.exe -
Loads dropped DLL 3 IoCs
pid Process 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 2228 autoWWIN.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Seardown = "C:\\Users\\Admin\\AppData\\Roaming\\compocom\\autoWWIN.exe" 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rasaKEYs.exe 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2796 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2228 autoWWIN.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE 1804 rasaKEYs.exe 1200 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeShutdownPrivilege 1200 Explorer.EXE Token: SeShutdownPrivilege 1200 Explorer.EXE Token: SeShutdownPrivilege 1200 Explorer.EXE Token: SeShutdownPrivilege 1200 Explorer.EXE Token: SeShutdownPrivilege 1200 Explorer.EXE Token: SeShutdownPrivilege 1200 Explorer.EXE -
Suspicious use of FindShellTrayWindow 12 IoCs
pid Process 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2796 EXCEL.EXE 2796 EXCEL.EXE 2796 EXCEL.EXE -
Suspicious use of UnmapMainImage 9 IoCs
pid Process 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1724 wrote to memory of 2228 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 28 PID 1724 wrote to memory of 2228 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 28 PID 1724 wrote to memory of 2228 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 28 PID 1724 wrote to memory of 2228 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 28 PID 2228 wrote to memory of 2696 2228 autoWWIN.exe 29 PID 2228 wrote to memory of 2696 2228 autoWWIN.exe 29 PID 2228 wrote to memory of 2696 2228 autoWWIN.exe 29 PID 2228 wrote to memory of 2696 2228 autoWWIN.exe 29 PID 2696 wrote to memory of 1200 2696 ~2EED.tmp 21 PID 1724 wrote to memory of 2796 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 31 PID 1724 wrote to memory of 2796 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 31 PID 1724 wrote to memory of 2796 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 31 PID 1724 wrote to memory of 2796 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 31 PID 1724 wrote to memory of 2796 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 31 PID 1724 wrote to memory of 2796 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 31 PID 1724 wrote to memory of 2796 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 31 PID 1724 wrote to memory of 2796 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 31 PID 1724 wrote to memory of 2796 1724 9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe 31
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9cbc65a627d76a1b569a87dac366fbc0_NeikiAnalytics.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Roaming\compocom\autoWWIN.exe"C:\Users\Admin\AppData\Roaming\compocom\autoWWIN.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\~2EED.tmp"C:\Users\Admin\AppData\Local\Temp\~2EED.tmp"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde3⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2796
-
-
-
C:\Windows\SysWOW64\rasaKEYs.exeC:\Windows\SysWOW64\rasaKEYs.exe -k1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1804
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD56186c22cc888081ecf6f584e5d4f6aa7
SHA1d6d75f24ed318dd6d00cc780b2926d49d4abf48c
SHA256db1590fa28b91a615d939fa430cd59d60cfc12d7da9b2fee8acbb7e7d72ffc3c
SHA51217d295231474ca7f43ee1e2b14c821f7107170a03169750114ae534d996394d0d4ba268b4438d38dadda7d169e54b55a9f6f363e7923049d97f524b4c43e97e2
-
Filesize
362KB
MD59cbc65a627d76a1b569a87dac366fbc0
SHA1566e46ec048751ac74e3d149393884a5b278269b
SHA256a9571263f1e9762aa338e9c1b272afd3d02aa41fe57990042a9b2b953d3aed6a
SHA512e186800d136accf8c0cdb4226cf6489f4178021bc1c08bd1cc4546ea8ea150b9a3d6f5a67ebe230919e2c5eb469f44d40ac753958a5860f29b4e35b577b6fa8a
-
Filesize
6KB
MD5a75b85807d7bbca99ac329c731588a13
SHA1cef931274c69e40c71b9bea41cfc61c0528400c5
SHA256436f76ee66b202e6dd933808ce7d003766da8440523e3dd8d16dba8d4b4e031f
SHA5124bc842dafecc41bd250c7e4dfbed3fab0d117d7e508f3567424ab9ba0bcd4dff55a21d187722f7c970691e07563b92c183064bec68117d21b34c0fe92ca90255
-
Filesize
172KB
MD5b6217e29e8570dc9d26715db5420c77f
SHA1c1a579bfe8a09ca79819a306259360d2f323fe73
SHA256ba2c39b8535169803c5b5614034573a6ea32ee7db14df89a82a10c47c26554f5
SHA512ec21956393f040baf4d48ee0c07e2506b21fde2885a05f06e85304fae9e40f9899b1bca1004ccaa9d8f43b6fd8fd7e31518f6a6c29fd868f88d60253172e762a