e3b1930fd53b2fa4105f98e5e47561ba6882ccf6c6ba82d5c817b0c790ed71fc

Analysis

max time kernel
145s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Size

160KB
MD5

3a3dbf3bc276338acf2c28dbd8f5a230
SHA1

a9c8774519387fb01b2a324893f3b1fe93a6877a
SHA256

e3b1930fd53b2fa4105f98e5e47561ba6882ccf6c6ba82d5c817b0c790ed71fc
SHA512

77f475425b0715393d5820ede908189f799ebb25d96e66bc2a17628f38ccad17311a969e221b8eba5918b03ee3673f93548b222de0eb3383123fadc981671785
SSDEEP

3072:TGrNIkMzZwvI8ss81GITFJ/G4bSGXO7QD56i:qrNrMzK7IhzG4mG+MD59

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SMSS.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	D3_08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	D3_08.exe

Disables RegEdit via registry modification 16 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	D3_08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	D3_08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 56 IoCs

pid	Process
3160	D3_08.exe
3372	IExplorer.exe
2464	WINLOGON.EXE
4488	CSRSS.EXE
4192	SERVICES.EXE
4892	LSASS.EXE
3612	SMSS.EXE
2376	D3_08.exe
1088	IExplorer.exe
3508	D3_08.exe
2520	WINLOGON.EXE
1756	D3_08.exe
3980	CSRSS.EXE
3524	IExplorer.exe
2936	IExplorer.exe
4480	WINLOGON.EXE
4304	WINLOGON.EXE
2088	SERVICES.EXE
1180	CSRSS.EXE
4364	CSRSS.EXE
3916	D3_08.exe
3788	D3_08.exe
1100	LSASS.EXE
4144	IExplorer.exe
3212	IExplorer.exe
4368	SERVICES.EXE
1084	SERVICES.EXE
1232	SMSS.EXE
748	WINLOGON.EXE
4752	WINLOGON.EXE
1572	LSASS.EXE
2124	LSASS.EXE
3764	CSRSS.EXE
1324	CSRSS.EXE
3148	SMSS.EXE
3100	SMSS.EXE
3460	SERVICES.EXE
3656	SERVICES.EXE
928	LSASS.EXE
1360	LSASS.EXE
2608	SMSS.EXE
408	SMSS.EXE
2240	D3_08.exe
3596	D3_08.exe
2376	IExplorer.exe
2016	IExplorer.exe
4032	WINLOGON.EXE
3476	WINLOGON.EXE
1684	CSRSS.EXE
3892	CSRSS.EXE
4916	SERVICES.EXE
4448	SERVICES.EXE
3124	LSASS.EXE
868	LSASS.EXE
3464	SMSS.EXE
4780	SMSS.EXE

Loads dropped DLL 7 IoCs

pid	Process
2376	D3_08.exe
3508	D3_08.exe
1756	D3_08.exe
3916	D3_08.exe
3788	D3_08.exe
2240	D3_08.exe
3596	D3_08.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE

Adds Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	IExplorer.exe

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\desktop.ini	D3_08.exe
File opened for modification	C:\desktop.ini	WINLOGON.EXE
File opened for modification	C:\desktop.ini	IExplorer.exe
File opened for modification	F:\desktop.ini	D3_08.exe
File created	F:\desktop.ini	D3_08.exe
File opened for modification	F:\desktop.ini	WINLOGON.EXE
File opened for modification	F:\desktop.ini	IExplorer.exe
File opened for modification	C:\desktop.ini	D3_08.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	D3_08.exe
File opened (read-only)	\??\X:	CSRSS.EXE
File opened (read-only)	\??\B:	LSASS.EXE
File opened (read-only)	\??\N:	D3_08.exe
File opened (read-only)	\??\W:	WINLOGON.EXE
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\Y:	SERVICES.EXE
File opened (read-only)	\??\M:	LSASS.EXE
File opened (read-only)	\??\I:	D3_08.exe
File opened (read-only)	\??\E:	D3_08.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\B:	SERVICES.EXE
File opened (read-only)	\??\B:	D3_08.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\T:	CSRSS.EXE
File opened (read-only)	\??\J:	LSASS.EXE
File opened (read-only)	\??\O:	WINLOGON.EXE
File opened (read-only)	\??\N:	SERVICES.EXE
File opened (read-only)	\??\Z:	SMSS.EXE
File opened (read-only)	\??\P:	WINLOGON.EXE
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\Q:	LSASS.EXE
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\O:	SERVICES.EXE
File opened (read-only)	\??\E:	WINLOGON.EXE
File opened (read-only)	\??\M:	WINLOGON.EXE
File opened (read-only)	\??\T:	WINLOGON.EXE
File opened (read-only)	\??\P:	LSASS.EXE
File opened (read-only)	\??\Q:	SMSS.EXE
File opened (read-only)	\??\R:	D3_08.exe
File opened (read-only)	\??\K:	CSRSS.EXE
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\G:	CSRSS.EXE
File opened (read-only)	\??\E:	SERVICES.EXE
File opened (read-only)	\??\Z:	SERVICES.EXE
File opened (read-only)	\??\G:	LSASS.EXE
File opened (read-only)	\??\U:	LSASS.EXE
File opened (read-only)	\??\V:	LSASS.EXE
File opened (read-only)	\??\R:	SMSS.EXE
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\X:	SMSS.EXE
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\X:	D3_08.exe
File opened (read-only)	\??\U:	WINLOGON.EXE
File opened (read-only)	\??\H:	LSASS.EXE
File opened (read-only)	\??\O:	D3_08.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\R:	LSASS.EXE
File opened (read-only)	\??\Y:	D3_08.exe
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\J:	SERVICES.EXE
File opened (read-only)	\??\I:	WINLOGON.EXE
File opened (read-only)	\??\R:	CSRSS.EXE
File opened (read-only)	\??\W:	SERVICES.EXE
File opened (read-only)	\??\N:	LSASS.EXE
File opened (read-only)	\??\P:	SMSS.EXE
File opened (read-only)	\??\Q:	CSRSS.EXE
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\J:	D3_08.exe
File opened (read-only)	\??\R:	WINLOGON.EXE

Drops file in System32 directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	CSRSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	D3_08.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\shell.exe	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	D3_08.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	D3_08.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	SMSS.EXE
File created	C:\Windows\SysWOW64\MrD3_08.scr	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	D3_08.exe
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\D3_08.exe	CSRSS.EXE
File opened for modification	C:\Windows\D3_08.exe	SERVICES.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\D3_08.exe	LSASS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\D3_08.exe	LSASS.EXE
File created	C:\Windows\D3_08.exe	D3_08.exe
File created	C:\Windows\D3_08.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\D3_08.exe	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\D3_08.exe	SMSS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\D3_08.exe	D3_08.exe
File created	C:\Windows\D3_08.exe	CSRSS.EXE
File created	C:\Windows\D3_08.exe	SERVICES.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\D3_08.exe	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\D3_08.exe	SMSS.EXE
File created	C:\Windows\D3_08.exe	WINLOGON.EXE
File opened for modification	C:\Windows\D3_08.exe	WINLOGON.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\D3_08.exe	IExplorer.exe

Modifies Control Panel 32 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	D3_08.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
3160	D3_08.exe
4488	CSRSS.EXE
2464	WINLOGON.EXE
4192	SERVICES.EXE
3372	IExplorer.exe
4892	LSASS.EXE
3612	SMSS.EXE

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
3160	D3_08.exe
3372	IExplorer.exe
2464	WINLOGON.EXE
4488	CSRSS.EXE
4192	SERVICES.EXE
4892	LSASS.EXE
3612	SMSS.EXE
2376	D3_08.exe
1088	IExplorer.exe
2520	WINLOGON.EXE
3508	D3_08.exe
1756	D3_08.exe
2936	IExplorer.exe
3524	IExplorer.exe
3980	CSRSS.EXE
4480	WINLOGON.EXE
4304	WINLOGON.EXE
1180	CSRSS.EXE
2088	SERVICES.EXE
4364	CSRSS.EXE
3916	D3_08.exe
3788	D3_08.exe
1100	LSASS.EXE
4144	IExplorer.exe
3212	IExplorer.exe
4368	SERVICES.EXE
1084	SERVICES.EXE
1232	SMSS.EXE
4752	WINLOGON.EXE
748	WINLOGON.EXE
1572	LSASS.EXE
2124	LSASS.EXE
3764	CSRSS.EXE
1324	CSRSS.EXE
3148	SMSS.EXE
3100	SMSS.EXE
3460	SERVICES.EXE
3656	SERVICES.EXE
928	LSASS.EXE
1360	LSASS.EXE
408	SMSS.EXE
2608	SMSS.EXE
2240	D3_08.exe
3596	D3_08.exe
2376	IExplorer.exe
2016	IExplorer.exe
4032	WINLOGON.EXE
3476	WINLOGON.EXE
1684	CSRSS.EXE
3892	CSRSS.EXE
4916	SERVICES.EXE
4448	SERVICES.EXE
3124	LSASS.EXE
868	LSASS.EXE
3464	SMSS.EXE
4780	SMSS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 3160	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	83
PID 4436 wrote to memory of 3160	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	83
PID 4436 wrote to memory of 3160	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	83
PID 4436 wrote to memory of 3372	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	84
PID 4436 wrote to memory of 3372	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	84
PID 4436 wrote to memory of 3372	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	84
PID 4436 wrote to memory of 2464	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	85
PID 4436 wrote to memory of 2464	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	85
PID 4436 wrote to memory of 2464	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	85
PID 4436 wrote to memory of 4488	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	87
PID 4436 wrote to memory of 4488	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	87
PID 4436 wrote to memory of 4488	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	87
PID 4436 wrote to memory of 4192	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	88
PID 4436 wrote to memory of 4192	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	88
PID 4436 wrote to memory of 4192	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	88
PID 4436 wrote to memory of 4892	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	89
PID 4436 wrote to memory of 4892	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	89
PID 4436 wrote to memory of 4892	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	89
PID 4436 wrote to memory of 3612	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	90
PID 4436 wrote to memory of 3612	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	90
PID 4436 wrote to memory of 3612	4436	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe	90
PID 3160 wrote to memory of 2376	3160	D3_08.exe	93
PID 3160 wrote to memory of 2376	3160	D3_08.exe	93
PID 3160 wrote to memory of 2376	3160	D3_08.exe	93
PID 3160 wrote to memory of 1088	3160	D3_08.exe	94
PID 3160 wrote to memory of 1088	3160	D3_08.exe	94
PID 3160 wrote to memory of 1088	3160	D3_08.exe	94
PID 3372 wrote to memory of 3508	3372	IExplorer.exe	95
PID 3372 wrote to memory of 3508	3372	IExplorer.exe	95
PID 3372 wrote to memory of 3508	3372	IExplorer.exe	95
PID 3160 wrote to memory of 2520	3160	D3_08.exe	96
PID 3160 wrote to memory of 2520	3160	D3_08.exe	96
PID 3160 wrote to memory of 2520	3160	D3_08.exe	96
PID 2464 wrote to memory of 1756	2464	WINLOGON.EXE	97
PID 2464 wrote to memory of 1756	2464	WINLOGON.EXE	97
PID 2464 wrote to memory of 1756	2464	WINLOGON.EXE	97
PID 3160 wrote to memory of 3980	3160	D3_08.exe	98
PID 3160 wrote to memory of 3980	3160	D3_08.exe	98
PID 3160 wrote to memory of 3980	3160	D3_08.exe	98
PID 3372 wrote to memory of 3524	3372	IExplorer.exe	99
PID 3372 wrote to memory of 3524	3372	IExplorer.exe	99
PID 3372 wrote to memory of 3524	3372	IExplorer.exe	99
PID 2464 wrote to memory of 2936	2464	WINLOGON.EXE	100
PID 2464 wrote to memory of 2936	2464	WINLOGON.EXE	100
PID 2464 wrote to memory of 2936	2464	WINLOGON.EXE	100
PID 2464 wrote to memory of 4480	2464	WINLOGON.EXE	101
PID 2464 wrote to memory of 4480	2464	WINLOGON.EXE	101
PID 2464 wrote to memory of 4480	2464	WINLOGON.EXE	101
PID 3372 wrote to memory of 4304	3372	IExplorer.exe	102
PID 3372 wrote to memory of 4304	3372	IExplorer.exe	102
PID 3372 wrote to memory of 4304	3372	IExplorer.exe	102
PID 3160 wrote to memory of 2088	3160	D3_08.exe	103
PID 3160 wrote to memory of 2088	3160	D3_08.exe	103
PID 3160 wrote to memory of 2088	3160	D3_08.exe	103
PID 2464 wrote to memory of 1180	2464	WINLOGON.EXE	104
PID 2464 wrote to memory of 1180	2464	WINLOGON.EXE	104
PID 2464 wrote to memory of 1180	2464	WINLOGON.EXE	104
PID 3372 wrote to memory of 4364	3372	IExplorer.exe	105
PID 3372 wrote to memory of 4364	3372	IExplorer.exe	105
PID 3372 wrote to memory of 4364	3372	IExplorer.exe	105
PID 4488 wrote to memory of 3788	4488	CSRSS.EXE	106
PID 4488 wrote to memory of 3788	4488	CSRSS.EXE	106
PID 4488 wrote to memory of 3788	4488	CSRSS.EXE	106
PID 4192 wrote to memory of 3916	4192	SERVICES.EXE	107

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	D3_08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	D3_08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SMSS.EXE

C:\Users\Admin\AppData\Local\Temp\3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3a3dbf3bc276338acf2c28dbd8f5a230_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4436
- C:\Windows\D3_08.exe
  C:\Windows\D3_08.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3160
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2376
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1088
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2520
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3980
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2088
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1100
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1232
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3372
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3508
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3524
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4304
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4364
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1084
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2124
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3100
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2464
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1756
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2936
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4480
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1180
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4368
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1572
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3148
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4488
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3788
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3212
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4752
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3764
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3460
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:928
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:408
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4192
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3916
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4144
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:748
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1324
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3656
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1360
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2608
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4892
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3596
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2376
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4032
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1684
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4916
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3124
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3464
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3612
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2240
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2016
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3476
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3892
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4448
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:868
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\D3_08.exe

Filesize
160KB

MD5
9669c6e4d2843d33f1838f6a7169c9db

SHA1
f74921cdd1c3af1a010895c2eeaf1e384baa03e0

SHA256
55b3ceba77964918db0529f78692622591064289c932ad50a5c1c892a00339e8

SHA512
803ff3eefa02d2bb4cbb16951c46df94e36c33fedc0c082be92ee99e508936211b058c6659478c4a78c6e2c39c1d1abebb8c9b014db34cc01ef06e6af595bfcc

Download Submit
C:\D3_08.exe

Filesize
160KB

MD5
02eb2484022d87e1dad0e29e20f1a19c

SHA1
5665c210f01376a3c5f5b1b977dc162b97fd14e9

SHA256
936c16ffe8a1249294bb3bdbe88ff6cb866bc11351401e4b173b09356ad8df1b

SHA512
7ce9e1c32f0ef0af1bf7c5f85df8d7b1a4ab8576850a62d1c9ea7e508e97d18673616dc720aaa706e7e6bc58fb0256ca409e58670303673d74cc7eab3a3f14e6

Download Submit
C:\D3_08.exe

Filesize
160KB

MD5
166e6db5865b6f5fd0513a420b3bd6f8

SHA1
0247742d92d6a08ae620f392435c71fb20ef4e35

SHA256
b5def8ba3f4573bd1dff9a0515dd8b1d698c233ef1c773020a66fce52c07b354

SHA512
3c19fb1d9823078cae62103adff0b56f5b538ab65cb636f829f0580a77480d42de66c2e315532276edd53f0f621b9f2bceed0c593880fad1a7739dde3a36dd13

Download Submit
C:\PuRn4m4.txt

Filesize
441B

MD5
de8b6c4c740b3046924d844032767852

SHA1
256842ccefd03f97013f51ec8bd25f842acec59a

SHA256
c8cfecfb4260f0488e4152cdaaca8854865f0e20d15e9e37cba26f81db38c195

SHA512
a08b0e866da0dbf21dae68deccd826e0a376695088c27fcddea444d01a8ca0f5cf01d282b9f2d9a4183e2503f7d2d7c850c722bd7976050b79c56feb70c6de29

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
160KB

MD5
0275418e7dca392440d49d2af5ca2aed

SHA1
01ca4301f7d7d73ae6a66765d90d82f056e686e5

SHA256
d9dc89e4f71df25e05dfe4d677d093f0b215b7aa4c71e51fb4d88a81e541b7aa

SHA512
44277e28d2ceb888b50bff6de11c863564b40c5c7f7aab3e48b61596c326f092df967ad8b547dd5d7f27e8d28ae6376140e071911b2f7f75acc96ce7ecb7732b

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
160KB

MD5
d9e7d1927aef487246933982a5654617

SHA1
ebb54d5e845c5ddc1732e0f49320bd5ed7f9591e

SHA256
f42c99ccdd9f0318946b5dcc79232ad20b304389d6f7c8a5b2924631d39d684a

SHA512
ef324adf20b0d21be034332aa82060e954eb427d52addd106bdf4d4f01933163c516e0889fb84b6e5b1c24df71958db7d02a800bd035c91e67d61ed7e493650e

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
160KB

MD5
8f49220844c83e577761fcb388be0e8b

SHA1
7cd4a04b505087ca5e3f7b07a817422f9b60b45b

SHA256
099efe35f1418f7d85a30624eccbf6e8b82daf3b7a2e5d36362d0340bd19a757

SHA512
025fddb8b0a88f2a8e1cf6f081a72ff4dc68f640a1e3a555b7882376b99afadd76fcdeac6e0b36b83c38a0a35c694e37e9afb3bfdc965b4ad5f3c518fefe6ee8

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
160KB

MD5
ba417a39345e3528634968d355c8265c

SHA1
2a7b2911a9bb176b74a6d77c781ec136fab0a159

SHA256
1f6bab3a36acf396d9e871141546b92e7d02005c74f6d8f55a4129af3187b1fc

SHA512
fb846d5a788050b3b70a601b9e03d2887da1528c085a4515cf78b94950ea99b76659e0e57d0aacfcd5c6855f9f474db181580fd83f81ad799f007468ed1e8351

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
160KB

MD5
3a3dbf3bc276338acf2c28dbd8f5a230

SHA1
a9c8774519387fb01b2a324893f3b1fe93a6877a

SHA256
e3b1930fd53b2fa4105f98e5e47561ba6882ccf6c6ba82d5c817b0c790ed71fc

SHA512
77f475425b0715393d5820ede908189f799ebb25d96e66bc2a17628f38ccad17311a969e221b8eba5918b03ee3673f93548b222de0eb3383123fadc981671785

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
160KB

MD5
fec4f635a26fefaaeb5fa3c5dc5aa106

SHA1
11dc861505c5453b05e9d2e2cbd810ee298c3824

SHA256
1c50c03ea89fec0b7ffc1a01d761daa625ce9b09cd95ff39eeef4068999cc956

SHA512
4170ffab7172c4a1da9bbc213bf82961684ed4b904ed7d2158cfb0a21ed5a9c304b94ddde9d0294d1a5a9fe2e9f78b0be62bd6edafb6fb53d81ab847764460de

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
160KB

MD5
77aaa728f0bfca936a55c056adca4d6d

SHA1
4c6865974bc19e3841bb69de6cccd7cf1eb1247c

SHA256
eae0ce41ff4d8120a37c4d2be8fba1d3bb14027a1825b3080a0dd5d6d1ac61b4

SHA512
aec494a0de24a137e54e38789f44c78af88324b0040e31d65d858099ba0b2cb054918f79ab7e2bb90d1cde4ca08230463a91d0d9f7ca654aa70a62d408921b5e

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
160KB

MD5
95b9ebb6f1e494af4797e430cdf101b7

SHA1
2cf73e5a16679d3519482935bec26b2b7d43285e

SHA256
df2abe1934d256c1a9945cf34424764a627224d35970c03f7442247a2a81f4db

SHA512
b3f768e1e22749668662260f97012db1f36cf882364ce4b8140e8d432ecae77e99646146b68a206ca69b9a40d15bb09027785201881ad78213b3d1403719f081

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
160KB

MD5
1b34c4df063dae5a07c783eb037598a4

SHA1
67eacb62158c6d48c00ebedc932a01aa3ac4252e

SHA256
467b9717b112cf321702b806885a57e06a20f34d2b3149b2be168bb293a74198

SHA512
bc20eeb4775590ef5f4b05b0dfb56ccdb2c6a7f72b9d6354db62b7aed6acd3f10f496a0e6f280d3306813a8da09a0ef0ede43229ed5773b6ef044c418a5e6745

Download Submit
C:\Windows\D3_08.exe

Filesize
160KB

MD5
9e74ffdad465d63124c6689371cbce89

SHA1
9f15cc483b2d3d6da55f2e4fb66ccf3480c9a35a

SHA256
5b5b43684249c72150f61449014e84b396e18ada8d03fa9492a7a196809785a8

SHA512
700b34bb1302c58012fd04518937f572e059509de24592d42da2b58b6e9005731dfd03f9ce6e64e2f0559f4a5dee66cc230617f14240c0c25b524aaa9e78c07a

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
160KB

MD5
23816b32f16e668b9286d90d2f410557

SHA1
9756777aaf4a60d4c90b53771306b4b1d8ff9274

SHA256
280d65f55b9f138e2371348f4610372fcfc38842430de62f1b76915d36a7862e

SHA512
1bc568e1eed834ddb357008ce5d6dc138106c0bf984a7c25c120cc49cd1818c7ecffde66fd0d92ab0e9fc9455c5986dd19b0d257a555d6d5e72b5d9dd1346015

Download Submit
C:\Windows\SysWOW64\MrD3_08.scr

Filesize
160KB

MD5
4413bd34e67531ed79070752ca52d07e

SHA1
68cbad7722137d55ef2f24723d9ca373164fbd89

SHA256
7461c76ff3700e8db5ef7039081ac42ef29a8c8eea7c479926c4e63f889a52b3

SHA512
009960f36752117ba4b3e9aaa5ae2633b89237a3128a6f7e2068f8d7029e17bb7667aaac256f5d4b63f7e6e36f1177d5e2ae21c72d1def68756a3488b00592f9

Download Submit
C:\Windows\SysWOW64\MrD3_08.scr

Filesize
160KB

MD5
88bd4e17596db55f2363947da7c28e86

SHA1
f9e0177498409d362409ce3916286346e7253e01

SHA256
c86d46ee00d8604503799d5bba6e25232626b59a09ca0b8b3e2eae5b0b8d5ba2

SHA512
027a0e53fc7ee7231919ed2317f340f6e4c2f2665e6bcc5ef544495a1b475ecf2c9eec620c5d07bf1dbf974607c64beb29394854d7261f853d1b6998c3db6fd2

Download Submit
C:\Windows\SysWOW64\MrD3_08.scr

Filesize
160KB

MD5
415226e9ce85c0a5a4799462abc6cb8f

SHA1
b6e370066200590461dd40225bbfc62e4f05eb17

SHA256
7c00b6595a875912fbe7b8557b0ce8fff0bff6ab74e92e87b144325835b4aec7

SHA512
0f88e0956c0b28a31fa84b296275666be0ad3e540f77f8ecb2515dacf61c8c11de0e319c472a6b0bc17e03c15362a7948fccc9248532b374b0f6b7c9778c8492

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
160KB

MD5
6d1819fd51d6027cba5175e3bab3c52e

SHA1
a5abd6c720321b06bf22df476d9c939ae8ccbab8

SHA256
3c192d20554ba6f38b228e1c38fbcfaa318a7c3157043dac9c1d3a9e4de6b454

SHA512
a9b30601635f40604ce34ffa4588ae4ae6c76ab9053685ddba8df54ada0196d1d4be25d5e03749716191c608c5401b31b35b2cea40a1c9a4e364f6c1d2bb8ee9

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
160KB

MD5
67517d115dd06efb91a9d078451feba0

SHA1
071e0dca49b29d1a8653b4b6556226260717edd2

SHA256
013994209e1f8fdb1f788c94bb847f6acfc4b640ba1e67b543326691ad17d222

SHA512
2485a43bef262901fda98eed59227814bfab43af8a9ee49925f66e159a6eabaaa3ce78387db28e2740c1e6445daed30649e398feb2baf245acb228331dee7a6d

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
160KB

MD5
1e816a10932b538102568d5c4e2865fc

SHA1
83aa4779d91d79ca861d94a69e40f19302ae89a5

SHA256
76bee2ca1868edcc2a1cb7942793a4c1226065b9ae2a1073cd79253bf7089667

SHA512
79cdca391fb1aaa2f595bfc392bace2dd65500b00de1b3d0b8f031028b5513a64d24bc7b30812d83f6c5bfb23d3cd4811fb8f01e0d5ba47234670affa0d8a6e3

Download Submit
C:\desktop.ini

Filesize
220B

MD5
12c667215c5b787494a4f6a187045451

SHA1
01f15935e141cd40a5dc0a770b838de0ad08e592

SHA256
a30c401291ad7956c20a1d70c2a58427933f9678864e58a81a5cd6bb0f0bb5cb

SHA512
b4da423404289b884d56b7d50a1a9eae8c928b2bd5ca3f9fbf35ff03d0120b1510bb0730c2ee38d1db2b70843e3ff4ad0a2a1241bdf93208f13b2a862ff54342

Download Submit