0fe65dea9cdea27b8c8034b3e838066b4fb4018184056a86bd6ac6d6568ee5a4

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Size

91KB
MD5

5318cf06e2b6faf72ff60333e5adcb50
SHA1

f57a55971aa98f6d7d8f83dbefe1ab294d7f2ea3
SHA256

0fe65dea9cdea27b8c8034b3e838066b4fb4018184056a86bd6ac6d6568ee5a4
SHA512

886dadff86985662f5b0676a2e522e185d64aaaa310998762e7a05a3e8358816dc3a4eb7f8f72c9988a1e2b30fee1f840b7030eecc4ecd0f4cf2c56149b948a1
SSDEEP

1536:ERsjdf1aM67v32Z9x5nouy8VT2Rsjdf1aM67v32Z9x5nouy8VTU:EOaHv3YpoutN2OaHv3YpoutNU

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1852	xk.exe
2860	IExplorer.exe
1036	WINLOGON.EXE
1956	CSRSS.EXE
1768	SERVICES.EXE
1452	LSASS.EXE
1564	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2140-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000700000001538e-8.dat	upx
behavioral1/files/0x0008000000015b63-109.dat	upx
behavioral1/memory/1852-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015f54-115.dat	upx
behavioral1/memory/1852-117-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2860-124-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000160f3-127.dat	upx
behavioral1/memory/2860-135-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1036-137-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1956-149-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1036-148-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016133-147.dat	upx
behavioral1/files/0x00060000000162cc-152.dat	upx
behavioral1/memory/1956-159-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1768-171-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016448-170.dat	upx
behavioral1/memory/1452-174-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016572-175.dat	upx
behavioral1/memory/1452-177-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2140-178-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1564-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2140-189-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Mig2.scr	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
File created	C:\Windows\xk.exe	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
1852	xk.exe
2860	IExplorer.exe
1036	WINLOGON.EXE
1956	CSRSS.EXE
1768	SERVICES.EXE
1452	LSASS.EXE
1564	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1852	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 1852	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 1852	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 1852	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 2860	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 2860	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 2860	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 2860	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	29
PID 2140 wrote to memory of 1036	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	30
PID 2140 wrote to memory of 1036	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	30
PID 2140 wrote to memory of 1036	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	30
PID 2140 wrote to memory of 1036	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	30
PID 2140 wrote to memory of 1956	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	31
PID 2140 wrote to memory of 1956	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	31
PID 2140 wrote to memory of 1956	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	31
PID 2140 wrote to memory of 1956	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	31
PID 2140 wrote to memory of 1768	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	32
PID 2140 wrote to memory of 1768	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	32
PID 2140 wrote to memory of 1768	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	32
PID 2140 wrote to memory of 1768	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	32
PID 2140 wrote to memory of 1452	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	33
PID 2140 wrote to memory of 1452	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	33
PID 2140 wrote to memory of 1452	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	33
PID 2140 wrote to memory of 1452	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	33
PID 2140 wrote to memory of 1564	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	34
PID 2140 wrote to memory of 1564	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	34
PID 2140 wrote to memory of 1564	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	34
PID 2140 wrote to memory of 1564	2140	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5318cf06e2b6faf72ff60333e5adcb50_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2140
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1852
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2860
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1036
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1956
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1768
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1452
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
3aa98a67fd8bb5e2aa93bbde3d850622

SHA1
53faf2a928f97fc930d2d570f632b6ed4bfd6408

SHA256
290453a5683b9bbfb9c7ee2c165a8f755e126c57a99877f14cba59448badd59b

SHA512
6d2d17ab3f49d9166ce13079fffc61278cb78ccbbd146236d974aa195509d1b1de599c6135ed3d06aff0d8a4fb7aae269d527549aa9578f726da91541edd2c6c

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
2b22654f0b265ee7187fc6cc0703dd4c

SHA1
b499b5871694e3e900ad35cff9154020517802fc

SHA256
a61b66a467a1737743c84395a8e99f434479e39c0e7b4669a316c0cb87d65fb3

SHA512
e7d7ca3eca53a9973eda5504d5dff104ae0a8a06784f9a7010bc94267474ebd4a511b9c5c9f821bb92cf683273fef7015bc43d0696805855d3011ab713c9c581

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
5318cf06e2b6faf72ff60333e5adcb50

SHA1
f57a55971aa98f6d7d8f83dbefe1ab294d7f2ea3

SHA256
0fe65dea9cdea27b8c8034b3e838066b4fb4018184056a86bd6ac6d6568ee5a4

SHA512
886dadff86985662f5b0676a2e522e185d64aaaa310998762e7a05a3e8358816dc3a4eb7f8f72c9988a1e2b30fee1f840b7030eecc4ecd0f4cf2c56149b948a1

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
31ac494c83cac68577ce5b9d97c73908

SHA1
c656de271eb4310713ae3c3e7c49a6d03be1fad0

SHA256
3f074c733f882afaa4e85192f6cb4c9df740706b7c5de2a32bcc6161b624bb42

SHA512
1761b7ec9113b706424839933bc750e9368649b15f234ea74b7ed1d031134fc7d7de9fdf3db5b400a19e1b5d14660bbf7fd76a805f03bbfe88ee38113d8fd70c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
4d795334d1139244da6a150367aa21e9

SHA1
c2382607eeff485b2cd0c1c87cd42736d5cd9e56

SHA256
d0341f6a5a9e8f2eafed68dc58e6fd54c087cb0571019b67b00809c749b3ddef

SHA512
72a28b1a8dba772c17dff1f53e2f932d0b2110abba036ff8530a972259ae1468eb7d1ab22d5345d30b666123128fb9b937a62eab3df1d292bbaf39aac2b72f52

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
6a516adfb53c5e2c7ee2942b11139699

SHA1
46aabddd35c151224339e8ee15f40fe58088a6c8

SHA256
fb648dc02f04436396c94e4e1317bcf8e2bc975421e433528f8dbdd085a3855c

SHA512
8f35eb99959cd9570fe950c32b52041ffdfaec4888b9ebb859cb3ea0548bda2986d7b1daa48a3dd9f41bff468e65cdf7933876e722599f730bc18b03645f6725

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
d6baefe66ef26cfaf38c3f186196ec6e

SHA1
86a3dfd7625cf7cfc974718086aa7e827d61bb33

SHA256
a139e18606388e240bc4b8df8e0e7d5102d85a34acdf67d9d457154373c0aa91

SHA512
61910e27adfba6b7b7a8dd3ce6afec08abdc61a7700cf1b25c6e1267a22255fb6724b819cad5bb76ff7c49109ac5cdecec49533815b02dede94c006abccbcae0

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
594d60336845b90739513e3998aa8598

SHA1
4c176c983b4e4d8b2dc21fd8d4abdbe00d4005fb

SHA256
18f161bcd5728d34b071bfd2c203b8bb498d7ec16b44c1d3f55f93000b87df39

SHA512
492d2e1f29a4008acc6b1201cde84c81c41433cbb2b71ed2bf4a034f70d47e704a0047f046919b8b6786f475a49ea8a58f26a2b78c203315118278b55c601922

Download Submit
memory/1036-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-110-0x00000000026D0000-0x00000000026FF000-memory.dmp

Filesize
188KB

Download
memory/2140-111-0x00000000026D0000-0x00000000026FF000-memory.dmp

Filesize
188KB

Download
memory/2140-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-133-0x00000000026D0000-0x00000000026FF000-memory.dmp

Filesize
188KB

Download
memory/2140-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download