Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 09:18
Behavioral task: behavioral1
Sample: 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe
Size: 447KB
MD5: 2e6ebe92ab8f6419d7f19390f0239a10
SHA1: ed5ce71ae8ae88a1557b20397db02a5682e70dd8
SHA256: 474e11fcc707d3afabf2fa75bd0a57a7e2f08d29a3c3b83bcc8d3c0d8054fc50
SHA512: 6df14a6564e686a87b95beac34f9d50598bc925a39e1590eb752771694f5fd13680dbfde7e32ca7235aae48b7514afc1f400c5b18ad388dbc177ec05f4e2c227
SSDEEP: 6144:DP+PtrmEs7eVyYr9AmEcmI5qpYDb1MV+w1ILKcVzjol2:DP+Pt9sKVyY3EcmIopMbv1Ochb
Malware Config
Signatures
Drops file in Drivers directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | AE 0124 BE.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
2940 | winlogon.exe
2836 | AE 0124 BE.exe
2252 | winlogon.exe
4648 | winlogon.exe
Loads dropped DLL 3 IoCs
pid | Process
2836 | AE 0124 BE.exe
2252 | winlogon.exe
4648 | winlogon.exe
resource | yara_rule
behavioral2/memory/1160-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/files/0x00070000000233f3-18.dat | upx
behavioral2/memory/1160-59-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2252-81-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4648-88-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2940-447-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2836-448-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/2836-467-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Drops desktop.ini file(s) 57 IoCs
description ioc Process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Fonts\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini AE 0124 BE.exe File opened for modification 
C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Downloaded Program Files\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Media\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini AE 0124 BE.exe File opened for modification 
C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini AE 0124 BE.exe File opened 
for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Web\Wallpaper\Theme1\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Web\Wallpaper\Theme2\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\Offline Web Pages\desktop.ini AE 0124 BE.exe File opened for modification 
C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini AE 0124 BE.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
Drops autorun.inf file 1 TTPs 26 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | F:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf | AE 0124 BE.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\odbc32.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\WPDSp.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\downlevel\api-ms-win-core-datetime-l1-1-0.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\ja-JP\wvpci.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\en-US\tasklist.exe.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\es-ES\Startupscan.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_PrinterDriver_v1.0.cdxml AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VSP-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.207.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecConfig-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\rtwlane_13.sys AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\wstorvsc.inf_amd64_50cb8ebb1c9584af\storvsc.sys AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\en-US\occache.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-HypervisorPlatform-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\downlevel\api-ms-win-service-private-l1-1-0.dll AE 0124 BE.exe File opened for 
modification C:\Windows\SysWOW64\wbem\Win32_Tpm.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\schedcli.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingReceiver-Media-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA364xp_ssku_DE_0524.bin AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\en\AuthFWWizFwk.Resources.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\en-US\srmshell.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.928.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~en-US~10.0.19041.1266.cat AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\fr-FR\Windows.ApplicationModel.Store.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\Keywords\ti_dnn_fast_de-DE.table AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\regsvr32.exe AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-RDP4VS-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsExt-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RemoteDesktopServices-Base-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat AE 0124 BE.exe File opened for 
modification C:\Windows\SysWOW64\wimgapi.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-Premium-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\c_holographic.inf_amd64_6ab9629b23deb837\c_holographic.inf AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\LE_CTL_ar6320_3p0_NFA344a_highTX_D.bin AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\iasacct.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Storage-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-PowerShell-Module-HyperV-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PAW-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\ja-JP\c_fsquotamgmt.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\es-ES\dtsh.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VSP-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\en-US\prnms007.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\fr-FR\MSFT_ScriptResourceStrings.psd1 AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\dmprocessxmlfiltered.dll AE 0124 BE.exe File opened for 
modification C:\Windows\SysWOW64\wincredui.dll AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824 AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmbw561.inf_amd64_0406b31e81bea0d1\mdmbw561.inf AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\it-IT\wGenCounter.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\migration\commig.dll AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\clip.exe AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\KBDARMW.DLL AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-ServerCommon-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\it-IT\TSGenericUSBDriver.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\es-ES\listsvc.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\it-IT\scrptadm.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1 AE 0124 BE.exe File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WPD-UltimatePortableDeviceFeature-Feature-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\fr-FR\ActionCenter.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\sppui\phone.inf AE 0124 BE.exe File opened for modification 
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCacheStatus.cdxml AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SecureBoot\de-DE AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\de-DE\InkObjCore.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\cmbatt.inf_amd64_554d46f6008bc631\CmBatt.sys AE 0124 BE.exe File opened for modification C:\Windows\SysWOW64\Speech\Common\es-ES AE 0124 BE.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-AppServerClient-OptGroup-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.mum AE 0124 BE.exe File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-64.png AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..sumercore.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_22073328270f03e3\pdh.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_en-us_772f0f365eca5ecb\memtest.exe.mui AE 0124 BE.exe File opened for modification C:\Windows\servicing\Packages\HyperV-Storage-VirtualDevice-FibreChannel-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_mdmvv.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_4936f51683c40d90\mdmvv.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\SplashScreen.scale-400.png AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-r..component.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_44a3afab1196c3c8.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_bitlocker_it-it_27c6ddc910a3f728.cdf-ms AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_nulhprs8.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_73348c1663fd8d7f.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..compressionbinaries_31bf3856ad364e35_10.0.19041.1_none_5fc38565355f0ba8 AE 0124 BE.exe File opened for modification 
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not preserved in the report extraction] vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
-
Modifies registry class 4 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
4332 msiexec.exe
4332 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process
Token: SeShutdownPrivilege 3428 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3428 msiexec.exe
Token: SeSecurityPrivilege 4332 msiexec.exe
Token: SeCreateTokenPrivilege 3428 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3428 msiexec.exe
Token: SeLockMemoryPrivilege 3428 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3428 msiexec.exe
Token: SeMachineAccountPrivilege 3428 msiexec.exe
Token: SeTcbPrivilege 3428 msiexec.exe
Token: SeSecurityPrivilege 3428 msiexec.exe
Token: SeTakeOwnershipPrivilege 3428 msiexec.exe
Token: SeLoadDriverPrivilege 3428 msiexec.exe
Token: SeSystemProfilePrivilege 3428 msiexec.exe
Token: SeSystemtimePrivilege 3428 msiexec.exe
Token: SeProfSingleProcessPrivilege 3428 msiexec.exe
Token: SeIncBasePriorityPrivilege 3428 msiexec.exe
Token: SeCreatePagefilePrivilege 3428 msiexec.exe
Token: SeCreatePermanentPrivilege 3428 msiexec.exe
Token: SeBackupPrivilege 3428 msiexec.exe
Token: SeRestorePrivilege 3428 msiexec.exe
Token: SeShutdownPrivilege 3428 msiexec.exe
Token: SeDebugPrivilege 3428 msiexec.exe
Token: SeAuditPrivilege 3428 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3428 msiexec.exe
Token: SeChangeNotifyPrivilege 3428 msiexec.exe
Token: SeRemoteShutdownPrivilege 3428 msiexec.exe
Token: SeUndockPrivilege 3428 msiexec.exe
Token: SeSyncAgentPrivilege 3428 msiexec.exe
Token: SeEnableDelegationPrivilege 3428 msiexec.exe
Token: SeManageVolumePrivilege 3428 msiexec.exe
Token: SeImpersonatePrivilege 3428 msiexec.exe
Token: SeCreateGlobalPrivilege 3428 msiexec.exe
Token: SeBackupPrivilege 2480 vssvc.exe
Token: SeRestorePrivilege 2480 vssvc.exe
Token: SeAuditPrivilege 2480 vssvc.exe
Token: SeBackupPrivilege 4332 msiexec.exe
Token: SeRestorePrivilege 4332 msiexec.exe
Token: SeRestorePrivilege 4332 msiexec.exe
Token: SeTakeOwnershipPrivilege 4332 msiexec.exe
Token: SeRestorePrivilege 4332 msiexec.exe
Token: SeTakeOwnershipPrivilege 4332 msiexec.exe
Token: SeBackupPrivilege 2932 srtasks.exe
Token: SeRestorePrivilege 2932 srtasks.exe
Token: SeSecurityPrivilege 2932 srtasks.exe
Token: SeTakeOwnershipPrivilege 2932 srtasks.exe
Token: SeBackupPrivilege 2932 srtasks.exe
Token: SeRestorePrivilege 2932 srtasks.exe
Token: SeSecurityPrivilege 2932 srtasks.exe
Token: SeTakeOwnershipPrivilege 2932 srtasks.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
3428 msiexec.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
1160 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe
2940 winlogon.exe
2836 AE 0124 BE.exe
2252 winlogon.exe
4648 winlogon.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 1160 wrote to memory of 3428 1160 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe 82
PID 1160 wrote to memory of 3428 1160 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe 82
PID 1160 wrote to memory of 3428 1160 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe 82
PID 1160 wrote to memory of 2940 1160 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe 84
PID 1160 wrote to memory of 2940 1160 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe 84
PID 1160 wrote to memory of 2940 1160 2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe 84
PID 2940 wrote to memory of 2836 2940 winlogon.exe 86
PID 2940 wrote to memory of 2836 2940 winlogon.exe 86
PID 2940 wrote to memory of 2836 2940 winlogon.exe 86
PID 2940 wrote to memory of 2252 2940 winlogon.exe 87
PID 2940 wrote to memory of 2252 2940 winlogon.exe 87
PID 2940 wrote to memory of 2252 2940 winlogon.exe 87
PID 2836 wrote to memory of 4648 2836 AE 0124 BE.exe 89
PID 2836 wrote to memory of 4648 2836 AE 0124 BE.exe 89
PID 2836 wrote to memory of 4648 2836 AE 0124 BE.exe 89
PID 4332 wrote to memory of 2932 4332 msiexec.exe 95
PID 4332 wrote to memory of 2932 4332 msiexec.exe 95
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe  "C:\Users\Admin\AppData\Local\Temp\2e6ebe92ab8f6419d7f19390f0239a10_NeikiAnalytics.exe"  1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\msiexec.exe  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"  2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3428
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe  "C:\Windows\System32\drivers\winlogon.exe"  2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Drops autorun.inf file
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\AE 0124 BE.exe  "C:\Windows\AE 0124 BE.exe"  3⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\drivers\winlogon.exe  "C:\Windows\System32\drivers\winlogon.exe"  4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4648
-
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe  "C:\Windows\System32\drivers\winlogon.exe"  3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2252
-
-
-
C:\Windows\system32\msiexec.exe  C:\Windows\system32\msiexec.exe /V  1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\system32\srtasks.exe  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2  2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe  1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2480
Network
MITRE ATT&CK Enterprise v15
Downloads