lucastealer | 916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-06-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe
Size

4.6MB
MD5

07bda3ceff510882df3327d40941aed0
SHA1

8883b99eb53e69dea6ca11a958865846aa1714a8
SHA256

916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c
SHA512

803bc046a5de28dcca0660f81adec585c49a46a2ae837c45d495c39805c5a313bce6d51a76f1db46df6d4715488221c0fb18a9aab2e76833faf42f3b9e19d9b3
SSDEEP

98304:z0trbTA1UjXLW6jRhdGVQguhhW31ZYit7nW:zac1UjL5LdGVzu+lHW

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 11 IoCs

Processes:

916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeGPZJGM.exeTBPAQT.exegpzjgm.exe icsys.icn.exeexplorer.exe

pid	process
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2596	icsys.icn.exe
2808	explorer.exe
2564	spoolsv.exe
1748	svchost.exe
2420	spoolsv.exe
1608	GPZJGM.exe
884	TBPAQT.exe
2628	gpzjgm.exe
2432	icsys.icn.exe
1092	explorer.exe

Loads dropped DLL 25 IoCs

Processes:

916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe TBPAQT.exeGPZJGM.exeicsys.icn.exe

pid	process
2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe
2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe
2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe
2596	icsys.icn.exe
2596	icsys.icn.exe
2808	explorer.exe
2808	explorer.exe
2564	spoolsv.exe
2564	spoolsv.exe
1748	svchost.exe
1748	svchost.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
884	TBPAQT.exe
1608	GPZJGM.exe
1608	GPZJGM.exe
1608	GPZJGM.exe
1608	GPZJGM.exe
2432	icsys.icn.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skyp\\Microsoft Update.lnk"	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe	autoit_exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exesvchost.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe icsys.icn.exeexplorer.exesvchost.exe

pid	process
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2596	icsys.icn.exe
2808	explorer.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
2808	explorer.exe
2808	explorer.exe
2808	explorer.exe
1748	svchost.exe
1748	svchost.exe
1748	svchost.exe
2808	explorer.exe
2808	explorer.exe
1748	svchost.exe
1748	svchost.exe
2808	explorer.exe
2808	explorer.exe
1748	svchost.exe
1748	svchost.exe
2808	explorer.exe
2808	explorer.exe
1748	svchost.exe
1748	svchost.exe
2808	explorer.exe
2808	explorer.exe
1748	svchost.exe
1748	svchost.exe
2808	explorer.exe
2808	explorer.exe
1748	svchost.exe
1748	svchost.exe
2808	explorer.exe
2808	explorer.exe
1748	svchost.exe
1748	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2808 explorer.exe
1748 svchost.exe

pid	process
2808	explorer.exe
1748	svchost.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeGPZJGM.exeicsys.icn.exeexplorer.exe

pid	process
2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe
2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe
2596	icsys.icn.exe
2596	icsys.icn.exe
2808	explorer.exe
2808	explorer.exe
2564	spoolsv.exe
2564	spoolsv.exe
1748	svchost.exe
1748	svchost.exe
2420	spoolsv.exe
2420	spoolsv.exe
2808	explorer.exe
2808	explorer.exe
1608	GPZJGM.exe
1608	GPZJGM.exe
2432	icsys.icn.exe
2432	icsys.icn.exe
1092	explorer.exe
1092	explorer.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

description	pid	process	target process
PID 2076 wrote to memory of 2188	2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
PID 2076 wrote to memory of 2188	2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
PID 2076 wrote to memory of 2188	2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
PID 2076 wrote to memory of 2188	2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
PID 2076 wrote to memory of 2596	2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe	icsys.icn.exe
PID 2076 wrote to memory of 2596	2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe	icsys.icn.exe
PID 2076 wrote to memory of 2596	2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe	icsys.icn.exe
PID 2076 wrote to memory of 2596	2076	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe	icsys.icn.exe
PID 2596 wrote to memory of 2808	2596	icsys.icn.exe	explorer.exe
PID 2596 wrote to memory of 2808	2596	icsys.icn.exe	explorer.exe
PID 2596 wrote to memory of 2808	2596	icsys.icn.exe	explorer.exe
PID 2596 wrote to memory of 2808	2596	icsys.icn.exe	explorer.exe
PID 2808 wrote to memory of 2564	2808	explorer.exe	spoolsv.exe
PID 2808 wrote to memory of 2564	2808	explorer.exe	spoolsv.exe
PID 2808 wrote to memory of 2564	2808	explorer.exe	spoolsv.exe
PID 2808 wrote to memory of 2564	2808	explorer.exe	spoolsv.exe
PID 2564 wrote to memory of 1748	2564	spoolsv.exe	svchost.exe
PID 2564 wrote to memory of 1748	2564	spoolsv.exe	svchost.exe
PID 2564 wrote to memory of 1748	2564	spoolsv.exe	svchost.exe
PID 2564 wrote to memory of 1748	2564	spoolsv.exe	svchost.exe
PID 1748 wrote to memory of 2420	1748	svchost.exe	spoolsv.exe
PID 1748 wrote to memory of 2420	1748	svchost.exe	spoolsv.exe
PID 1748 wrote to memory of 2420	1748	svchost.exe	spoolsv.exe
PID 1748 wrote to memory of 2420	1748	svchost.exe	spoolsv.exe
PID 2188 wrote to memory of 1608	2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe	GPZJGM.exe
PID 2188 wrote to memory of 1608	2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe	GPZJGM.exe
PID 2188 wrote to memory of 1608	2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe	GPZJGM.exe
PID 2188 wrote to memory of 1608	2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe	GPZJGM.exe
PID 2188 wrote to memory of 884	2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe	TBPAQT.exe
PID 2188 wrote to memory of 884	2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe	TBPAQT.exe
PID 2188 wrote to memory of 884	2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe	TBPAQT.exe
PID 2188 wrote to memory of 884	2188	916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe	TBPAQT.exe
PID 1748 wrote to memory of 2284	1748	svchost.exe	at.exe
PID 1748 wrote to memory of 2284	1748	svchost.exe	at.exe
PID 1748 wrote to memory of 2284	1748	svchost.exe	at.exe
PID 1748 wrote to memory of 2284	1748	svchost.exe	at.exe
PID 1608 wrote to memory of 2628	1608	GPZJGM.exe	gpzjgm.exe
PID 1608 wrote to memory of 2628	1608	GPZJGM.exe	gpzjgm.exe
PID 1608 wrote to memory of 2628	1608	GPZJGM.exe	gpzjgm.exe
PID 1608 wrote to memory of 2628	1608	GPZJGM.exe	gpzjgm.exe
PID 1608 wrote to memory of 2432	1608	GPZJGM.exe	icsys.icn.exe
PID 1608 wrote to memory of 2432	1608	GPZJGM.exe	icsys.icn.exe
PID 1608 wrote to memory of 2432	1608	GPZJGM.exe	icsys.icn.exe
PID 1608 wrote to memory of 2432	1608	GPZJGM.exe	icsys.icn.exe
PID 2432 wrote to memory of 1092	2432	icsys.icn.exe	explorer.exe
PID 2432 wrote to memory of 1092	2432	icsys.icn.exe	explorer.exe
PID 2432 wrote to memory of 1092	2432	icsys.icn.exe	explorer.exe
PID 2432 wrote to memory of 1092	2432	icsys.icn.exe	explorer.exe
PID 1748 wrote to memory of 2964	1748	svchost.exe	at.exe
PID 1748 wrote to memory of 2964	1748	svchost.exe	at.exe
PID 1748 wrote to memory of 2964	1748	svchost.exe	at.exe
PID 1748 wrote to memory of 2964	1748	svchost.exe	at.exe
PID 1748 wrote to memory of 2276	1748	svchost.exe	at.exe
PID 1748 wrote to memory of 2276	1748	svchost.exe	at.exe
PID 1748 wrote to memory of 2276	1748	svchost.exe	at.exe
PID 1748 wrote to memory of 2276	1748	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076
- \??\c:\users\admin\appdata\local\temp\916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
  c:\users\admin\appdata\local\temp\916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\GPZJGM.exe
    "C:\Users\Admin\AppData\Local\Temp\GPZJGM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - \??\c:\users\admin\appdata\local\temp\gpzjgm.exe
      c:\users\admin\appdata\local\temp\gpzjgm.exe
      4⤵
      Executes dropped EXE
      PID:2628
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2432
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1092
- - C:\Users\Admin\AppData\Local\Temp\TBPAQT.exe
    "C:\Users\Admin\AppData\Local\Temp\TBPAQT.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:884
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2564
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2420
      - C:\Windows\SysWOW64\at.exe
        
        at 10:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2284
      - C:\Windows\SysWOW64\at.exe
        
        at 10:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2964
      - C:\Windows\SysWOW64\at.exe
        
        at 10:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TBPAQT.exe

Filesize
63KB

MD5
07ca9ef8ca62bdfdcb8bd9b966d60bf2

SHA1
54bbb2bfd527ec503e66fe0db1c99a568c0240e8

SHA256
124a96831880a7f4ec1c70705466b9a48723ca387f7abc12f0d28d28a18edf20

SHA512
d0f0b0d5c01c0dcbc8458e509348f7e7969b87bd6261242e3488d9fef61f7e335f1fdcc9eb4bc777045202b6ebb5fa231fc39575f3da81163f82290e20b47e85

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
b78b5638d0cf73afa5c869c5ca991501

SHA1
f3b1f9ec88d90dd73815e452b1ef22642f1d0db3

SHA256
b750df7fc7f54f51a4d804cb152b4b31248c2e55d2e5cf2bfa78434b508b78c2

SHA512
66836d0fed19d3eaa220b016169f67774fa855f93fb0f14758be7fe3a00c9f373e563cf435821f492c2db1c7edaf6c322c6ba2c64bf8d4b7794550789ba9c9a7

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
3d26fb405f68f94fa12dd7cae188c554

SHA1
9697dd979f4caa142e7c1313286cf9069f1c9010

SHA256
89302d01a438bfc7f6102294004f8df2208fe0d7ce96d0c1e02e9acbea95cb49

SHA512
605bced72b28c3bb166aef06957457505ac51bd9a47692863cdab30bc1ba26ea207fa4b05ae8062c81ea0e1b5aacf87d3a01ba93795711f03206d41ae4d8f8c6

Download Submit
\??\PIPE\atsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\916b9fb0ab4159e30b8da7485c1d6f8a8ee228f29b853348fb87ccad1e5a865c_neikianalytics.exe

Filesize
4.4MB

MD5
148f58e5483475a8b2ab82baa3bf5688

SHA1
ef3742d4c9b4c4523824c24aa38868cabcf738be

SHA256
c322e74c1a9b98c99cbb7d7022aa67d9de388caec49e498a3465b905cbe26f01

SHA512
3d5d9e6cf10bf21396206401eec7245ec2d35a86b64bc47faca9d83b0acb2c56695b51cfbd3607c3723c51dde14ee8d6b521948b7a8bc95263ddda4aabef4b73

Download Submit
\Users\Admin\AppData\Local\Temp\GPZJGM.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
57KB

MD5
2fcac0a53e9aaffa146e751f8a1e1ae4

SHA1
cc074e73c8b50cf1973185188ed2c1ca630f01a3

SHA256
62dca27bfcf3cfab9fe834ca78278be7a53d8c1b485c0fa5051a86703fe79059

SHA512
b2cf9577ab0c9d002d52de15dceb9e52e11686649e9ff5d6a9fdc565eb7ee2aa2ae735cf0c8712c1dde895792542d3d0426624cc62b11f885357646e7e5f3ac6

Download Submit
\Users\Admin\AppData\Local\Temp\gpzjgm.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
7966845e533be3b7ee6b2fc13b783818

SHA1
c479d7d26fde2783ce3436dbfeefa3bc3f8b390e

SHA256
297a8702e62994c9844fb666b33776c1c1c8b873bb2b2c1493a5040f087285ed

SHA512
da56d9e2594f452ba710c76d2928d9d90bb86c83d972a0f6bafa8b438b3cd19c11ebd75735b035ef0a7dc9b09dd7a217ea9d8ab70e4a5a76dffcf0296cbd63bd

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
481c27ac9569e89f6bece3fdd1017fc7

SHA1
f33a9d8a094537096a7927dfd1c5d58b3811bfb7

SHA256
426008e6f921ebfcc3d65e319a43bfe6240bbec9250c3cd329c86871f8a03485

SHA512
285bc7b2fec65c3445e9c6d2648e5e47201e15497b88fbc9fdfb42e75fe4df39737488614d7fd2f51141c722d694235e4a7af2de95aafd9bd290b738ecaa63b5

Download Submit
\Windows\system\svchost.exe

Filesize
207KB

MD5
aa7e5ace3529372fcba2ba3750e1914b

SHA1
8f58cba8ecfe2381bae3d69dd953de6805f23f2d

SHA256
ed228914773833107b2d8a8fe8e12cddc0447975adfadc6d30d5a51cafa15d4a

SHA512
7bb07e41def8e7e2591e9c9201dd3b986d8235d7e4ce4d9f50e2db03c93a2a923aaeb2f04da0b7a6f7d777fbc5964066b12e740a473371e130c1ece5c33be343

Download Submit
memory/884-131-0x0000000074260000-0x0000000074287000-memory.dmp

Filesize
156KB

Download
memory/1092-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-155-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/1608-156-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/1748-81-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/2076-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2076-25-0x0000000002CC0000-0x0000000002D00000-memory.dmp

Filesize
256KB

Download
memory/2076-24-0x0000000002CC0000-0x0000000002D00000-memory.dmp

Filesize
256KB

Download
memory/2188-101-0x0000000004550000-0x0000000004590000-memory.dmp

Filesize
256KB

Download
memory/2188-100-0x0000000004550000-0x0000000004590000-memory.dmp

Filesize
256KB

Download
memory/2420-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-72-0x00000000007C0000-0x0000000000800000-memory.dmp

Filesize
256KB

Download
memory/2596-41-0x0000000002BD0000-0x0000000002C10000-memory.dmp

Filesize
256KB

Download
memory/2596-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download