Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 25/06/2024, 04:04
Static task: static1
Behavioral task: behavioral1
- Sample: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
- Resource: win10v2004-20240611-en
General
- Target: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
- Size: 147KB
- MD5: 5064222fe180b7105f2c889d422dd6d0
- SHA1: 67f0e38e2f66c6decc71a3adb7f652847ea0963a
- SHA256: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8
- SHA512: 862f104f8d08e1049216d187acb6b5bcdc7f007fb403327b7ded55ced39186dd4ead274b94beb840e74ef31ec11373eede035293f907c41bb47823dc738a2c39
- SSDEEP: 1536:nWwaMcKOER0m9mwWAAggupnhycpDnq+5h/tDSZ15WwdAy:WzKR0xwWpWnhFpDRzSZaCAy
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 14 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | babon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | babon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Shell.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Shell.exe
- Modifies visibility of file extensions in Explorer (2 TTPs, 7 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Shell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | babon.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 7 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | babon.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Shell.exe
- Disables RegEdit via registry modification (7 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Shell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | babon.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
- Disables Task Manager via registry modification
- Disables cmd.exe use via registry modification (7 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | babon.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | csrss.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | lsass.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Shell.exe
- Disables use of System Restore points (1 TTPs)
- Executes dropped EXE (46 IoCs)
- Loads dropped DLL (64 IoCs)
- Modifies system executable filetype association (2 TTPs, 64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | babon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Shell.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Shell.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Shell.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | csrss.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | lsass.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Shell.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Shell.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | babon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | babon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | csrss.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | csrss.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Shell.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | babon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | babon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
- Adds Run key to start application (2 TTPs, 28 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | lsass.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | IExplorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | Shell.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | babon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | IExplorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | winlogon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | babon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | Shell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | babon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | Shell.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | babon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | IExplorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | csrss.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | lsass.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | Shell.exe
- Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon (2 TTPs, 21 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | Shell.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | Shell.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | IExplorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | babon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | babon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | csrss.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | lsass.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | IExplorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | winlogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | lsass.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | Shell.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | babon.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
- Drops autorun.inf file (1 TTPs, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File created | C:\autorun.inf | babon.exe
  File opened for modification | C:\autorun.inf | babon.exe
  File created | F:\autorun.inf | babon.exe
  File opened for modification | F:\autorun.inf | babon.exe
Drops file in System32 directory 64 IoCs
description ioc Process (64 file events, grouped by target file; a count in parentheses is the number of times that process performed that action on that file; 64 is the most Triage lists per signature, so the table is likely truncated)
C:\Windows\SysWOW64\msvbvm60.dll
  File created: IExplorer.exe (6), Shell.exe (10)
  File opened for modification: IExplorer.exe (7), Shell.exe (10)
C:\Windows\SysWOW64\IExplorer.exe
  File created: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, IExplorer.exe, winlogon.exe, Shell.exe, lsass.exe, babon.exe, csrss.exe
  File opened for modification: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, IExplorer.exe, csrss.exe, lsass.exe, winlogon.exe, Shell.exe
C:\Windows\SysWOW64\shell.exe
  File created: lsass.exe, csrss.exe, Shell.exe, 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  File opened for modification: IExplorer.exe, lsass.exe, babon.exe, 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, Shell.exe, winlogon.exe, csrss.exe
C:\Windows\SysWOW64\babon.scr
  File created: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
  File opened for modification: Shell.exe, winlogon.exe, csrss.exe, babon.exe, lsass.exe, IExplorer.exe
Note: msvbvm60.dll is the Visual Basic 6 runtime, which the sample carries with it so its copies run on hosts without it (hence "Loads dropped DLL" in the process tree); the csrss.exe, lsass.exe and winlogon.exe writing here are the sample's own copies launched under those names, not the Windows processes.
Drops file in Windows directory 50 IoCs
description ioc Process (50 file events, grouped by target file; a count in parentheses is the number of times that process performed that action on that file)
C:\Windows\babon.exe
  File created: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, csrss.exe, lsass.exe, winlogon.exe, babon.exe, Shell.exe, IExplorer.exe
  File opened for modification: lsass.exe, Shell.exe, winlogon.exe, babon.exe, 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, IExplorer.exe, csrss.exe
C:\Windows\msvbvm60.dll
  File created: Shell.exe (11), IExplorer.exe (7)
  File opened for modification: Shell.exe (11), IExplorer.exe (7)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 6 IoCs
pid pid_target Process procid_target (pid_target resolved to an image name using the PID list under "Suspicious use of SetWindowsHookEx" below)
2708 2712 WerFault.exe 29 (IExplorer.exe)
2700 1352 WerFault.exe 30 (winlogon.exe)
2556 1228 WerFault.exe 28 (babon.exe)
1432 1476 WerFault.exe 32 (lsass.exe)
1856 1664 WerFault.exe 31 (csrss.exe)
1428 2760 WerFault.exe 52 (Shell.exe)
Note: the first five crashed processes are exactly the five children the sample itself launched (PIDs 1228, 2712, 1352, 1664 and 1476 in the WriteProcessMemory table); each of them still managed to spawn further copies before WerFault took over.
Modifies Control Panel 49 IoCs
description ioc Process (49 operations; every key is under \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\, and each of the seven operations below is performed by all seven processes: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe and Shell.exe)
Key created      Desktop\
Set value (str)  Desktop\ScreenSaverIsSecure = "0"
Set value (str)  Desktop\ScreenSaveTimeOut = "600"
Set value (str)  Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"
Key created      International\
Set value (str)  International\s1159 = "Babon"
Set value (str)  International\s2359 = "Babon"
Note: SCRNSAVE.EXE, a 600-second timeout and ScreenSaverIsSecure = "0" together make the dropped babon.SCR (see the System32 drops above) run after ten idle minutes with no password prompt on resume, a second launch path besides Winlogon; s1159 and s2359 are the AM and PM designators, so the clock and any formatted time display "Babon" instead of AM/PM.
Modifies Internet Explorer settings 21 IoCs
description ioc Process (every key is under \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\, and each operation is performed by all seven processes: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe and Shell.exe)
Key created      Main\
Set value (str)  Main\Search Page = "http://www.jasakom.com"
Set value (str)  Main\Windows Title = "Babon hates Norman..:P~~"
Modifies Internet Explorer start page 1 TTPs 7 IoCs
description ioc Process (set by all seven processes: csrss.exe, lsass.exe, Shell.exe, 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe)
Set value (str)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"
Modifies registry class 64 IoCs
description ioc Process (64 operations, the most Triage lists per signature, so this is likely truncated; grouped by key, every key under \REGISTRY\MACHINE\SOFTWARE\Classes\; the sample is written in full below)
Set value (str)  exefile\ = "File Folder": winlogon.exe, babon.exe, 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, Shell.exe, csrss.exe
Key created      exefile: csrss.exe, babon.exe, winlogon.exe, lsass.exe
Key created      exefile\shell\open\command: babon.exe, csrss.exe, Shell.exe
Set value (str)  exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*": babon.exe, lsass.exe, IExplorer.exe, Shell.exe
Key created      comfile\shell\open\command: IExplorer.exe, Shell.exe, 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)  comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*": winlogon.exe, babon.exe, 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, IExplorer.exe
Key created      batfile\shell\open\command: winlogon.exe, Shell.exe, babon.exe, csrss.exe
Set value (str)  batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*": lsass.exe, babon.exe, csrss.exe
Key created      piffile\shell\open\command: winlogon.exe, Shell.exe, csrss.exe, lsass.exe
Set value (str)  piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*": lsass.exe, winlogon.exe
Key created      lnkfile\shell: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created      lnkfile\shell\open: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created      lnkfile\shell\open\command: lsass.exe, babon.exe, IExplorer.exe, 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, Shell.exe
Set value (str)  lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*": IExplorer.exe, babon.exe, lsass.exe, Shell.exe, csrss.exe, winlogon.exe
Key created      inffile\shell\Install\command\: csrss.exe, Shell.exe
Set value (str)  inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF": babon.exe, 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, csrss.exe, lsass.exe
Key created      Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} (the Computer / My Computer namespace object): babon.exe, winlogon.exe, csrss.exe, IExplorer.exe
Key created      Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (the Recycle Bin namespace object): lsass.exe, IExplorer.exe, Shell.exe, winlogon.exe, babon.exe
Notes: the shell\open\command rewrites route every .exe, .com, .bat, .pif and .lnk launch through the dropped C:\Windows\system32\shell.exe before the real target (the "%1" %* that follows it), which is how the worm re-runs whenever the user starts any program; the stock value for exefile, comfile, batfile and piffile is "%1" %* alone, and stock Windows defines no open\command for lnkfile at all, so its mere presence is a finding. Renaming the exefile type to "File Folder" makes executables appear as folders in Explorer's Type column, which pairs with the hidden-extension changes listed in the process tree. The inffile command is written to a value literally named Default rather than to the key's unnamed default value that Windows actually consults, and C:\WINDOWS\win\system\host32.exe does not appear among the files dropped in this run.
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2248 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe -
Suspicious use of SetWindowsHookEx 47 IoCs
pid Process (47 processes, grouped by image name; every one of them is the sample or one of its dropped copies, so this is one binary counted many times rather than hooks set by unrelated software)
2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe: 2248
babon.exe: 1228, 2012, 576, 2128, 2528, 3056, 2448
IExplorer.exe: 2712, 924, 2916, 892, 1976, 2452, 552
winlogon.exe: 1352, 752, 2228, 2400, 2732, 984, 1296
csrss.exe: 1664, 352, 2160, 876, 2784, 1780, 292
lsass.exe: 1476, 3060, 3064, 3048, 2552, 1544, 1392
Shell.exe: 2760, 2748, 2672, 2892, 2584, 1112, 1464, 2232, 2852, 684, 1900
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (64 entries, the most Triage lists per signature; every parent/child pair below is logged four times in the original table and is shown here once, with the child's image name taken from the SetWindowsHookEx list above)
PID 2248 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe wrote to memory of 1228 (babon.exe), procid_target 28
PID 2248 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe wrote to memory of 2712 (IExplorer.exe), procid_target 29
PID 2248 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe wrote to memory of 1352 (winlogon.exe), procid_target 30
PID 2248 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe wrote to memory of 1664 (csrss.exe), procid_target 31
PID 2248 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe wrote to memory of 1476 (lsass.exe), procid_target 32
PID 1228 babon.exe wrote to memory of 2012 (babon.exe), procid_target 33
PID 2712 IExplorer.exe wrote to memory of 576 (babon.exe), procid_target 34
PID 1228 babon.exe wrote to memory of 924 (IExplorer.exe), procid_target 35
PID 1352 winlogon.exe wrote to memory of 2128 (babon.exe), procid_target 36
PID 2712 IExplorer.exe wrote to memory of 2916 (IExplorer.exe), procid_target 37
PID 1228 babon.exe wrote to memory of 752 (winlogon.exe), procid_target 38
PID 1228 babon.exe wrote to memory of 352 (csrss.exe), procid_target 39
PID 1352 winlogon.exe wrote to memory of 892 (IExplorer.exe), procid_target 40
PID 2712 IExplorer.exe wrote to memory of 2228 (winlogon.exe), procid_target 41
PID 1352 winlogon.exe wrote to memory of 2400 (winlogon.exe), procid_target 42
PID 1228 babon.exe wrote to memory of 3060 (lsass.exe), procid_target 43
Note: every target is a child the writing process itself had just spawned (compare the process tree), so this table documents the fan-out of copies, not injection into unrelated processes.
System policy modification 1 TTPs 14 IoCs
description ioc Process (14 operations; every key is under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and each operation is performed by all seven processes: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe and Shell.exe)
Key created      Policies\System
Set value (int)  Policies\System\DisableCMD = "1"
Note: together with the "Disables RegEdit via registry modification" entry in the process tree, this takes away the two built-in tools a user would reach for to undo the Winlogon, screensaver and file-association changes above, so cleanup has to come from a separate tool or another account.
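The signatures above record five things a responder can verify directly on a suspect host: Winlogon Shell and Userinit carrying an extra program, the shell\open\command of exefile, comfile, batfile, piffile and lnkfile routed through C:\Windows\system32\shell.exe, the exefile type renamed to "File Folder", SCRNSAVE.EXE pointed at a dropped .scr, and DisableCMD set. The Python below is an added example, not part of the tria.ge report: it evaluates those checks over a registry snapshot expressed as a dict, ships a constructed INFECTED snapshot mirroring the values in this report and a constructed CLEAN baseline, and can fill the same dict from a live Windows host through winreg. The snapshot layout, the stock values it treats as clean and the STOCK_SCREENSAVERS list are assumptions.

```python
"""Check a registry snapshot for the persistence and lock-out indicators this
report records. Added example; not part of the tria.ge report. The snapshot
layout, the stock values treated as clean and STOCK_SCREENSAVERS are
assumptions; INFECTED is a constructed snapshot mirroring this report's values."""
import sys

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DESKTOP = r"Control Panel\Desktop"
FILE_CLASSES = ("exefile", "comfile", "batfile", "piffile")

# Stock Windows 7 screensaver file names (assumption; extend for other builds).
STOCK_SCREENSAVERS = {"bubbles.scr", "mystify.scr", "ribbons.scr", "sstext3d.scr",
                      "scrnsave.scr", "photoscreensaver.scr"}

# (hive, key, value name); "" is the key's unnamed default value.
WATCH = [
    ("HKLM", WINLOGON, "Shell"),
    ("HKLM", WINLOGON, "Userinit"),
    ("HKLM", POLICIES, "DisableCMD"),
    ("HKCU", DESKTOP, "SCRNSAVE.EXE"),
    ("HKCR", "exefile", ""),
    ("HKCR", r"lnkfile\shell\open\command", ""),
] + [("HKCR", cls + r"\shell\open\command", "") for cls in FILE_CLASSES]


def key_of(hive, key, name):
    """Snapshot key: 'HIVE\\subkey\\valuename'."""
    return f"{hive}\\{key}\\{name}"


def check_snapshot(snap):
    """Return [(severity, message)] for a snapshot {key_of(...): data}."""
    findings = []

    def get(hive, key, name):
        return snap.get(key_of(hive, key, name))

    shell = get("HKLM", WINLOGON, "Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("high", f"Winlogon Shell is {shell!r}, expected 'explorer.exe'"))

    userinit = get("HKLM", WINLOGON, "Userinit")
    if userinit is not None:
        # Stock value is "<path>\userinit.exe," and nothing else after the comma.
        extra = [p.strip() for p in userinit.split(",")
                 if p.strip() and not p.strip().lower().endswith("\\userinit.exe")]
        if extra:
            findings.append(("high", f"Winlogon Userinit also runs {extra}"))

    for cls in FILE_CLASSES:
        cmd = get("HKCR", cls + r"\shell\open\command", "")
        if cmd is not None and cmd.strip() != '"%1" %*':
            findings.append(("high", f"{cls} open command hijacked: {cmd!r}"))

    lnk = get("HKCR", r"lnkfile\shell\open\command", "")
    if lnk is not None:
        findings.append(("high", f"lnkfile has an open command (stock Windows defines none): {lnk!r}"))

    type_name = get("HKCR", "exefile", "")
    if type_name is not None and type_name != "Application":
        findings.append(("medium", f"exefile type name is {type_name!r}, stock is 'Application'"))

    scr = get("HKCU", DESKTOP, "SCRNSAVE.EXE")
    if scr and scr.rsplit("\\", 1)[-1].lower() not in STOCK_SCREENSAVERS:
        findings.append(("medium", f"non-stock screensaver configured: {scr!r}"))

    if str(get("HKLM", POLICIES, "DisableCMD")) in ("1", "2"):
        findings.append(("medium", "DisableCMD policy set; cmd.exe is blocked for the user"))

    return findings


def read_live_snapshot():
    """Populate a snapshot from the running host (Windows only; uses winreg)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKCR": winreg.HKEY_CLASSES_ROOT}
    snap = {}
    for hive, key, name in WATCH:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                snap[key_of(hive, key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass  # key or value absent: nothing to record
    return snap


# Constructed snapshot mirroring the values this report shows the sample writing.
INFECTED = {
    key_of("HKLM", WINLOGON, "Shell"): 'Explorer.exe "C:\\Windows\\system32\\IExplorer.exe"',
    key_of("HKLM", WINLOGON, "Userinit"): "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe",
    key_of("HKLM", POLICIES, "DisableCMD"): 1,
    key_of("HKCU", DESKTOP, "SCRNSAVE.EXE"): "C:\\Windows\\system32\\babon.SCR",
    key_of("HKCR", "exefile", ""): "File Folder",
    key_of("HKCR", r"exefile\shell\open\command", ""): '"C:\\Windows\\system32\\shell.exe" "%1" %*',
    key_of("HKCR", r"lnkfile\shell\open\command", ""): '"C:\\Windows\\system32\\shell.exe" "%1" %*',
}

# Constructed baseline with the stock values.
CLEAN = {
    key_of("HKLM", WINLOGON, "Shell"): "explorer.exe",
    key_of("HKLM", WINLOGON, "Userinit"): "C:\\Windows\\system32\\userinit.exe,",
    key_of("HKCR", "exefile", ""): "Application",
    key_of("HKCR", r"exefile\shell\open\command", ""): '"%1" %*',
    key_of("HKCU", DESKTOP, "SCRNSAVE.EXE"): "C:\\Windows\\system32\\Bubbles.scr",
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else INFECTED
    for severity, message in check_snapshot(snap):
        print(f"[{severity}] {message}")
```

On a 64-bit host the report's Wow6432Node and HKU\<SID> paths are just the WOW64 and per-user views of the keys above; reading the native paths from a 64-bit Python sees the same Winlogon and Classes values, while the HKCU entries must be read in the affected user's context. The checks compare against stock values rather than against this sample's strings, so a variant that swaps shell.exe for another name is still caught.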
Processes
Image path, level in the tree and PID per process; the command line is shown only where it differs from the image path.

C:\Users\Admin\AppData\Local\Temp\2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe (level 1, PID 2248)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
  C:\Windows\babon.exe (level 2, PID 1228)
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\Windows\babon.exe (level 3, PID 2012)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\IExplorer.exe, cmd: C:\Windows\system32\IExplorer.exe (level 3, PID 924)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3, PID 752)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 3, PID 352)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 3, PID 3060)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe, cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 376 (level 3, PID 2556)
    - Loads dropped DLL
    - Program crash
      C:\Windows\SysWOW64\Shell.exe, cmd: "C:\Windows\system32\Shell.exe" (level 4, PID 2748)
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\Shell.exe, cmd: "C:\Windows\system32\Shell.exe" (level 4, PID 2892)
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\IExplorer.exe, cmd: C:\Windows\system32\IExplorer.exe (level 2, PID 2712)
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\Windows\babon.exe (level 3, PID 576)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\IExplorer.exe, cmd: C:\Windows\system32\IExplorer.exe (level 3, PID 2916)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3, PID 2228)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 3, PID 876)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 3, PID 3064)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe, cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 380 (level 3, PID 2708)
    - Loads dropped DLL
    - Program crash
      C:\Windows\SysWOW64\Shell.exe, cmd: "C:\Windows\system32\Shell.exe" (level 4, PID 2760)
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - System policy modification
        C:\Windows\babon.exe (level 5, PID 2448)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\IExplorer.exe, cmd: C:\Windows\system32\IExplorer.exe (level 5, PID 552)
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 5, PID 1296)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 5, PID 292)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 5, PID 1392)
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\WerFault.exe, cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 396 (level 5, PID 1428)
        - Program crash
          C:\Windows\SysWOW64\Shell.exe, cmd: "C:\Windows\system32\Shell.exe" (level 6, PID 684)
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\Shell.exe, cmd: "C:\Windows\system32\Shell.exe" (level 6, PID 1900)
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 2, PID 1352)
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\Windows\babon.exe (level 3, PID 2128)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\IExplorer.exe, cmd: C:\Windows\system32\IExplorer.exe (level 3, PID 892)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3, PID 2400)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 3, PID 2160)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 3, PID 3048)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe, cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 356 (level 3, PID 2700)
    - Loads dropped DLL
    - Program crash
      C:\Windows\SysWOW64\Shell.exe, cmd: "C:\Windows\system32\Shell.exe" (level 4, PID 2672)
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\Shell.exe, cmd: "C:\Windows\system32\Shell.exe" (level 4, PID 2584)
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 2, PID 1664)
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
    C:\Windows\babon.exe (level 3, PID 3056)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\IExplorer.exe, cmd: C:\Windows\system32\IExplorer.exe (level 3, PID 2452)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3, PID 984)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 3, PID 1780)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 3, PID 1544)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe, cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 376 (level 3, PID 1856)
    - Loads dropped DLL
    - Program crash
      C:\Windows\SysWOW64\Shell.exe, cmd: "C:\Windows\system32\Shell.exe" (level 4, PID 1464)
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\Shell.exe, cmd: "C:\Windows\system32\Shell.exe" (level 4, PID 2852)
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 2, PID 1476)
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
    C:\Windows\babon.exe (level 3, PID 2528)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\IExplorer.exe, cmd: C:\Windows\system32\IExplorer.exe (level 3, PID 1976)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3, PID 2732)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 3, PID 2784)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 3, PID 2552)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\WerFault.exe, cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 352 (level 3, PID 1432)
    - Loads dropped DLL
    - Program crash
      C:\Windows\SysWOW64\Shell.exe, cmd: "C:\Windows\system32\Shell.exe" (level 4, PID 1112)
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\Shell.exe, cmd: "C:\Windows\system32\Shell.exe" (level 4, PID 2232)
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
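Two things in this tree and in the WriteProcessMemory rows above are worth checking mechanically rather than by eye: every winlogon.exe, csrss.exe and lsass.exe here runs from a user-profile folder rather than System32 (process-name masquerading), and every IExplorer.exe/Shell.exe was launched as C:\Windows\system32\... but runs from SysWOW64, which is WoW64 file-system redirection telling you the implants are 32-bit (their "Drops file in System32 directory" writes land in SysWOW64 too). The script below is an added example, not tria.ge code: PROCS and INJECTION_LINES are constructed from a subset of the tree and rows on this page, parents are recovered from the level numbers, WerFault's -p argument is resolved to the process that crashed, and the repeated "wrote to memory" rows are collapsed into edges annotated with whether the target was the writer's own child. All edges here are parent-to-child writes, which is what ordinary process creation on Windows 7 and process hollowing both look like at this level of detail, so the rows alone do not settle which it was.

```python
"""Process-tree triage for the tree and WriteProcessMemory rows in this report.
Added example (not tria.ge code).  PROCS and INJECTION_LINES are constructed
from the report: (pid, level, image path, command line) per process."""
import ntpath
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid level image cmdline")

# Core Windows process names; a binary with one of these names that does not live
# in %SystemRoot%\System32 is masquerading (ATT&CK T1036.005).
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe",
                "services.exe", "wininit.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
# On Windows 7 "Local Settings\Application Data" is a junction to AppData\Local.
USERDIR = r"C:\Users\Admin\Local Settings\Application Data\WINDOWS"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe"
WOW64_IE = Proc  # alias kept for readability of the table below


def user_proc(pid, level, name):
    image = USERDIR + "\\" + name
    return Proc(pid, level, image, f'"{image}"')


PROCS = [  # subset of the tree; level is the N in the report's "N⤵" marker
    Proc(2248, 1, SAMPLE, f'"{SAMPLE}"'),
    Proc(1228, 2, r"C:\Windows\babon.exe", r"C:\Windows\babon.exe"),
    Proc(924, 3, r"C:\Windows\SysWOW64\IExplorer.exe", r"C:\Windows\system32\IExplorer.exe"),
    user_proc(752, 3, "winlogon.exe"),
    user_proc(352, 3, "csrss.exe"),
    user_proc(3060, 3, "lsass.exe"),
    Proc(2556, 3, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 376"),
    Proc(2712, 2, r"C:\Windows\SysWOW64\IExplorer.exe", r"C:\Windows\system32\IExplorer.exe"),
    user_proc(2228, 3, "winlogon.exe"),
    user_proc(1352, 2, "winlogon.exe"),
    Proc(892, 3, r"C:\Windows\SysWOW64\IExplorer.exe", r"C:\Windows\system32\IExplorer.exe"),
    user_proc(2400, 3, "winlogon.exe"),
]
INJECTION_LINES = [  # constructed from the WriteProcessMemory rows; repeats are intentional
    "PID 1228 wrote to memory of 352 1228 babon.exe 39",
    "PID 1228 wrote to memory of 352 1228 babon.exe 39",
    "PID 1352 wrote to memory of 892 1352 winlogon.exe 40",
    "PID 2712 wrote to memory of 2228 2712 IExplorer.exe 41",
    "PID 1228 wrote to memory of 3060 1228 babon.exe 43",
]
INJECT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
WERFAULT_RE = re.compile(r"-p (\d+)")


def parents(procs):
    """Recover parent pids from the level markers: each process's parent is the
    nearest preceding entry one level up."""
    parent, stack = {}, []
    for p in procs:
        while stack and stack[-1].level >= p.level:
            stack.pop()
        parent[p.pid] = stack[-1].pid if stack else None
        stack.append(p)
    return parent


def assess(procs):
    """Return {pid: [notes]} for processes worth a second look."""
    by_pid = {p.pid: p for p in procs}
    parent = parents(procs)
    findings = {}
    for p in procs:
        notes = []
        name = ntpath.basename(p.image).lower()
        folder = ntpath.dirname(p.image).lower()
        if name in SYSTEM_NAMES and folder != SYSTEM32:
            pp = by_pid.get(parent[p.pid])
            via = f" (spawned by {ntpath.basename(pp.image)} pid {pp.pid})" if pp else ""
            notes.append(f"masquerades as {name} from {folder}{via}")
        # A SysWOW64 image launched as "...\system32\..." is a 32-bit process: WoW64
        # file-system redirection turned its System32 writes into SysWOW64 writes.
        if "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower():
            notes.append("32-bit image; system32 paths redirected to SysWOW64")
        if name == "werfault.exe":
            m = WERFAULT_RE.search(p.cmdline)
            if m:
                crashed = by_pid.get(int(m.group(1)))
                who = ntpath.basename(crashed.image) if crashed else "unknown"
                notes.append(f"WerFault invoked for crashed pid {m.group(1)} ({who})")
        if notes:
            findings[p.pid] = notes
    return findings


def injections(lines, procs):
    """Collapse 'PID X wrote to memory of Y' rows into (src, dst) edges and note
    whether the target is the writer's own child."""
    by_pid = {p.pid: p for p in procs}
    parent = parents(procs)

    def name(pid):
        return ntpath.basename(by_pid[pid].image) if pid in by_pid else "?"

    edges = set()
    for line in lines:
        m = INJECT_RE.search(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            edges.add((src, name(src), dst, name(dst), parent.get(dst) == src))
    return sorted(edges)


if __name__ == "__main__":
    for pid, notes in assess(PROCS).items():
        print(pid, "; ".join(notes))
    for edge in injections(INJECTION_LINES, PROCS):
        print("WriteProcessMemory", edge)
```

Feed it the full tree and the masquerading check fires on every winlogon.exe, csrss.exe and lsass.exe in the report, each attributed to the implant that spawned it, while the WerFault lines confirm that each level-2 implant (babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe) crashed after spawning its children.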
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads
Filesize: 147KB
MD5: 5064222fe180b7105f2c889d422dd6d0
SHA1: 67f0e38e2f66c6decc71a3adb7f652847ea0963a
SHA256: 2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8
SHA512: 862f104f8d08e1049216d187acb6b5bcdc7f007fb403327b7ded55ced39186dd4ead274b94beb840e74ef31ec11373eede035293f907c41bb47823dc738a2c39

Filesize: 147KB
MD5: 248e79cf8cf9d97e1db979d6ae0cc038
SHA1: 5ced58a143d70fb1677f2a0bdb07a420cd5e11a0
SHA256: d8d005ded4283792a1b1d70925fd2a6be496ee41efbb8a0b6c0d3132ef8527eb
SHA512: 7adfc1aff4ea57eea815081a9f55ce6203526cb9fb0c02c8e13c2ad5256519f746186e45dfe713dbda97284479ae5414b840470b44268e9e723aa6a3b7029b89

Filesize: 147KB
MD5: 4a3d98f25e50ef43bb204e69f24a9c62
SHA1: f6fa7ba6c1756bb97f03842e8ccde77ac53884b1
SHA256: 1900ec57a995a5ced5d0722be7bb4b9b0f60c64f990e4c2f3eee54c9374f78a1
SHA512: ee19ba21a6c5e00672e5fdc156ed3e10c9eb7bf0a09fe3c140124676f6a190b3d9537f857fe2d2714f12900a8c5d2de1e7c17b6d61f7b834c11359abcb397b0f

Filesize: 147KB
MD5: b54a0c3e291fe31da0e414f54fc41046
SHA1: 3a7de23ee7f2f71051c1c4be70923a94c5b9b1b5
SHA256: f7b32dd3fc4213cd3fe7816a034003002d509888506ca5264bc3ac0a4ac69152
SHA512: bf4f4f0c906e3d9712a14b2deb9532bdffc8a8f89f576bd4916abcf0a39792b6568e751acdef9d6706b03f8ab680cc81968c3bd28ac5659667a6ab024bab4599

Filesize: 1.3MB
MD5: 5343a19c618bc515ceb1695586c6c137
SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Filesize: 147KB
MD5: e03521fbfd91fb1899c3039b680746cc
SHA1: bd65fb6102cb725be4056045891b0609847889de
SHA256: 43b985ae8c75eeff6b26f05458ef0ec6ef7294b11d5189589142f115a49650d8
SHA512: 1c4f224f91ad9efecbef486455e338e5d3480505e44f76ed9172892c999a5aa42705fa75d98b9456097c06759da318e8052396d98c135690155c496e78a91ff1

Filesize: 147KB
MD5: 4f65eb5aeebd02314c18a0abb0b2a5eb
SHA1: 0b92fefb792ef0ed234ff9f2bfa4a6ccb08db437
SHA256: c39ec6f254e42eddbd140f11186b42c92f86b56b5338e5b529ccdd082e243261
SHA512: 0c5c0c91576b09a744d175b85208200c70bb6ed5a226e14b08ef850125a3f4f0d93912efc93c5d825dbabaef3a116356a33f1ed04f0e46917207bfc3e324f9cb

Filesize: 147KB
MD5: e53afdd44bf6944fc56612875c04b96d
SHA1: d49fb4771bbf4a5056e1abcd93b8702af610570b
SHA256: 11b0c0f044e5ec7a171435c2e370ba2ceac73fa8a6856f12f1acf3b240e703ad
SHA512: 57299388882d634f21e5884712d3c43f055ac69705adad83d489f3af7a966f69884c2c26b4f3f4ba715b89388523f1b928a54d83d18a4a543f18c9d0b0f44ba3

Filesize: 147KB
MD5: a39a4ee05d2d497b20ad555b0a3cf363
SHA1: 8c1ac4414e70ebbb8ac75847ec85a7cd41cffaa7
SHA256: 671a363eae7d6b8107ce1cb763d4b86361e781f7822d2cb1299723f64edeb241
SHA512: df27ab62cbedc88f295a5ac65b03fdca5f470e14efacffa7cff36f8f674dd012a0ec1b19390b73467450586ef151b4d1dffa3cd515f1a2c123fc0d8b80047772

Filesize: 147KB
MD5: 56a7ccd3225f2a74e6d59afd0991655a
SHA1: 60a4761400afcbcdd9f86b2a5f3ebd71bf74502f
SHA256: 4ff32ac63c588c53d91e5a08609dad739d66fb3533f4d8a23cfa1f7b28328cc3
SHA512: 8d544266c1ee64c455360f79c204e9c3aaff38ffbb4013411c59246d571ee8cefa4b81ef5e3d91165b9a254ca1c03aa23c057314133bd6adbe6cf1f71776be4e

Filesize: 147KB
MD5: a85e6a5c026999949da7de0e9ebae3f9
SHA1: 4a445cd9e61bd67a95c6473a822a9dce03fbbd14
SHA256: b17725f2471c488b78a32053a26c878f96ec7df9bd65173a5d7484c69a94a72e
SHA512: a7ed59d4fd1ab3c7fbbd04b2d80cb8431678f382efab4a1864ca0bf6176d01dc3f33dc8f5722811737eba5cfa954e026e161a84b1540adc9432dc871650f4677

Filesize: 147KB
MD5: 6d672c40fec44ec73af195ab696bfe01
SHA1: c521e3521b85fee2b88a1e175ca7fca96e073fca
SHA256: bd666f3ccf4dd0e6f0a5346a5b0f540f7c487f8680cecc3110de9adb69ab8500
SHA512: 2d71857cc5049d9feaaa66974ffdf69cef5284043106302ab734c3aed8b615eceac0eda994c8a9f1c71b71cc96240150861a77d4f7a71abbdead1b64c226c31a

Filesize: 147KB
MD5: 406bc2a03383bbb0b61d9363a6f9ffe6
SHA1: dfc7aeefe20d9b96c495e311a2f1ac0bddd24722
SHA256: 8827e2e774e3c2140ec24243837732ff051281423c366809dcf496e812d377e1
SHA512: 83026cf4580277453f91df365037d4b8d0dc876c107909a671036e0801139983d50877afdbdb5f61835893b20cd44521e8390abdb2824685912abb1f66729af4

Filesize: 147KB
MD5: 2b622fadf60919a7318208954ddc9c81
SHA1: 82092852fc93415407860a9509dbd7e4aa221ef6
SHA256: 0c2ae0be07515a3d0116794c100964c76506db20baa5a1caab84b1ad30f2a348
SHA512: 07ff4828266a63a3573e92521f38f55425c91a5f2bc728b864a42d700b5af9532bb3e63aa2a7ad94b5affebcaf0ef21dae6ff72efffe7384b2a655d80a3e5723

Filesize: 147KB
MD5: dd59f3eddbfc1b01b8278cc76fd02d3e
SHA1: 75720c34585390037e1398eeeec02076258faef9
SHA256: 70735ec047dfddb6ea9b8f120bf6c0c81fe30065f895941bd995f2cbd8995aa0
SHA512: 0a15acad87456ce125ab36e9161f6a63067d2a1b9de750eb8f2bd681f5efa73cb6db36ea8998d95b27834a1380f241877d773dd5723b13deab22e6f9ab91efb1

Filesize: 359B
MD5: df2f3e6971a7548c1688706f9a9798a8
SHA1: e38539857523a1e7eb3aa857e017bf6461b16a08
SHA256: 1fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918
SHA512: d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072

Filesize: 41B
MD5: 097661e74e667ec2329bc274acb87b0d
SHA1: 91c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256: aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512: e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

Filesize: 147KB
MD5: 119c55713b44e6457c29361ece427cc1
SHA1: 9263e1b5595b303744fd5d2c583eb8ddab79abef
SHA256: 86a6fa44e13f7b4905cf7a8d3cb83fce44314dee1e85208e27aa2b8bdd5bab74
SHA512: e2c824df37e29a78c0c19df5c46bb157faec7a4886f95666bef11020f70614c515f40063c11ed4bd6ddcd012045930650a5f974c3de69fe7af8d3d1879377d1d

Filesize: 147KB
MD5: 80f13cf452b08e17677bad60e0db0e74
SHA1: a7cf859f31fcb7d8d7c54303c921d0f3bddce763
SHA256: df383c58b274d6259b74686b08a15aa38dcdaa0ff3f17cbda7c5aee05523556a
SHA512: 18bda701b41caba48d58e48693851abd0a1d9f3eae7e97f95b14ad33eea01cd171afc3ca01bb1d1bfdf6b44e757c7786040560c5cbda2ff344cdba049bda41e2

Filesize: 147KB
MD5: 6efbc9054cab5424ab7f4d930f377284
SHA1: c16a8c153640354129a3d49d13ebdba5b1bac7f3
SHA256: a285d929072996a3aed849cd694751c46fe30fe9de8a06a263e824730bc84d1a
SHA512: 4f528a1899a9dc01a77f3d40c62ec5bc0a9e7b6db093e651f017633fddc5b59839c06412f1a87e77bd73369341283b6fb33677f8715b479f1ee5c2653eaf636d

Filesize: 147KB
MD5: eedfd3170c92ef1fca9339cbdb488445
SHA1: fa5d271627ffd8c98b5b723feb9a165a03cf5f0d
SHA256: dd434b44c11bec5e44a1126a2d7c1d14b9c1372e17f45835ecb59c1cc75adbf7
SHA512: 9d65e87cb54ad3e775983c9ed05d5ef4e29f236173899ac961dea7bdefb0db38f0f6b442fb1a6f262074772ba94dbae0e708fe4916eb547d8a3ff532fca02dda