Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 25/06/2024, 14:15
Behavioral task behavioral1
Sample: 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
(The signatures and process tree on this page are from behavioral1, the Windows 7 x64 run.)
General
Target: 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
Size: 232KB
MD5: e63363b5821c2d5a191a739c6a1656a0
SHA1: 4446e08d4c95444d2f761a4737a3aa48485e7bb5
SHA256: 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4
SHA512: 15b1a9b3e79966c1266efdc540189a219ec954b34672476aea806d5756d60a6a9e34dbb631bcca6fe33748487ca4e900607bd75cf729ec8a2e6d9ba0488303c2
SSDEEP: 3072:s1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:ai/NjO5xbg/CSUFLTwMjs6oi/N+O7
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}
  Process: 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"
  Process: 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
Note: the component name is not a well-formed GUID (it contains the non-hexadecimal letters X, J, H, U and R), which is itself a usable detection hint, and StubPath points at C:\system.exe in the drive root, the file the sample later hides with attrib +h (see the process tree below). Active Setup runs each component's StubPath once per user at logon, so the entry survives reboots. The key lands under Wow6432Node because the sample runs as a 32-bit process on the x64 image.
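The Active Setup entry above can be triaged mechanically. The following Python is an added example, not code from tria.ge or from this report; it audits a list of (component key name, StubPath) pairs of the kind a .reg export or a registry-event feed would supply, and flags malformed component GUIDs, StubPaths outside Windows or Program Files, and executables sitting in a drive root. The input entries are constructed: the first reproduces the IoC above, the others are made-up benign and suspicious controls modelled on the sort of entries Windows ships with, not copied from a real host.

```python
import re
from dataclasses import dataclass, field

# Well-formed GUID: 8-4-4-4-12 hex digits inside braces, any case.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Leading executable of a StubPath command line, quoted or not.
EXE_RE = re.compile(r'^"?(.+?\.exe)\b"?', re.IGNORECASE)
# Directories a legitimate StubPath normally runs from (lower-case prefixes).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Executable directly in a drive root, e.g. C:\system.exe.
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$")


@dataclass
class Finding:
    component: str
    stub_path: str
    reasons: list = field(default_factory=list)


def stub_executable(stub_path: str) -> str:
    """Return the lower-cased executable named by a StubPath value.
    Registry exports often double the backslashes; undo that first."""
    cleaned = stub_path.replace("\\\\", "\\").strip()
    m = EXE_RE.match(cleaned)
    return (m.group(1) if m else cleaned.split(" ", 1)[0]).lower()


def audit_active_setup(entries):
    """entries: iterable of (component_key_name, StubPath). Returns Findings."""
    findings = []
    for component, stub in entries:
        reasons = []
        exe = stub_executable(stub)
        if not GUID_RE.match(component):
            reasons.append("component name is not a well-formed GUID")
        if not exe.startswith(TRUSTED_DIRS):
            reasons.append("StubPath runs from outside Windows/Program Files")
        if DRIVE_ROOT_RE.match(exe):
            reasons.append("StubPath executable sits in the drive root")
        if reasons:
            findings.append(Finding(component, stub, reasons))
    return findings


# Constructed sample input (not a real export). Entry 1 is the report's IoC,
# written with the doubled backslash the report shows.
SAMPLE_ENTRIES = [
    ("{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}", r"C:\\system.exe"),
    # Benign controls, modelled on the kind of entries Windows ships with.
    ("{6BF52A52-394A-11d3-B153-00C04F79FAA6}", r"C:\Windows\System32\unregmp2.exe /ShowWMP"),
    ("{89820200-ECBD-11cf-8B85-00AA005B4383}", r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll"),
    # Well-formed GUID but StubPath in a user profile: still worth a look.
    ("{0F1D2E3C-4B5A-4C6D-8E7F-A0B1C2D3E4F5}", r"C:\Users\Admin\AppData\Roaming\updater.exe"),
]

if __name__ == "__main__":
    for f in audit_active_setup(SAMPLE_ENTRIES):
        print(f.component, f.stub_path, "; ".join(f.reasons), sep=" | ")
```

Run against SAMPLE_ENTRIES it reports the malicious entry with all three reasons and the AppData entry with one; the two Windows-style entries pass. On a live host the same function can be fed the output of a registry walk over both HKLM\Software\Microsoft\Active Setup\Installed Components and the Wow6432Node view.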
UPX packed file (yara rule: upx) 4 IoCs
resource                                                                     yara_rule
behavioral1/memory/1848-0-0x0000000000400000-0x000000000043A000-memory.dmp   upx
behavioral1/files/0x0036000000014574-10.dat                                  upx
behavioral1/files/0x000700000001473f-11.dat                                  upx
behavioral1/memory/1848-12-0x0000000000400000-0x000000000043A000-memory.dmp  upx
The rule hits both on the sample's own image in PID 1848 (0x400000-0x43A000) and on the two files it drops, so the dropped copies are UPX-packed as well.
Drops file in System32 directory 2 IoCs
File created: C:\WINDOWS\SysWOW64\qx.bat
  Process: 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
File created: C:\WINDOWS\SysWOW64\ie.bat
  Process: 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
Hide Artifacts: Hidden Files and Directories 1 TTPs 7 IoCs
pid   Process
2508  cmd.exe
2632  cmd.exe
3012  cmd.exe
2500  cmd.exe
2664  cmd.exe
1656  cmd.exe
2680  cmd.exe
Drops file in Windows directory 3 IoCs
File opened for modification: C:\WINDOWS\windows.exe
  Process: attrib.exe
File created: C:\WINDOWS\windows.exe
  Process: 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
File opened for modification: C:\WINDOWS\windows.exe
  Process: 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings (35 IoCs)
All keys below sit under IE = \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer. Only one of these writes comes from the sample itself (Key created IE\Main); the rest are ordinary first-run housekeeping by the iexplore.exe instance it launches, and the DecayDateQueue value is a DPAPI blob (it starts with the DPAPI provider header 01000000d08c9ddf0115d1118c7a00c04fc297eb), not attacker data.
Set value (int): IE\TabbedBrowsing\NTPFirstRun = "1"  (iexplore.exe)
Key created: IE\TabbedBrowsing\NewTabPage  (iexplore.exe)
Key created: IE\SearchScopes  (iexplore.exe)
Set value (int): IE\Main\CompatibilityFlags = "0"  (iexplore.exe)
Key created: IE\Main  (6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe)
Set value (data): IE\TabbedBrowsing\NewTabPage\MFV = …  (iexplore.exe; value not present in this export)
Key created: IE\IntelliForms  (iexplore.exe)
Key created: IE\LowRegistry\DontShowMeThisDialogAgain  (iexplore.exe)
Key created: IE\Toolbar\WebBrowser  (iexplore.exe)
Key created: IE\Zoom  (iexplore.exe)
Set value (data): IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000029091b7e913f37bba6de70dbd38a9acb715847ad4c45838ed18609bf76cb7977000000000e80000000020000200000003d2e4afd97eae07904d8758ed66e535bef98c6b0659b14ba99a368d9342b2a942000000094fcdabedaef3f0bf366ba42b4604ec2b18c855ffdeb155bde850b660ad98cf5400000002e9548d538f7de683233d1c260feefe422cb04deee1f52b5cb45ad0b4459036514f7be47acd4c89b429aaf28f57aace9e5bf8ffda58504c152973ce04a80d697  (iexplore.exe)
Key created: IE\Main  (iexplore.exe)
Key created: IE\IETld\LowMic  (iexplore.exe)
Key created: IE\InternetRegistry  (iexplore.exe)
Key created: IE\Recovery\AdminActive  (iexplore.exe)
Key created: IE\Main\WindowsSearch  (iexplore.exe)
Set value (str): IE\Main\WindowsSearch\Version = "WS not running"  (iexplore.exe)
Set value (int): IE\Recovery\PendingRecovery\AdminActive = "1"  (iexplore.exe)
Set value (int): IE\Recovery\PendingRecovery\AdminActive = "0"  (iexplore.exe)
Key created: IE\GPU  (iexplore.exe)
Key created: IE\LowRegistry\DOMStorage  (iexplore.exe)
Key created: IE\PageSetup  (iexplore.exe)
Key created: IE\Toolbar  (iexplore.exe)
Key created: IE\TabbedBrowsing  (iexplore.exe)
Key created: IE\DomainSuggestion  (iexplore.exe)
Set value (int): IE\DomainSuggestion\NextUpdateDate = "425486830"  (iexplore.exe)
Set value (data): IE\TabbedBrowsing\NewTabPage\LastProcessed = 90a7874c0ac7da01  (iexplore.exe)
Key created: IE\BrowserEmulation\LowMic  (iexplore.exe)
Key created: IE\LowRegistry  (iexplore.exe)
Key created: IE\Main  (IEXPLORE.EXE)
Key created: IE\Recovery\PendingRecovery  (iexplore.exe)
Set value (int): IE\SearchScopes\DownloadRetries = "3"  (iexplore.exe)
Set value (int): IE\Recovery\AdminActive\{66E3AB71-32FD-11EF-8189-4637C9E50E53} = "0"  (iexplore.exe)
Set value (str): IE\Main\FullScreen = "no"  (iexplore.exe)
Set value (data): IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  (iexplore.exe)
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"
  Process: 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid   Process
1848  6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe (5 events)
Suspicious use of FindShellTrayWindow 1 IoCs
pid   Process
1372  iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid   Process
1848  6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
1372  iexplore.exe (2 events)
2232  IEXPLORE.EXE (4 events)
Suspicious use of WriteProcessMemory 64 IoCs
Each source/target pair below was recorded four times (16 pairs, 64 events). "sample" stands for 6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe; the last column is the report's procid_target.
source PID  source process  target PID  procid_target
1848        sample          1372        28
1372        iexplore.exe    2232        29
1848        sample          2664        30
2664        cmd.exe         2628        32
1848        sample          1656        33
1656        cmd.exe         2648        35
1848        sample          2680        36
2680        cmd.exe         1324        38
1848        sample          2508        39
2508        cmd.exe         2436        41
1848        sample          2632        42
2632        cmd.exe         3004        44
1848        sample          3012        45
3012        cmd.exe         2040        47
1848        sample          2500        48
2500        cmd.exe         2804        50
Views/modifies file attributes 1 TTPs 7 IoCs
pid   Process
2040  attrib.exe
2804  attrib.exe
2628  attrib.exe
2648  attrib.exe
1324  attrib.exe
2436  attrib.exe
3004  attrib.exe
Processes
(Indentation shows parent/child depth; signature hits are listed under each process.)

C:\Users\Admin\AppData\Local\Temp\6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe"
  PID 1848
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe
    command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
    PID 1372
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:275457 /prefetch:2
      PID 2232
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
    PID 2664
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
      PID 2628
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
    PID 1656
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
      PID 2648
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
    PID 2680
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
      PID 1324
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
    PID 2508
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
      PID 2436
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
    PID 2632
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
      PID 3004
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
    PID 3012
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h "C:\WINDOWS\windows.exe"
      PID 2040
      - Drops file in Windows directory
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
    PID 2500
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib +h "c:\system.exe"
      PID 2804
      - Views/modifies file attributes

Path note: the shortcut paths are hard-coded in the Chinese-locale, Windows XP era "Documents and Settings" layout. 桌面 is Desktop, 「开始」菜单\程序 is Start Menu\Programs, and 启动 Internet Explorer 浏览器.lnk is "Launch Internet Explorer Browser.lnk". Those folders do not exist on the en-US Windows 7 image this task ran on, so the five shortcut-hiding calls target files that are not present there; the two that do matter on any image hide the dropped copies C:\WINDOWS\windows.exe and C:\system.exe (the Active Setup StubPath).
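The cmd.exe /c attrib +h chains in the tree above are a compact, hunt-friendly pattern: attrib.exe whose grandparent is a non-system binary, aimed at a root or %windir% executable or at a browser shortcut. The Python below is an added example, not code from tria.ge or from this report. It runs over constructed Sysmon-style process-creation records; the PIDs, images and command lines of the malicious chains are copied from the tree (four of the seven targets, to keep the input short), the parent PIDs 1000 and 900 and the benign control chain at the end are made up.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    chain: tuple      # (grandparent pid, parent pid, attrib pid)
    target: str
    reasons: list


# attrib ... +h ... "<target>"
HIDE_RE = re.compile(r'\battrib\b.*?\+h\b.*?"([^"]+)"', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Targets worth flagging: an executable in a drive root or in %windir%, or a
# shortcut under Desktop / Start Menu Programs / Quick Launch (English names
# plus the Chinese-locale names the sample hard-codes).
HIGH_VALUE_RE = re.compile(
    r"^(?:[a-z]:\\[^\\]+\.exe"
    r"|c:\\windows\\[^\\]+\.exe"
    r"|.*\\(?:desktop|桌面|programs|程序|quick launch)\\[^\\]+\.lnk)$",
    re.IGNORECASE,
)


def hunt_attrib_hide(events):
    """Return a Finding for every attrib +h whose ancestry or target is suspect."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\attrib.exe"):
            continue
        m = HIDE_RE.search(e.cmdline)
        if not m:
            continue                      # attrib without +h, e.g. attrib -r
        target = m.group(1)
        parent = by_pid.get(e.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        reasons = []
        if grand and not grand.image.lower().startswith(SYSTEM_DIRS):
            reasons.append(f"spawned via {parent.image} by non-system binary {grand.image}")
        if HIGH_VALUE_RE.match(target):
            reasons.append("target is a root/%windir% executable or a shell shortcut")
        if reasons:
            findings.append(Finding((grand.pid if grand else None, e.ppid, e.pid), target, reasons))
    return findings


# Constructed input mirroring the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6a56db9007d57f13a80532d30ccb5ca2a0ca56553aa3cbbf995c7b2d37637aa4_NeikiAnalytics.exe"
CMD, ATTRIB = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\attrib.exe"


def chain(cmd_pid, attrib_pid, target):
    """One cmd.exe /c attrib +h pair under PID 1848, as in the report."""
    return [
        ProcEvent(cmd_pid, 1848, CMD, f'"C:\\Windows\\System32\\cmd.exe" /c attrib +h "{target}"'),
        ProcEvent(attrib_pid, cmd_pid, ATTRIB, f'attrib +h "{target}"'),
    ]


EVENTS = [
    ProcEvent(1848, 1000, SAMPLE, f'"{SAMPLE}"'),   # ppid 1000 is made up
    *chain(2664, 2628, r"C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"),
    *chain(2508, 2436, r"C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"),
    *chain(3012, 2040, r"C:\WINDOWS\windows.exe"),
    *chain(2500, 2804, r"c:\system.exe"),
    # Constructed benign control: an interactive shell hiding a user document.
    ProcEvent(4100, 900, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(4101, 4100, r"C:\Windows\System32\attrib.exe", r'attrib +h "C:\Users\Admin\Documents\notes.txt"'),
]

if __name__ == "__main__":
    for f in hunt_attrib_hide(EVENTS):
        print(f.chain, f.target, "; ".join(f.reasons), sep=" | ")
```

All four report chains are returned with both reasons and grandparent PID 1848; the benign control (interactive cmd.exe, ordinary document) produces nothing. The two reasons are scored independently on purpose: an admin hiding a Desktop shortcut from an interactive shell still shows up with one reason, which is the right amount of noise for a hunt query but too much for an alert.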
Network
MITRE ATT&CK Enterprise v15
Downloads
Two dropped files were collected (their paths are not given in this export). Both are 232KB, the same size as the submitted sample, but neither hash matches it.

Filesize: 232KB
MD5: 2aeca44af176b94c90f002741aca2f9f
SHA1: 3dcdda88cd95c43d1eb6031dc2af38828b4449b6
SHA256: c52f077fd6921ded343a4761bd99e9fb5c1d8a5c0412ee48a9f2d7e0884883ac
SHA512: 0ded6ac07e394f59ce63559f56b89f2145984575bac9a1d4788dc7e57528b90a21504793cc646fa567d09bfd7bd71e6fe03b70a3f8bea957045e5d308ab6b9e9

Filesize: 232KB
MD5: f07c6dd525649e5de98a417b446c1504
SHA1: 6beea0f87c75f183506ab3d0d6259d6d425bfdfd
SHA256: e4a724ff7e22c903e47a296de83c76d6ea8b1f287da25e09bb69adcd46c96628
SHA512: 83e9456cc446aa8f07de2e8f0a986896b8d0d3c56f80644599acc7ce1271ece5bf7af5b74a61e18137e97d0eede7bd6f7001c00e2b677c5aab4a5f0de4e2e1c3