61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
Size

2.7MB
MD5

4d9a1f961f123af9a70d205aadab0840
SHA1

3a13b0822fbba0a5518126e7de06d3e7ebdf00bd
SHA256

61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb
SHA512

1044ce436c414b46375492054aa911bab0c54f529a037e602a16ba88fd4be4ba086b35f52a9412d1be4071306447dfb49d51828601a329dd671fc45870e90793
SSDEEP

24576:E6UeWKwmEpuXRGEUHkT86JdNFtGvMy/E8vQsJfyqoNP1zk:E6UVKQpgo1kjJavJuufyqoNdk

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
2604	winlogon.exe
2240	AE 0124 BE.exe
1668	winlogon.exe
2128	winlogon.exe

Loads dropped DLL 12 IoCs

pid	Process
1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
2240	AE 0124 BE.exe
2240	AE 0124 BE.exe
2604	winlogon.exe
2604	winlogon.exe
2128	winlogon.exe
2776	MsiExec.exe
2776	MsiExec.exe
2776	MsiExec.exe
2776	MsiExec.exe
2776	MsiExec.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2968	msiexec.exe
5	2968	msiexec.exe
7	2968	msiexec.exe
9	2968	msiexec.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini	AE 0124 BE.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops autorun.inf file 1 TTPs 26 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DevicePairingFolder.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\ntprint.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\EP0NOPUD.DXT	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\KYFS4000.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\mdmgen.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\TCPMonUI.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migration\commig.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\aecache.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\C_437.NLS	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ShareMedia-ControlPanel-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00g.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnep005.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_neutral_c239ab5d36a3b3e9\RTL8187Se.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\rasdial.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\mycomput.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRD135C.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky306.inf_amd64_ja-jp_97f0de39317f6837\Amd64\KYC5200J.PPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\ndptsp.tsp.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LUZ00.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Parsing.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssession_details.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Dism\it-IT\CompatProvider.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\modemcsa.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\ql2300.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrEvIF.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\netnvm64.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\wer.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\wusa.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiabr007.inf_amd64_neutral_442d902f3f3dd5b7	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpb8300t.xml	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\sti.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ja-JP\OfflineFilesWmiProvider.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\cryptbase.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\CNB_0340.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\AdmTmpl.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\localsec.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\wshom.ocx.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\EP0NGN8H.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\KOC353X.INI	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx002.inf_amd64_neutral_12563574abbc36eb\Amd64\LEXC524.PPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\mscms.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_output.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\powercpl.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\provthrd.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\credui.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\efsadu.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\es-ES\PostMig.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\WPDSp.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmbug3.inf_amd64_neutral_7617862a9cc286da\mdmbug3.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\mdmgen.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\sti.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\feclient-DL.man	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\CNB_0295.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\powershell.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\fltMC.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\unimdm.tsp.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\sti.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_neutral_407146dba80d1566\m4mc.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00a.inf_amd64_neutral_a89d2c01c0f43dfd\Amd64	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\vsstrace.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\ja-JP\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll-Help.xml	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll	AE 0124 BE.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..e_runtime.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f1c6ef3d7a7966db\iasrad.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep00g.inf_31bf3856ad364e35_6.1.7600.16385_none_afdac3e7463477e2\Amd64\EP0NGW8D.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_mdmsun1.inf_31bf3856ad364e35_6.1.7600.16385_none_1f7c98965ef22a0b.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-c..questtool.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9cb3d29956952e2d.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..relevated.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2693542887f7d94d	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-a..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3950802fa47d5cc8	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_infocard.resources_b77a5c561934e089_6.1.7600.16385_it-it_d2057157b6cfc267\infocard.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..s-mdac-odbcconf-dll_31bf3856ad364e35_6.1.7601.17514_none_65fef1180c6133e5\odbcconf.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..t-console.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c1381a1f0d876298\mmcshext.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_server-help-chm.tpmadmin.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9724eda9f08c9d84\tpmadmin.CHM	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-stobject.resources_31bf3856ad364e35_6.1.7601.17514_de-de_4a81c8fb725c1a35.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\msil_system.management.i..mentation.resources_b77a5c561934e089_6.1.7600.16385_ja-jp_b5b1a36b9acca206\System.Management.Instrumentation.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-sxs.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7e524d44b14cc68b\sxstrace.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcplayerinterop\f7a93626b76fe66f217c19426cc5b02a\mcplayerinterop.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\bf808b9c0c44745fc6bf261c44003c7a	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Printer-Drivers-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..erclasses.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73a0e46b641d0379\netcorehc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-h..-recopack.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8e3c8adf70a7b932.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-m..readwrite.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_54958cbf87ad2335.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.Runtime.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-mscortim_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_5b77eded0caaaee2	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_th-th_7723bc0307a2c52a\comdlg32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\System.Management.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..crosoftjhengheibold_31bf3856ad364e35_6.1.7600.16385_none_baa58b03c657ca8d\msjhbd.ttf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9a336327ca353fb0.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-i..tional-codepage-936_31bf3856ad364e35_6.1.7600.16385_none_ceb139b2fc8fb8ed\C_936.NLS	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4148_none_f47e1bd6f6571810.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-r..l-cmdline.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7775f1e4e3c54a08.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_regular_expressions.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Reflection.Emit.ILGeneration.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-eventviewer_31bf3856ad364e35_6.1.7600.16385_none_c9e0123eb5cb9955	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..ventextservice-core_31bf3856ad364e35_6.1.7600.16385_none_8049c66281fe73bd	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_dot4prt.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e4a9d2b6185cf54e\dot4prt.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..chrecognizerdeu.ale_31bf3856ad364e35_6.1.7600.16385_de-de_4ef9697bd3b10bcc\l1031.wwd	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-scripting.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3e30bcbd8246a17e\wscript.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_d1a2100f55014e24\SMDiagnostics.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnkm002.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_87a3257675275e4f	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-deviceux.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c66193be1f9bb5ba	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp004.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_74da1dd9c27a579a\hpc6300t.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_hdaudio.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_ja-jp_624db7a528903345.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..asks-sync.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1ab6f4058d9e436e\DxpTaskSync.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-p..topeerdrt.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b270c0e96d215fb8.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_data_sections.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SUA-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmzyxel.inf_31bf3856ad364e35_6.1.7600.16385_none_24c421d477088bd6	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmrock5.inf_31bf3856ad364e35_6.1.7600.16385_none_7c186d56cf76c4c6\mdmrock5.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-compact.resources_31bf3856ad364e35_6.1.7600.16385_en-us_29b7d82b94f046f3\compact.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\FileMaps\program_files_x86_common_files_system_msadc_it-it_93e640af36531734.cdf-ms	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-muicachebuilder_31bf3856ad364e35_6.1.7601.17514_none_1c140627131a6df3.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..assistant.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcd3cafd91383411\pcaevts.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep00e.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8f3334dfa2d83909\prnep00e.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_ricoh.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c55debbc3f7a9ef0\ricoh.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-p..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_37f5cfc7eafe79bf.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_scsidev.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_es-es_495600e8d556e463.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\DE\System.DirectoryServices.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.Configuration.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_21e9d2a1c5e982b5.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_prnrc007.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_it-it_753d30d329783aea.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_5fbe9f67bec0f818.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.17932_none_0ca1c10dda240617\api-ms-win-core-threadpool-l1-1-0.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-ux-sppcc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7ff2cb09a0aca3bd\sppcc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnbr003.inf_31bf3856ad364e35_6.1.7600.16385_none_4a524cd7dd4e8b07	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_503694bced118e0e	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2968	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2968	msiexec.exe
Token: SeRestorePrivilege	308	msiexec.exe
Token: SeTakeOwnershipPrivilege	308	msiexec.exe
Token: SeSecurityPrivilege	308	msiexec.exe
Token: SeCreateTokenPrivilege	2968	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2968	msiexec.exe
Token: SeLockMemoryPrivilege	2968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2968	msiexec.exe
Token: SeMachineAccountPrivilege	2968	msiexec.exe
Token: SeTcbPrivilege	2968	msiexec.exe
Token: SeSecurityPrivilege	2968	msiexec.exe
Token: SeTakeOwnershipPrivilege	2968	msiexec.exe
Token: SeLoadDriverPrivilege	2968	msiexec.exe
Token: SeSystemProfilePrivilege	2968	msiexec.exe
Token: SeSystemtimePrivilege	2968	msiexec.exe
Token: SeProfSingleProcessPrivilege	2968	msiexec.exe
Token: SeIncBasePriorityPrivilege	2968	msiexec.exe
Token: SeCreatePagefilePrivilege	2968	msiexec.exe
Token: SeCreatePermanentPrivilege	2968	msiexec.exe
Token: SeBackupPrivilege	2968	msiexec.exe
Token: SeRestorePrivilege	2968	msiexec.exe
Token: SeShutdownPrivilege	2968	msiexec.exe
Token: SeDebugPrivilege	2968	msiexec.exe
Token: SeAuditPrivilege	2968	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2968	msiexec.exe
Token: SeChangeNotifyPrivilege	2968	msiexec.exe
Token: SeRemoteShutdownPrivilege	2968	msiexec.exe
Token: SeUndockPrivilege	2968	msiexec.exe
Token: SeSyncAgentPrivilege	2968	msiexec.exe
Token: SeEnableDelegationPrivilege	2968	msiexec.exe
Token: SeManageVolumePrivilege	2968	msiexec.exe
Token: SeImpersonatePrivilege	2968	msiexec.exe
Token: SeCreateGlobalPrivilege	2968	msiexec.exe
Token: SeCreateTokenPrivilege	2968	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2968	msiexec.exe
Token: SeLockMemoryPrivilege	2968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2968	msiexec.exe
Token: SeMachineAccountPrivilege	2968	msiexec.exe
Token: SeTcbPrivilege	2968	msiexec.exe
Token: SeSecurityPrivilege	2968	msiexec.exe
Token: SeTakeOwnershipPrivilege	2968	msiexec.exe
Token: SeLoadDriverPrivilege	2968	msiexec.exe
Token: SeSystemProfilePrivilege	2968	msiexec.exe
Token: SeSystemtimePrivilege	2968	msiexec.exe
Token: SeProfSingleProcessPrivilege	2968	msiexec.exe
Token: SeIncBasePriorityPrivilege	2968	msiexec.exe
Token: SeCreatePagefilePrivilege	2968	msiexec.exe
Token: SeCreatePermanentPrivilege	2968	msiexec.exe
Token: SeBackupPrivilege	2968	msiexec.exe
Token: SeRestorePrivilege	2968	msiexec.exe
Token: SeShutdownPrivilege	2968	msiexec.exe
Token: SeDebugPrivilege	2968	msiexec.exe
Token: SeAuditPrivilege	2968	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2968	msiexec.exe
Token: SeChangeNotifyPrivilege	2968	msiexec.exe
Token: SeRemoteShutdownPrivilege	2968	msiexec.exe
Token: SeUndockPrivilege	2968	msiexec.exe
Token: SeSyncAgentPrivilege	2968	msiexec.exe
Token: SeEnableDelegationPrivilege	2968	msiexec.exe
Token: SeManageVolumePrivilege	2968	msiexec.exe
Token: SeImpersonatePrivilege	2968	msiexec.exe
Token: SeCreateGlobalPrivilege	2968	msiexec.exe
Token: SeCreateTokenPrivilege	2968	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2968	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
2604	winlogon.exe
2240	AE 0124 BE.exe
1668	winlogon.exe
2128	winlogon.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2968	1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	28
PID 1732 wrote to memory of 2968	1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	28
PID 1732 wrote to memory of 2968	1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	28
PID 1732 wrote to memory of 2968	1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	28
PID 1732 wrote to memory of 2968	1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	28
PID 1732 wrote to memory of 2968	1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	28
PID 1732 wrote to memory of 2968	1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	28
PID 1732 wrote to memory of 2604	1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	29
PID 1732 wrote to memory of 2604	1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	29
PID 1732 wrote to memory of 2604	1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	29
PID 1732 wrote to memory of 2604	1732	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	29
PID 2604 wrote to memory of 2240	2604	winlogon.exe	30
PID 2604 wrote to memory of 2240	2604	winlogon.exe	30
PID 2604 wrote to memory of 2240	2604	winlogon.exe	30
PID 2604 wrote to memory of 2240	2604	winlogon.exe	30
PID 2240 wrote to memory of 1668	2240	AE 0124 BE.exe	31
PID 2240 wrote to memory of 1668	2240	AE 0124 BE.exe	31
PID 2240 wrote to memory of 1668	2240	AE 0124 BE.exe	31
PID 2240 wrote to memory of 1668	2240	AE 0124 BE.exe	31
PID 2604 wrote to memory of 2128	2604	winlogon.exe	32
PID 2604 wrote to memory of 2128	2604	winlogon.exe	32
PID 2604 wrote to memory of 2128	2604	winlogon.exe	32
PID 2604 wrote to memory of 2128	2604	winlogon.exe	32
PID 308 wrote to memory of 2776	308	msiexec.exe	34
PID 308 wrote to memory of 2776	308	msiexec.exe	34
PID 308 wrote to memory of 2776	308	msiexec.exe	34
PID 308 wrote to memory of 2776	308	msiexec.exe	34
PID 308 wrote to memory of 2776	308	msiexec.exe	34
PID 308 wrote to memory of 2776	308	msiexec.exe	34
PID 308 wrote to memory of 2776	308	msiexec.exe	34

C:\Users\Admin\AppData\Local\Temp\61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2968
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1668
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2128

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57D0BBD46E17FC52C786E1F8A429A818 C
  2⤵
  - Loads dropped DLL
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabF7D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1446.tmp

Filesize
57KB

MD5
c23d4d5a87e08f8a822ad5a8dbd69592

SHA1
317df555bc309dace46ae5c5589bec53ea8f137e

SHA256
6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

SHA512
fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1485.tmp

Filesize
105KB

MD5
5509621dca088ef52ffb084bd8af7eb3

SHA1
7156ecd85dad51b1f933da185a7f1346410c2a8d

SHA256
bdaa83c4f5ea72c4e81d805cdb30ad0394061e0048d926b09be9b77db74f3726

SHA512
89b43a9ef904014bec8f6c044fcc25fa00fd1b99c97c0ce6f680de2dda2a5d06b75058d96d3b0341f62c00f5316bead16c8e3978bab9373ffb95918b4c1293f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI14B5.tmp

Filesize
295KB

MD5
95ed4d4025ba60e4aa41128574895b02

SHA1
760149b78574fcbf17ef871dec76cb7f4adac99f

SHA256
25b004d5aa7b1f1c9dc4ae62ff8c8015b6a48da059483f2ab8f6458718256bd3

SHA512
0b4126a0bf274304ef0c38a462ad0999e832915ff423040746f9452d226074c7a1ffab8de1b40c32959ccdfa60e4b7d2335c014043ef5f7993a6cc2ffccd4c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1533.tmp

Filesize
207KB

MD5
c6e7c1fa4c99ac76a9484c0dc7b056d8

SHA1
a0fb23fd111fa7b5d08655a3a049359b42ad09ea

SHA256
53aff70e75afe582b5983c62bec71905617b1029721ccfa80130e1cb5b883b3d

SHA512
8de5f2fb50dee154d44b579b1e8b969c543df26ea22bd3089c8c2fe0e4e641fac67e5e101e4feaece940b3ff36d7e6d084ea2aa0e3a26543b7c92a2afcf04ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF9F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\AE 0124 BE.msi

Filesize
2.7MB

MD5
d519ffc109be810f2d1596612b8b1890

SHA1
13458dcbc227780bd0e7c1ef3f0691d992bd9589

SHA256
faa633656d1f649c6d7731d13b0c09d981560841a1b736ddca16845c5a5552be

SHA512
2f2b16b8f230c46d1d5e8b328fc91ea96548841e73365fb4022fd412ce87a49c2f0032d94b900693d4388ba7463ddce63ebe4ab524efad475e8e8c651a315a4c

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
130KB

MD5
1ca05dd9a829256fd297ecebb3d922f8

SHA1
3c2fd4d8d071780c8b2b15739d8795e17dd5493e

SHA256
e9d1b72d6dd30fe495815bfc1ad7a5dd5017aa10eb8785c2c00edd890a1f292c

SHA512
6b6820e8217a68d91c1b2bf36a934e7e3e4e29a744d2ee689bf85a9b6231424a0e03bc707ac7f9030d6e5ff78530203888b55d121ffc75323074b905c35e76a2

Download Submit
memory/1732-12-0x0000000004040000-0x0000000004AFA000-memory.dmp

Filesize
10.7MB

Download
memory/2240-81-0x0000000003360000-0x0000000003E1A000-memory.dmp

Filesize
10.7MB

Download
memory/2240-411-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2240-420-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2604-76-0x0000000003510000-0x0000000003FCA000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads