61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 07:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
Size

2.7MB
MD5

4d9a1f961f123af9a70d205aadab0840
SHA1

3a13b0822fbba0a5518126e7de06d3e7ebdf00bd
SHA256

61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb
SHA512

1044ce436c414b46375492054aa911bab0c54f529a037e602a16ba88fd4be4ba086b35f52a9412d1be4071306447dfb49d51828601a329dd671fc45870e90793
SSDEEP

24576:E6UeWKwmEpuXRGEUHkT86JdNFtGvMy/E8vQsJfyqoNP1zk:E6UVKQpgo1kjJavJuufyqoNdk

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	AE 0124 BE.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
860	winlogon.exe
1116	AE 0124 BE.exe
776	winlogon.exe
3612	winlogon.exe

Loads dropped DLL 7 IoCs

pid	Process
1116	AE 0124 BE.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
3612	winlogon.exe

Drops desktop.ini file(s) 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	AE 0124 BE.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops autorun.inf file 1 TTPs 26 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\de-DE\percsas2i.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\tokenbinding.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Devices.Picker.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Media.Audio.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bcmdhd64.inf_amd64_e0bae6831f60ea5f\bcmdhd64.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\rtl8192se.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\ipmidrv.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\DeviceCenter.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\eventvwr.msc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\comsvcs.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ngclocal.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\monitor.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DeviceDisplayStatusManager.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bthoob.inf_amd64_c6923052f60677d9\BthOob.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fingerprintcredential.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Host-Devices-EmulatedChipset-Package~31bf3856ad364e35~amd64~~10.0.19041.153.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\pstorec.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\wlansvc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\WMIC.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\bthspp.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ntvdm64.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Composable-PlatformExtension-DragDropCommon-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndisuio.inf_amd64_6096fd74a67ccd5d\ndisuio.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\pci.inf_amd64_66614bed5c0a20d8\pci.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\MsDtc.Formats.ps1xml	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Windows.UI.Xaml.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmusrf.inf_amd64_ddaa09c6103bc6ce\mdmusrf.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0212~31bf3856ad364e35~amd64~~10.0.19041.264.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\uk-UA\MSFT_ArchiveResource.schema.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-MFPMP-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sensorsservicedriver.inf_amd64_4761deffedf4e12e	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\wecsvc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\dpx.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\telephon.cpl.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\iscsiwmiv2.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\mscpxl32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\umdmxfrm.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netrtwlane_13.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-constraints.js	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cht4nulx64.inf_amd64_641bf08bee8ac46d\cht4nulx64.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\netvchannel.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netavpna.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterPowerManagement.Format.Helper.psm1	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\networkexplorer.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_399f04975a0af112\breecemc.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\scmvolume.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\PSCRIPT.HLP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\nshwfp.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\msimtf.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-OptionalFeature-DisposableClientVM-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmagm64.inf_amd64_7f60bc7ff484a292\ltmdm64.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\microsoft_bluetooth_hfp_hf.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\dtsh.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\register-cimprovider.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\dhcpcsvc6.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\srm.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netr7364.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\downlevel\api-ms-win-core-errorhandling-l1-1-0.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\uefi.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\tsgqec.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\bthspp.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\pshed.dll.mui	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Office.Tools.Excel.Implementation\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Excel.Implementation.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_it-it_03d07248da6ea3b2_gpapi.dll.mui_ef0a9748	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-h..k-service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_86590e42d15fe3a0.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoftwindows-undockeddevkit.appxmain_31bf3856ad364e35_10.0.19041.488_none_7201e1dc944d1765.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-edp-notify_31bf3856ad364e35_10.0.19041.1202_none_958d6588f50ca146\BitLockerCsp.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-ntlanman.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9e8a120c0f149723.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\sdstor.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_it-it_bddceaf325c3cfd0_rtm.dll.mui_55e4e990	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-iorate.resources_31bf3856ad364e35_10.0.19041.1_de-de_fb069b292b24ec1b.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-aarsvc_31bf3856ad364e35_10.0.19041.264_none_4b25f9be389a3a63\{A5A7C794-3D59-41DF-915F-19ACDA526FC9}2052.bin	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..clientsku.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_722f57ec7f2152fb\rdpshell.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-l..oyment-languagepack_31bf3856ad364e35_10.0.19041.1151_en-us_6191f6578bd8087b.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_windows-application..-appextension-winrt_31bf3856ad364e35_10.0.19041.264_none_f1b195690fb4325e.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..-provider.resources_31bf3856ad364e35_10.0.19041.1_es-es_aba3a74bd9f213fb\adsnt.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..tservices.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f6234877a4e09a4e\TipTsf.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-cmi_31bf3856ad364e35_10.0.19041.746_none_921c3f66edbae559\f	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_10.0.19041.1_none_8b021141ec175d3e\sdbinst.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..atform-input-ninput_31bf3856ad364e35_10.0.19041.546_none_9cb384bc1098bc04\r\ninput.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..m-manager.resources_31bf3856ad364e35_10.0.19041.1_es-es_eeaff81f292cb62d.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-lmhsvc.resources_31bf3856ad364e35_10.0.19041.1_de-de_f1b4993dbc216ff6\lmhsvc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_10.0.19041.84_none_7c1f17a9e1beaf63\r	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-mapi.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_8d43aaeab0ef7abb\mapi32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-telephony-voiprt_31bf3856ad364e35_10.0.19041.264_none_2bb47dca91adaf58\VoipRT.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..-uevagent.resources_31bf3856ad364e35_10.0.19041.1_es-es_55becf37c31a22f5\Microsoft.Uev.EventLogMessages.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..-autoplay.resources_31bf3856ad364e35_10.0.19041.1_en-us_291e9fa54b2e42f3\wmlaunch.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..veryagent.resources_31bf3856ad364e35_10.0.19041.1_de-de_bf2eea434d33ed5d\reagent.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-i..2-filesystemsupport_31bf3856ad364e35_10.0.19041.1266_none_00d3f0af4e941597.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.RunTime.Serialization.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\ServiceControlManager.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_tr-tr_1d60a06c87d527e6	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..stringime.resources_31bf3856ad364e35_10.0.19041.1_en-us_3fa72d32e128ab65.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\msil_microsoft.web.manag..netclient.resources_31bf3856ad364e35_10.0.19041.1_en-us_f060c167438b07ef.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Cursors	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-usbceip.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_80a8547576f94425	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..rofessional-license_31bf3856ad364e35_10.0.19041.1_none_31de674a953f3f59\Professional-Retail-5-ul-store-rtm.xrm-ms	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c271277db84bbc43_services.exe.mui_86ea5e71	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_hyperv-guest-kmcl-d..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_ja-jp_95d04ee4f4b77e3b.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-i..rityzones.resources_31bf3856ad364e35_11.0.19041.1_it-it_ef64ad77ea3c7c1c.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WindowsBase.Resources\3.0.0.0_fr_31bf3856ad364e35\WindowsBase.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ncsi.resources_31bf3856ad364e35_10.0.19041.1_es-es_25fb790994524f42	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_hyperv-compute-host..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_uk-ua_75743606581d05a7.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-netjoin_31bf3856ad364e35_10.0.19041.1_none_0d4b2cd40c249c64.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\msil_presentationframework_31bf3856ad364e35_10.0.19041.1_none_d08a0804dafcd0bd\PresentationFramework.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-printing-platform_31bf3856ad364e35_10.0.19041.746_none_90fe2c4c55073e4b\PrintPlatformConfig.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.Xaml.Hosting.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-whoami.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_53f52c826bc8ddfb\whoami.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..n-library.resources_31bf3856ad364e35_10.0.19041.1_de-de_c9b7d236d40f6b1d	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_10.0.19041.1_es-es_67d062782fd4ac44\ReachFramework.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_eventviewersettings.resources_31bf3856ad364e35_10.0.19041.1_es-es_5743073167c99986\miguiresource.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-security-ngc-cryptngc_31bf3856ad364e35_10.0.19041.1202_none_9d678b1eef8af3d2\f\cryptngc.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.rsp	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..iderslegacy-library_31bf3856ad364e35_10.0.19041.1_none_125e3189c56b833d	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-3daudio-hrtfapo_31bf3856ad364e35_10.0.19041.1266_none_01934add04c2464d\r\ssdm.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-coreuicomponents_31bf3856ad364e35_10.0.19041.546_none_21a414279c9a8074\f\CoreUIComponents.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-textpredictionengine_31bf3856ad364e35_10.0.19041.746_none_ffcc3a1a9a5792d9\f	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Contract.v10.0\10.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-AppServerClient-OptGroup-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\SplashScreen.scale-100.png	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_hyperv-networking-c..s-merged-deployment_31bf3856ad364e35_10.0.19041.153_none_48af7ed3a224efab.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-w..t-snapins.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3ba94d590fbb069a\MMFUtil.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-d..ne-dsacls.resources_31bf3856ad364e35_10.0.19041.1_es-es_3917f34286a67bd2\dsacls.exe.mui	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	636	msiexec.exe
Token: SeSecurityPrivilege	1252	msiexec.exe
Token: SeCreateTokenPrivilege	636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	636	msiexec.exe
Token: SeLockMemoryPrivilege	636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	636	msiexec.exe
Token: SeMachineAccountPrivilege	636	msiexec.exe
Token: SeTcbPrivilege	636	msiexec.exe
Token: SeSecurityPrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeLoadDriverPrivilege	636	msiexec.exe
Token: SeSystemProfilePrivilege	636	msiexec.exe
Token: SeSystemtimePrivilege	636	msiexec.exe
Token: SeProfSingleProcessPrivilege	636	msiexec.exe
Token: SeIncBasePriorityPrivilege	636	msiexec.exe
Token: SeCreatePagefilePrivilege	636	msiexec.exe
Token: SeCreatePermanentPrivilege	636	msiexec.exe
Token: SeBackupPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeShutdownPrivilege	636	msiexec.exe
Token: SeDebugPrivilege	636	msiexec.exe
Token: SeAuditPrivilege	636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	636	msiexec.exe
Token: SeChangeNotifyPrivilege	636	msiexec.exe
Token: SeRemoteShutdownPrivilege	636	msiexec.exe
Token: SeUndockPrivilege	636	msiexec.exe
Token: SeSyncAgentPrivilege	636	msiexec.exe
Token: SeEnableDelegationPrivilege	636	msiexec.exe
Token: SeManageVolumePrivilege	636	msiexec.exe
Token: SeImpersonatePrivilege	636	msiexec.exe
Token: SeCreateGlobalPrivilege	636	msiexec.exe
Token: SeCreateTokenPrivilege	636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	636	msiexec.exe
Token: SeLockMemoryPrivilege	636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	636	msiexec.exe
Token: SeMachineAccountPrivilege	636	msiexec.exe
Token: SeTcbPrivilege	636	msiexec.exe
Token: SeSecurityPrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeLoadDriverPrivilege	636	msiexec.exe
Token: SeSystemProfilePrivilege	636	msiexec.exe
Token: SeSystemtimePrivilege	636	msiexec.exe
Token: SeProfSingleProcessPrivilege	636	msiexec.exe
Token: SeIncBasePriorityPrivilege	636	msiexec.exe
Token: SeCreatePagefilePrivilege	636	msiexec.exe
Token: SeCreatePermanentPrivilege	636	msiexec.exe
Token: SeBackupPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeShutdownPrivilege	636	msiexec.exe
Token: SeDebugPrivilege	636	msiexec.exe
Token: SeAuditPrivilege	636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	636	msiexec.exe
Token: SeChangeNotifyPrivilege	636	msiexec.exe
Token: SeRemoteShutdownPrivilege	636	msiexec.exe
Token: SeUndockPrivilege	636	msiexec.exe
Token: SeSyncAgentPrivilege	636	msiexec.exe
Token: SeEnableDelegationPrivilege	636	msiexec.exe
Token: SeManageVolumePrivilege	636	msiexec.exe
Token: SeImpersonatePrivilege	636	msiexec.exe
Token: SeCreateGlobalPrivilege	636	msiexec.exe
Token: SeCreateTokenPrivilege	636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	636	msiexec.exe
Token: SeLockMemoryPrivilege	636	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
636	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4468	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
860	winlogon.exe
1116	AE 0124 BE.exe
776	winlogon.exe
3612	winlogon.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 636	4468	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	81
PID 4468 wrote to memory of 636	4468	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	81
PID 4468 wrote to memory of 636	4468	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	81
PID 4468 wrote to memory of 860	4468	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	83
PID 4468 wrote to memory of 860	4468	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	83
PID 4468 wrote to memory of 860	4468	61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe	83
PID 860 wrote to memory of 1116	860	winlogon.exe	85
PID 860 wrote to memory of 1116	860	winlogon.exe	85
PID 860 wrote to memory of 1116	860	winlogon.exe	85
PID 1252 wrote to memory of 4028	1252	msiexec.exe	86
PID 1252 wrote to memory of 4028	1252	msiexec.exe	86
PID 1252 wrote to memory of 4028	1252	msiexec.exe	86
PID 1116 wrote to memory of 776	1116	AE 0124 BE.exe	87
PID 1116 wrote to memory of 776	1116	AE 0124 BE.exe	87
PID 1116 wrote to memory of 776	1116	AE 0124 BE.exe	87
PID 860 wrote to memory of 3612	860	winlogon.exe	88
PID 860 wrote to memory of 3612	860	winlogon.exe	88
PID 860 wrote to memory of 3612	860	winlogon.exe	88

C:\Users\Admin\AppData\Local\Temp\61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\61ddbe58a2fa6e96c433a267f3886ed259900ac878451a5ce2aab2d984e48bcb_NeikiAnalytics.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:636
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:776
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0EBDCDB4BB1859A09785D69C02B7289E C
  2⤵
  - Loads dropped DLL
  PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI77C0.tmp

Filesize
57KB

MD5
c23d4d5a87e08f8a822ad5a8dbd69592

SHA1
317df555bc309dace46ae5c5589bec53ea8f137e

SHA256
6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

SHA512
fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI787D.tmp

Filesize
418KB

MD5
67f23a38c85856e8a20e815c548cd424

SHA1
16e8959c52f983e83f688f4cce3487364b1ffd10

SHA256
f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

SHA512
41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI78CD.tmp

Filesize
209KB

MD5
0e91605ee2395145d077adb643609085

SHA1
303263aa6889013ce889bd4ea0324acdf35f29f2

SHA256
5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

SHA512
3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

Download Submit
C:\Windows\AE 0124 BE.msi

Filesize
2.7MB

MD5
d519ffc109be810f2d1596612b8b1890

SHA1
13458dcbc227780bd0e7c1ef3f0691d992bd9589

SHA256
faa633656d1f649c6d7731d13b0c09d981560841a1b736ddca16845c5a5552be

SHA512
2f2b16b8f230c46d1d5e8b328fc91ea96548841e73365fb4022fd412ce87a49c2f0032d94b900693d4388ba7463ddce63ebe4ab524efad475e8e8c651a315a4c

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
130KB

MD5
1ca05dd9a829256fd297ecebb3d922f8

SHA1
3c2fd4d8d071780c8b2b15739d8795e17dd5493e

SHA256
e9d1b72d6dd30fe495815bfc1ad7a5dd5017aa10eb8785c2c00edd890a1f292c

SHA512
6b6820e8217a68d91c1b2bf36a934e7e3e4e29a744d2ee689bf85a9b6231424a0e03bc707ac7f9030d6e5ff78530203888b55d121ffc75323074b905c35e76a2

Download Submit
C:\Windows\System32\LogFiles\WMI\CloudExperienceHostOobe.etl.002

Filesize
256KB

MD5
26450c1ac9820c708096dc2892542a35

SHA1
33ab6adcfab4ba1b2fd67db89818a6bfa6ecc48e

SHA256
6a3779956c62b0f3ffa0530b191c91bef6f393222e49ec8ad9e916f6feff7dc2

SHA512
18eeec31e53c73235cb8025a1c274426467979f3c36058f46079cacb092dd47b4badab12d5b9a6b231c8eb6d4650f32957215dca73b0813e5ba9437794dd4be2

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads