Analysis
max time kernel: 54s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 03:48
The analysis figures and the Signatures below belong to the win10v2004-20240611-en run (behavioral2); a second behavioral task on win7-20240611-en is listed, but its results are not included on this page.

Static task: static1
Behavioral task behavioral1: sample 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, resource win7-20240611-en
Behavioral task behavioral2: sample 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, resource win10v2004-20240611-en

General
Target: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Size: 351KB
MD5: bd1fca8f44921479510a72dbf1efefa0
SHA1: 3692a07961e502f4ee266bf9a768cfc1fe03102e
SHA256: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc
SHA512: 53a2814e8e9b1b6ae37e66cda5e73a55db32f6759b11807d4ffee3ebaa6efdf375f195cf982ab90791af4ddc1f8cd4631fb651c6a2248844c87f3257ce2bfb39
SSDEEP: 6144:V/OZplTYZplx/OZpl7/OZplx/OZplQ/OZplU:V/MTqx/M7/Mx/MQ/MU
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
The Windows logon process reads the Winlogon Shell and Userinit values at every interactive logon, so appending C:\Windows\system32\IExplorer.exe to both makes the malware start with each session. The winlogon.exe listed as a process here is the malware's dropped copy (see the Run key MSMSGS below), not the system binary.
Processes: 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, Tiwi.exe
description | ioc | process(es)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, IExplorer.exe, winlogon.exe, Tiwi.exe, imoet.exe, cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, imoet.exe, cute.exe, Tiwi.exe, IExplorer.exe, winlogon.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
HideFileExt = 1 turns off the display of file extensions for this user, which hides the .exe suffix of the dropped files.
Processes: imoet.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe, winlogon.exe
description | ioc | process(es)
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | imoet.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe, winlogon.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
ShowSuperHidden = 0 re-enables the "Hide protected operating system files" option, so files carrying the hidden and system attributes stay out of sight.
Processes: winlogon.exe, imoet.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe
description | ioc | process(es)
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe, imoet.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe
Disables RegEdit via registry modification (6 IoCs)
DisableRegistryTools = 1 under the user's Policies\System key is the policy that blocks regedit.exe for that account.
Processes: cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe
description | ioc | process(es)
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
DisableCMD = 1 is written under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System without a WOW6432Node view: that Policies key is one Windows shares between 32-bit and 64-bit processes rather than redirecting it.
Processes: winlogon.exe, imoet.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe
description | ioc | process(es)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe, imoet.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (35 IoCs)
Seven instances of each of the five dropped executables were started (pid process):
Tiwi.exe: 3584, 3460, 3664, 4580, 2464, 5072, 4536
IExplorer.exe: 1528, 3068, 772, 5096, 1644, 2480, 2940
winlogon.exe: 4584, 2008, 3732, 3320, 1784, 2188, 540
imoet.exe: 3452, 3312, 3228, 4916, 4796, 2360, 4764
cute.exe: 688, 2556, 2776, 4660, 648, 5036, 1436
Loads dropped DLL (6 IoCs)
Six of the seven Tiwi.exe instances load a dropped DLL (pid process): 3460 Tiwi.exe, 3664 Tiwi.exe, 4580 Tiwi.exe, 2464 Tiwi.exe, 5072 Tiwi.exe, 4536 Tiwi.exe. The only DLL this report shows being dropped is msvbvm60.dll, the Visual Basic 6 runtime (see the System32 and Windows directory drops below).
Modifies system executable filetype association (2 TTPs, 64 IoCs)
shell\open\command under the exefile, comfile, batfile, piffile and lnkfile classes is the command Explorer runs when a user opens a file of that type. Pointing all five at "C:\Windows\system32\shell.exe" "%1" %* (the shell.exe the same processes drop into SysWOW64) makes every such launch execute the malware first, with the real target passed as %1. Setting the exefile type name to "File Folder" makes executables show that type in Explorer. For cleanup, note that on the infected profile any tool started by opening an .exe goes through this hijack, and regedit.exe and cmd.exe are blocked by the policies above; restore these values from another account or by editing the hive offline.
Processes: Tiwi.exe, IExplorer.exe, imoet.exe, cute.exe, winlogon.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
description | ioc | process(es)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe, IExplorer.exe, winlogon.exe, cute.exe, imoet.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe, imoet.exe, Tiwi.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, IExplorer.exe, winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe, winlogon.exe, imoet.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, IExplorer.exe, winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe, Tiwi.exe, winlogon.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, IExplorer.exe, cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe, winlogon.exe, Tiwi.exe, imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, imoet.exe, IExplorer.exe, winlogon.exe, cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe, imoet.exe, winlogon.exe, Tiwi.exe, IExplorer.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe, imoet.exe, winlogon.exe, IExplorer.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, cute.exe, imoet.exe, IExplorer.exe, Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
Two values go under the machine Run key (32-bit view) and two under the user's Run key; each is written by all six processes. The value names imitate legitimate components (MSMSGS, System Monitoring, LogonAdmin), and the dropped winlogon.exe runs from the user's profile, not from C:\Windows\System32 as the real one does. The XP-era path Local Settings\Application Data resolves through junctions to AppData\Local on this Windows 10 image.
Processes: Tiwi.exe, imoet.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, winlogon.exe, IExplorer.exe
description | ioc | process(es)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | Tiwi.exe, cute.exe, winlogon.exe, imoet.exe, IExplorer.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, imoet.exe, Tiwi.exe, cute.exe, IExplorer.exe, winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | imoet.exe, winlogon.exe, IExplorer.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, cute.exe, winlogon.exe, imoet.exe, IExplorer.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Each process walks the drive letters looking for attached volumes, which is consistent with the autorun.inf drops to F:\ and C:\ below.
Processes: IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, Tiwi.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
description | ioc (drive roots opened as \??\<letter>:) | process
File opened (read-only) | B: G: I: P: Q: R: S: U: V: X: Y: Z: | IExplorer.exe
File opened (read-only) | G: I: K: L: M: P: S: T: W: X: | winlogon.exe
File opened (read-only) | E: H: I: K: Q: R: U: W: Z: | imoet.exe
File opened (read-only) | B: E: H: I: J: L: M: N: Q: W: X: Z: | cute.exe
File opened (read-only) | B: G: H: K: L: M: Q: R: V: W: | Tiwi.exe
File opened (read-only) | E: G: H: I: J: K: O: Q: S: T: V: | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Modifies WinLogon (2 TTPs, 18 IoCs)
LegalNoticeCaption and LegalNoticeText are shown in a message box before the logon prompt; here they carry the author's message rather than a legal notice.
Processes: imoet.exe, cute.exe, IExplorer.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, winlogon.exe
description | ioc | process(es)
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe, imoet.exe, cute.exe, winlogon.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe, imoet.exe, cute.exe, IExplorer.exe, winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | imoet.exe, cute.exe, IExplorer.exe, Tiwi.exe, winlogon.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
The LegalNoticeText value is Indonesian; in English: "When the Princess fell asleep, I lit a lantern to keep the princess warm, and I waited for the princess to wake up. Who knows when she will see the sincerity of my heart.... (like on whose fs, huh??) :P" ("fs" is presumably Friendster). "Cemlekum" is a slang contraction of the greeting "assalamualaikum".
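The registry signatures above (Winlogon Shell and Userinit, the exefile/comfile/batfile/piffile/lnkfile handlers, the Policies\System disables and the Explorer\Advanced visibility flags) all share one event shape: Set value (type) path = "value" process. The Python below is an added example and not part of the sandbox or its report: it parses events in that notation, normalises away the WOW6432Node view and the trailing backslash that marks the (Default) value, and flags values that differ from the stock Windows defaults (Shell = explorer.exe, Userinit containing only userinit.exe, handler commands that begin with the "%1" placeholder, exefile type name "Application", policy flags at 0). The sample events are constructed from the report's IoCs plus two benign controls; the Finding class, the severity labels and the function names are this example's own choices.

```python
"""Flag the registry changes this report describes from 'Set value' events.

Added example: this is not the sandbox's code. It parses lines in the
report's own notation, normalises them, and compares each value against the
stock Windows default. Sample events below are constructed from the report's
IoCs plus two benign controls.
"""
import re
from dataclasses import dataclass

# Constructed input in the report's notation (not real telemetry). The last
# two lines are benign controls that must not be flagged.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" regedit.exe
'''

EVENT_RE = re.compile(r'^Set value \((str|int)\) (.+?) = "(.*)" (\S+)$')
HANDLER_CLASSES = ('exefile', 'comfile', 'batfile', 'piffile', 'lnkfile')
POLICY_FLAGS = {'disableregistrytools', 'disabletaskmgr', 'disablecmd'}


@dataclass(frozen=True)
class Finding:
    severity: str    # 'high' or 'low' (labels chosen for this example)
    technique: str
    process: str
    detail: str


def parse_event(line):
    """Return (key, value_name, value, process) or None for other lines.

    WOW6432Node is dropped because it is only the 32-bit view of the same
    key; a trailing backslash on the path denotes the (Default) value; the
    report escapes backslashes and quotes with a leading backslash.
    """
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    _, path, raw_value, process = m.groups()
    value = re.sub(r'\\(.)', r'\1', raw_value)
    path = path.replace(r'\WOW6432Node', '')
    if path.endswith('\\'):
        key, name = path[:-1], '(Default)'
    else:
        key, _, name = path.rpartition('\\')
    return key.lower(), name, value, process


def classify(key, name, value, process):
    """Compare one value against its stock default; return a Finding or None."""
    lname = name.lower()
    if key.endswith(r'\windows nt\currentversion\winlogon'):
        if lname == 'shell' and value.strip().lower() != 'explorer.exe':
            return Finding('high', 'Winlogon Shell replaced', process, value)
        if lname == 'userinit':
            entries = [e.strip() for e in value.split(',') if e.strip()]
            extra = [e for e in entries if not e.lower().endswith('userinit.exe')]
            if extra:
                return Finding('high', 'Winlogon Userinit chained', process, ';'.join(extra))
        return None
    m = re.search(r'\\classes\\(\w+)(\\shell\\open\\command)?$', key)
    if m and m.group(1) in HANDLER_CLASSES and lname == '(default)':
        if m.group(2):
            # A stock handler starts with the %1 placeholder; an executable in
            # front of it runs before every file of that class.
            if not value.lstrip('"').startswith('%1'):
                return Finding('high', m.group(1) + ' open command hijacked', process, value)
        elif m.group(1) == 'exefile' and value != 'Application':
            return Finding('high', 'exefile type name changed', process, value)
        return None
    if key.endswith(r'\policies\system') and lname in POLICY_FLAGS and value == '1':
        return Finding('high', name + ' policy set', process, value)
    if key.endswith(r'\explorer\advanced') and (lname, value) in (
            ('hidefileext', '1'), ('showsuperhidden', '0')):
        return Finding('low', 'Explorer ' + name + ' hides artifacts', process, value)
    return None


def scan(text):
    """Run every 'Set value' line in text through classify and collect findings."""
    findings = []
    for line in text.splitlines():
        parsed = parse_event(line)
        if parsed:
            finding = classify(*parsed)
            if finding:
                findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_EVENTS):
        print(f'[{f.severity}] {f.technique} by {f.process}: {f.detail}')
```

On the constructed input this yields six high findings (Shell, Userinit, the exefile command, the exefile type name, DisableRegistryTools, DisableCMD) and one low finding (HideFileExt); the two control lines that write the stock values are not reported. The handler check deliberately tests for the %1 placeholder at the front of the command rather than for an exact default string, so it also catches wrappers that keep the rest of the command intact, as this sample's "C:\Windows\system32\shell.exe" "%1" %* does. The same comparisons apply to values read from a live hive; only the line parser is specific to the report's notation.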
Drops autorun.inf file (1 TTPs, 6 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Since Windows 7, AutoRun is no longer honoured for removable drives other than optical media, so the file only spreads the sample on older hosts; it remains a useful on-disk indicator on any infected volume.
Processes: Tiwi.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
description | ioc | process
File created | F:\autorun.inf | Tiwi.exe
File opened for modification | F:\autorun.inf | Tiwi.exe
File created | F:\autorun.inf | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened for modification | F:\autorun.inf | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File created | C:\autorun.inf | Tiwi.exe
File opened for modification | C:\autorun.inf | Tiwi.exe
Drops file in System32 directory (40 IoCs)
The registry values above name C:\Windows\system32\IExplorer.exe and shell.exe, but the files are written to C:\Windows\SysWOW64: the droppers are 32-bit processes, and under file system redirection C:\Windows\system32 resolves to SysWOW64 for them, so the references still work. msvbvm60.dll is the Visual Basic 6 runtime, which suggests the dropped executables are VB6 programs that carry their own copy of it.
Processes: Tiwi.exe, imoet.exe, cute.exe, IExplorer.exe (7 instances), winlogon.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
description | ioc | process(es)
File created | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe, winlogon.exe, IExplorer.exe, cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe, imoet.exe, cute.exe, Tiwi.exe, winlogon.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\shell.exe | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | cute.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, IExplorer.exe, winlogon.exe, imoet.exe, Tiwi.exe
File created | C:\Windows\SysWOW64\tiwi.scr | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | Tiwi.exe, 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe (7 events)
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe (7 events)
Drops file in Windows directory 26 IoCs
Processes:
description | ioc | process
File created | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\tiwi.exe | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File created | C:\Windows\tiwi.exe | Tiwi.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | Tiwi.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | cute.exe
File opened for modification | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | IExplorer.exe
File created | C:\Windows\tiwi.exe | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
-
Modifies Control Panel 54 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s2359 = "Tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s2359 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\ | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\SwapMouseButtons = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\SwapMouseButtons = "1" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s1159 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s2359 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\SwapMouseButtons = "1" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\ | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s2359 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s1159 = "Tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s2359 = "Tiwi" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s1159 = "Tiwi" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s1159 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s1159 = "Tiwi" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s2359 = "Tiwi" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\s1159 = "Tiwi" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\ | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Desktop\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\Mouse\ | IExplorer.exe
-
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main\ | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | Tiwi.exe
-
Modifies Internet Explorer start page 1 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
-
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | winlogon.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
pid | process
3584 | Tiwi.exe
3452 | imoet.exe
4584 | winlogon.exe
-
Suspicious use of SetWindowsHookEx 36 IoCs
Processes:
pid | process
2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
3584 | Tiwi.exe
1528 | IExplorer.exe
3460 | Tiwi.exe
3068 | IExplorer.exe
3664 | Tiwi.exe
772 | IExplorer.exe
4584 | winlogon.exe
4580 | Tiwi.exe
2008 | winlogon.exe
5096 | IExplorer.exe
3452 | imoet.exe
2464 | Tiwi.exe
3312 | imoet.exe
3732 | winlogon.exe
1644 | IExplorer.exe
2556 | cute.exe
688 | cute.exe
3320 | winlogon.exe
3228 | imoet.exe
1784 | winlogon.exe
4916 | imoet.exe
2776 | cute.exe
5072 | Tiwi.exe
4660 | cute.exe
2480 | IExplorer.exe
4796 | imoet.exe
2188 | winlogon.exe
4536 | Tiwi.exe
648 | cute.exe
2360 | imoet.exe
2940 | IExplorer.exe
5036 | cute.exe
540 | winlogon.exe
4764 | imoet.exe
1436 | cute.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2268 wrote to memory of 3584 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | Tiwi.exe
PID 2268 wrote to memory of 3584 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | Tiwi.exe
PID 2268 wrote to memory of 3584 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | Tiwi.exe
PID 2268 wrote to memory of 1528 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | IExplorer.exe
PID 2268 wrote to memory of 1528 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | IExplorer.exe
PID 2268 wrote to memory of 1528 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | IExplorer.exe
PID 2268 wrote to memory of 3460 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | Tiwi.exe
PID 2268 wrote to memory of 3460 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | Tiwi.exe
PID 2268 wrote to memory of 3460 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | Tiwi.exe
PID 3584 wrote to memory of 3664 | 3584 | Tiwi.exe | Tiwi.exe
PID 3584 wrote to memory of 3664 | 3584 | Tiwi.exe | Tiwi.exe
PID 3584 wrote to memory of 3664 | 3584 | Tiwi.exe | Tiwi.exe
PID 2268 wrote to memory of 3068 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | IExplorer.exe
PID 2268 wrote to memory of 3068 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | IExplorer.exe
PID 2268 wrote to memory of 3068 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | IExplorer.exe
PID 3584 wrote to memory of 772 | 3584 | Tiwi.exe | IExplorer.exe
PID 3584 wrote to memory of 772 | 3584 | Tiwi.exe | IExplorer.exe
PID 3584 wrote to memory of 772 | 3584 | Tiwi.exe | IExplorer.exe
PID 2268 wrote to memory of 4584 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | winlogon.exe
PID 2268 wrote to memory of 4584 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | winlogon.exe
PID 2268 wrote to memory of 4584 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | winlogon.exe
PID 1528 wrote to memory of 4580 | 1528 | IExplorer.exe | Tiwi.exe
PID 1528 wrote to memory of 4580 | 1528 | IExplorer.exe | Tiwi.exe
PID 1528 wrote to memory of 4580 | 1528 | IExplorer.exe | Tiwi.exe
PID 3584 wrote to memory of 2008 | 3584 | Tiwi.exe | winlogon.exe
PID 3584 wrote to memory of 2008 | 3584 | Tiwi.exe | winlogon.exe
PID 3584 wrote to memory of 2008 | 3584 | Tiwi.exe | winlogon.exe
PID 1528 wrote to memory of 5096 | 1528 | IExplorer.exe | IExplorer.exe
PID 1528 wrote to memory of 5096 | 1528 | IExplorer.exe | IExplorer.exe
PID 1528 wrote to memory of 5096 | 1528 | IExplorer.exe | IExplorer.exe
PID 3584 wrote to memory of 3452 | 3584 | Tiwi.exe | imoet.exe
PID 3584 wrote to memory of 3452 | 3584 | Tiwi.exe | imoet.exe
PID 3584 wrote to memory of 3452 | 3584 | Tiwi.exe | imoet.exe
PID 2268 wrote to memory of 3312 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | imoet.exe
PID 2268 wrote to memory of 3312 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | imoet.exe
PID 2268 wrote to memory of 3312 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | imoet.exe
PID 4584 wrote to memory of 2464 | 4584 | winlogon.exe | Tiwi.exe
PID 4584 wrote to memory of 2464 | 4584 | winlogon.exe | Tiwi.exe
PID 4584 wrote to memory of 2464 | 4584 | winlogon.exe | Tiwi.exe
PID 1528 wrote to memory of 3732 | 1528 | IExplorer.exe | winlogon.exe
PID 1528 wrote to memory of 3732 | 1528 | IExplorer.exe | winlogon.exe
PID 1528 wrote to memory of 3732 | 1528 | IExplorer.exe | winlogon.exe
PID 4584 wrote to memory of 1644 | 4584 | winlogon.exe | IExplorer.exe
PID 4584 wrote to memory of 1644 | 4584 | winlogon.exe | IExplorer.exe
PID 4584 wrote to memory of 1644 | 4584 | winlogon.exe | IExplorer.exe
PID 3584 wrote to memory of 688 | 3584 | Tiwi.exe | cute.exe
PID 3584 wrote to memory of 688 | 3584 | Tiwi.exe | cute.exe
PID 3584 wrote to memory of 688 | 3584 | Tiwi.exe | cute.exe
PID 2268 wrote to memory of 2556 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | cute.exe
PID 2268 wrote to memory of 2556 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | cute.exe
PID 2268 wrote to memory of 2556 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | cute.exe
PID 1528 wrote to memory of 3228 | 1528 | IExplorer.exe | imoet.exe
PID 1528 wrote to memory of 3228 | 1528 | IExplorer.exe | imoet.exe
PID 1528 wrote to memory of 3228 | 1528 | IExplorer.exe | imoet.exe
PID 4584 wrote to memory of 3320 | 4584 | winlogon.exe | winlogon.exe
PID 4584 wrote to memory of 3320 | 4584 | winlogon.exe | winlogon.exe
PID 4584 wrote to memory of 3320 | 4584 | winlogon.exe | winlogon.exe
PID 4584 wrote to memory of 4916 | 4584 | winlogon.exe | imoet.exe
PID 4584 wrote to memory of 4916 | 4584 | winlogon.exe | imoet.exe
PID 4584 wrote to memory of 4916 | 4584 | winlogon.exe | imoet.exe
PID 2268 wrote to memory of 1784 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | winlogon.exe
PID 2268 wrote to memory of 1784 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | winlogon.exe
PID 2268 wrote to memory of 1784 | 2268 | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe | winlogon.exe
PID 1528 wrote to memory of 2776 | 1528 | IExplorer.exe | cute.exe
-
System policy modification 1 TTPs 12 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\33376cda4b1584d482ccf20bb3bd47e08bb6e56d1a1be92690a6f5f4455546bc_NeikiAnalytics.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Tiwi.exe (tree depth 2)
Command line: C:\Windows\Tiwi.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Tiwi.exe (tree depth 3)
Command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (tree depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\Tiwi.exe (tree depth 4)
Command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (tree depth 4)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (tree depth 4)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (tree depth 4)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (tree depth 4)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (tree depth 2)
Command line: C:\Windows\system32\IExplorer.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Tiwi.exe (tree depth 3)
Command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (tree depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Tiwi.exe (tree depth 2)
Command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (tree depth 2)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (tree depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Tiwi.exe (tree depth 3)
Command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (tree depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (tree depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (tree depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\Tiwi.exe (tree depth 3)
Command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exe (tree depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (tree depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (tree depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (tree depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (tree depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Modify Registry (9)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
Downloads
-
C:\Tiwi.exe
Filesize: 351KB
-
C:\Users\Admin\AppData\Local\WINDOWS\cute.exe
Filesize: 351KB
-
C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe
Filesize: 351KB
-
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe
Filesize: 45KB
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
Filesize: 351KB
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
Filesize: 351KB
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
Filesize: 351KB
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
Filesize: 45KB
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
Filesize: 45KB
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
Filesize: 45KB
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
Filesize: 351KB
-
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
Filesize: 351KB
-
C:\Windows\SysWOW64\IExplorer.exe
Filesize: 351KB
-
C:\Windows\SysWOW64\shell.exe
Filesize: 351KB
-
C:\Windows\msvbvm60.dll
Filesize: 1.4MB
-
C:\Windows\tiwi.exe
Filesize: 351KB
-
C:\present.txt
Filesize: 729B
-
F:\autorun.inf
Filesize: 39B