Malware Analysis Report

2024-10-19 01:05

Sample ID 240508-njajasaa91
Target 825fd4e7bacce35f9d3999a4c28c3c40_NEIKI
SHA256 21e516d51c181024b685554ae22760bc59d0485e8dffaaa99322597844bf000e
Tags
kpot trickbot banker evasion execution stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

21e516d51c181024b685554ae22760bc59d0485e8dffaaa99322597844bf000e

Threat Level: Known bad

The file 825fd4e7bacce35f9d3999a4c28c3c40_NEIKI was found to be: Known bad.

Malicious Activity Summary

kpot trickbot banker evasion execution stealer trojan

Trickbot x86 loader

Trickbot

KPOT

Kpot family

KPOT Core Executable

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-05-08 11:25

Signatures

KPOT Core Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Kpot family

kpot

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 11:25

Reported

2024-05-08 11:27

Platform

win7-20240221-en

Max time kernel

135s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\825fd4e7bacce35f9d3999a4c28c3c40_NEIKI.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stops running service(s)

evasion execution

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1720 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\825fd4e7bacce35f9d3999a4c28c3c40_NEIKI.exe | C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\825fd4e7bacce35f9d3999a4c28c3c40_NEIKI.exe | C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\825fd4e7bacce35f9d3999a4c28c3c40_NEIKI.exe | C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2612 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 2104 wrote to memory of 2652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\sc.exe
PID 1720 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\825fd4e7bacce35f9d3999a4c28c3c40_NEIKI.exe | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe
PID 2648 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | C:\Windows\system32\svchost.exe
PID 2644 wrote to memory of 644 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe
PID 644 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\825fd4e7bacce35f9d3999a4c28c3c40_NEIKI.exe | "C:\Users\Admin\AppData\Local\Temp\825fd4e7bacce35f9d3999a4c28c3c40_NEIKI.exe"
C:\Windows\SysWOW64\cmd.exe | /c sc stop WinDefend
C:\Windows\SysWOW64\cmd.exe | /c sc delete WinDefend
C:\Windows\SysWOW64\cmd.exe | /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\sc.exe | sc delete WinDefend
C:\Windows\SysWOW64\sc.exe | sc stop WinDefend
C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe | taskeng.exe {F11D5BA7-2ED5-4E53-B9EE-6765F605985C} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe

Network

N/A

Files

\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe

MD5 825fd4e7bacce35f9d3999a4c28c3c40
SHA1 56c582db4d568babbb70a60de6e475a54db9a2b7
SHA256 21e516d51c181024b685554ae22760bc59d0485e8dffaaa99322597844bf000e
SHA512 42a2ac455c080452bea89c4fa4b40b382f47cfedef4200849987633bf5da9b1c206b778333c22834b05ecebb2001889e80166d62c3a84122481b335801ab4d89


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 11:25

Reported

2024-05-08 11:27

Platform

win10v2004-20240419-en

Max time kernel

135s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\825fd4e7bacce35f9d3999a4c28c3c40_NEIKI.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3396 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\825fd4e7bacce35f9d3999a4c28c3c40_NEIKI.exe | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe
PID 1632 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | C:\Windows\system32\svchost.exe
PID 4744 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | C:\Windows\system32\svchost.exe
PID 2032 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\825fd4e7bacce35f9d3999a4c28c3c40_NEIKI.exe | "C:\Users\Admin\AppData\Local\Temp\825fd4e7bacce35f9d3999a4c28c3c40_NEIKI.exe"
C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe | C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.129:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp
US | 24.217.192.131:449 | | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 24.217.192.131:449 | | tcp

Files

C:\Users\Admin\AppData\Roaming\WinSocket\926fd4e8bacce36f9d3999a4c29c3c40_NFJLJ.exe

MD5 825fd4e7bacce35f9d3999a4c28c3c40
SHA1 56c582db4d568babbb70a60de6e475a54db9a2b7
SHA256 21e516d51c181024b685554ae22760bc59d0485e8dffaaa99322597844bf000e
SHA512 42a2ac455c080452bea89c4fa4b40b382f47cfedef4200849987633bf5da9b1c206b778333c22834b05ecebb2001889e80166d62c3a84122481b335801ab4d89

C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

MD5 0ab9e2cbecabbc157af46b187e6b801d
SHA1 8b47946539c24dc6e5a5349451b7a06a740e968a
SHA256 42d50c6055d284c672d566c0919432798efbab09d2d075b8351828c3ae37763d
SHA512 0452560ecfb7168b59f48944e816c91fa27afce355bd680631fa72d51b429929b3e2d07cfe903d9cde31c05049535edb673a67e514c577078ca62955db21b8f7