Malware Analysis Report

2024-10-19 01:05

Sample ID 240508-nk6m5acf96
Target 84e6c3f628bdc35def9d5d12573431e0_NEIKI
SHA256 501bd7e233abdeeed952af6f9512aac154d599ee3758e56a94e5cb2bf873f3b0
Tags
kpot trickbot banker evasion execution stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

501bd7e233abdeeed952af6f9512aac154d599ee3758e56a94e5cb2bf873f3b0

Threat Level: Known bad

The file 84e6c3f628bdc35def9d5d12573431e0_NEIKI was found to be: Known bad.

Malicious Activity Summary

kpot trickbot banker evasion execution stealer trojan

Trickbot

Kpot family

KPOT

KPOT Core Executable

Trickbot x86 loader

Stops running service(s)

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 11:28

Signatures

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Kpot family

kpot

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 11:28

Reported

2024-05-08 11:30

Platform

win7-20240220-en

Max time kernel

135s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Stops running service(s)

evasion execution

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
PID 2916 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
PID 2916 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
PID 2916 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
PID 2616 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2616 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2616 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2616 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2628 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2628 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2628 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2628 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 2688 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2688 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2040 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
PID 2040 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
PID 2040 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
PID 2040 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
PID 2036 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2036 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe"

C:\Windows\SysWOW64\cmd.exe

/c sc stop WinDefend

C:\Windows\SysWOW64\cmd.exe

/c sc delete WinDefend

C:\Windows\SysWOW64\cmd.exe

/c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Windows\SysWOW64\sc.exe

sc stop WinDefend

C:\Windows\SysWOW64\sc.exe

sc delete WinDefend

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {C30C6707-ED45-4F0C-BBC2-05A9F2BE13F3} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

N/A

Files

memory/2916-4-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2916-17-0x0000000000421000-0x0000000000422000-memory.dmp

memory/2916-15-0x0000000000290000-0x00000000002B9000-memory.dmp

memory/2916-14-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-13-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-12-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-11-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-10-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-9-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-8-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-7-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-6-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-5-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-3-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2916-2-0x0000000000260000-0x0000000000261000-memory.dmp

\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

MD5 84e6c3f628bdc35def9d5d12573431e0
SHA1 bae1643c0f4c044471683c2b35d93152cd6284d1
SHA256 501bd7e233abdeeed952af6f9512aac154d599ee3758e56a94e5cb2bf873f3b0
SHA512 7631ff0d6b713a0388665d9af9177a0189d6ed58243e3e3e4dec276d973af5fa36568bb882fbb382c911ab8bb830fe2149e3f8b00797c9672f093c2cde3640ae

memory/2028-34-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2028-38-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2028-37-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2028-36-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2028-40-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2028-41-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2028-39-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2028-35-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2028-33-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2028-32-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2028-31-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2492-49-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2028-45-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2028-30-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2036-63-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2036-62-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2036-61-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2036-60-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2036-71-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2036-70-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2036-69-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2036-68-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2036-67-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2036-66-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2036-65-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2036-64-0x00000000003D0000-0x00000000003D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 11:28

Reported

2024-05-08 11:30

Platform

win10v2004-20240419-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe"

Signatures

KPOT

trojan stealer kpot

KPOT Core Executable

Description Indicator Process Target
N/A N/A N/A N/A

Trickbot

trojan banker trickbot

Trickbot x86 loader

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3764 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
PID 3764 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
PID 3764 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 2548 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 1000 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 424 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 424 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 424 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 424 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 424 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 424 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 424 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 424 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe
PID 424 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe

"C:\Users\Admin\AppData\Local\Temp\84e6c3f628bdc35def9d5d12573431e0_NEIKI.exe"

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.88:443 www.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 24.247.182.169:449 N/A tcp
US 24.247.182.169:449 N/A tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 24.247.182.169:449 N/A tcp
BR 187.19.17.132:449 N/A tcp

Files

memory/3764-6-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-14-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-13-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-7-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-12-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-11-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-10-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-9-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-8-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-5-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-4-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-3-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-2-0x0000000002130000-0x0000000002131000-memory.dmp

memory/3764-15-0x0000000002160000-0x0000000002189000-memory.dmp

memory/3764-18-0x0000000000400000-0x0000000000472000-memory.dmp

memory/3764-17-0x0000000000421000-0x0000000000422000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\94e7c3f729bdc36def9d6d12683431e0_NFJLJ.exe

MD5 84e6c3f628bdc35def9d5d12573431e0
SHA1 bae1643c0f4c044471683c2b35d93152cd6284d1
SHA256 501bd7e233abdeeed952af6f9512aac154d599ee3758e56a94e5cb2bf873f3b0
SHA512 7631ff0d6b713a0388665d9af9177a0189d6ed58243e3e3e4dec276d973af5fa36568bb882fbb382c911ab8bb830fe2149e3f8b00797c9672f093c2cde3640ae

memory/2548-37-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-40-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2548-36-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-35-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-34-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-33-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-32-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-31-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-30-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-29-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-28-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-27-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-26-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2548-42-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2548-41-0x0000000010000000-0x0000000010007000-memory.dmp

memory/2684-46-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2684-47-0x0000000010000000-0x000000001001E000-memory.dmp

memory/2684-51-0x0000026FED770000-0x0000026FED771000-memory.dmp

memory/2548-52-0x0000000003060000-0x000000000311E000-memory.dmp

memory/2548-53-0x0000000003160000-0x0000000003429000-memory.dmp

memory/1000-69-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-68-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-67-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-66-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-65-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-64-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-63-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-62-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-61-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-60-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-59-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-58-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1000-72-0x0000000000421000-0x0000000000422000-memory.dmp

memory/1000-73-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Roaming\WinSocket\settings.ini

MD5 2b892efdc31ca5db3a273b547a306c75
SHA1 3f277e8e32b3f8cde25dd46d1a08f00054234926
SHA256 85ef35aadd6bba5674d2df11a762e5b086f90f3690e99e745b2fef8a44198957
SHA512 16ff4a40b5dc0d8e377fd940e12c68f32576679e777b9c6ec8f21d3874bd4aa9cc063a7ef1e0a953ef9d54645637dc2191c7ded4568e5969b5430dfc66eea365