Analysis
-
max time kernel
147s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
15/05/2024, 11:14
Static task
static1
Behavioral task
behavioral1
Sample
cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
-
Size
2.6MB
-
MD5
cf280305bfeb9c9d4c0d6f479ad12840
-
SHA1
7b6b2ae638196065cf6bf87ab59710ef9ade42f5
-
SHA256
d7d771d27ed3aeeced41548568292535d6c9d06fb1ce557fcbea21233880a653
-
SHA512
65edeca3f63b6d40ee1eae8728809a557580e0b57463bf15f824e4bb7ef121d74b4e2a975e6f555cd6e55925d2b03fed75ce6a1639fbc035e931bbcd90d73cec
-
SSDEEP
24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4e7:ObCjPKNqQEfsw43qtmVfq40
Malware Config
Extracted
Protocol: smtp
Host: smtp.mail.me.com
Port: 587
Username: [email protected]
Password: RICHARD205lord
(smtp.mail.me.com:587 is Apple's iCloud Mail submission endpoint, so the stolen data leaves the host as ordinary outbound mail through an attacker-controlled iCloud mailbox. The account above is what to report and block; SMTP submission to this host from a process that is not a mail client is the network-side detection.)
Signatures
-
Executes dropped EXE 3 IoCs
pid | Process
2780 | jhdfkldfhndfkjdfnbfklfnf.exe
332 | winmgr119.exe
1628 | winmgr119.exe
-
Loads dropped DLL 1 IoCs
pid | Process
1212 | cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX-packed code in memory (yara rule upx) 8 IoCs
All eight hits are in the memory of PIDs 2508 and 2804, the two cvtres.exe children that RegAsm.exe injected into (see "Suspicious use of SetThreadContext"), so the rule matched the injected image at its 0x400000 base and not the AutoIT sample on disk.
resource | yara_rule
behavioral1/memory/2508-23-0x0000000000400000-0x000000000048E000-memory.dmp | upx
behavioral1/memory/2508-24-0x0000000000400000-0x000000000048E000-memory.dmp | upx
behavioral1/memory/2508-25-0x0000000000400000-0x000000000048E000-memory.dmp | upx
behavioral1/memory/2508-30-0x0000000000400000-0x000000000048E000-memory.dmp | upx
behavioral1/memory/2804-34-0x0000000000400000-0x0000000000491000-memory.dmp | upx
behavioral1/memory/2804-35-0x0000000000400000-0x0000000000491000-memory.dmp | upx
behavioral1/memory/2804-36-0x0000000000400000-0x0000000000491000-memory.dmp | upx
behavioral1/memory/2804-74-0x0000000000400000-0x0000000000491000-memory.dmp | upx
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | cvtres.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe" | cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe" | jhdfkldfhndfkjdfnbfklfnf.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ipinfo.io
2 | icanhazip.com
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000f00000001226b-2.dat | autoit_exe
behavioral1/files/0x0036000000014574-9.dat | autoit_exe
-
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 2780 set thread context of 2708 | 2780 | jhdfkldfhndfkjdfnbfklfnf.exe | 29
PID 2708 set thread context of 2508 | 2708 | RegAsm.exe | 32
PID 2708 set thread context of 2804 | 2708 | RegAsm.exe | 35
PID 2708 set thread context of 2980 | 2708 | RegAsm.exe | 39
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2408, 2180, 2044, 792, 1792, 1644, 900, 2388, 2544, 2764, 496, 448, 1416, 2944, 1576, 2616, 2668, 2852, 1232, 1740, 2964, 1672, 2516, 2796 | schtasks.exe (24 instances, identical command line; see the process tree)
-
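The Run-key entry and the schtasks entries above are the two persistence mechanisms this run shows: an autorun value pointing into C:\ProgramData, and a task that fires every minute and whose action also lives in C:\ProgramData. The following is an added example, not code from the report or from the sandbox: it applies those two checks to a constructed event stream whose shapes (type/cmdline/key/data) are the example's own, loosely modelled on Sysmon event 1 (process create) and event 13 (registry value set). The positive cases are the report's own schtasks command line and Run value; the benign entries are constructed controls.

```python
"""Score persistence artefacts of the two kinds this report records.

Added example, not code from the report or the sandbox. The event shapes
(type/cmdline/key/data) are the example's own, loosely modelled on Sysmon
event 1 (process create) and event 13 (registry value set). Positive cases
are the report's schtasks command line and Run value; the benign entries
are constructed controls.
"""
import re

# Directories an unprivileged user can write to; an autorun or task action
# rooted here deserves a look, a Program Files / System32 one usually not.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")

# One schtasks switch and its (optional, possibly quoted) argument.
TASK_OPT_RE = re.compile(r'/(?P<key>\w+)(?:\s+(?P<val>"[^"]*"|(?!/)\S+))?')

# Any Run / RunOnce key, under HKCU, HKLM or the \REGISTRY\USER\<SID> form.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return {switch: value} for a 'schtasks /create' command line, else None."""
    if "schtasks" not in cmdline.lower():
        return None
    opts = {m["key"].lower(): (m["val"] or "").strip('"')
            for m in TASK_OPT_RE.finditer(cmdline)}
    return opts if "create" in opts else None


def task_findings(cmdline):
    """Heuristics for a scheduled-task creation; [] means nothing notable."""
    opts = parse_schtasks(cmdline)
    if not opts:
        return []
    findings = []
    mo = opts.get("mo", "")
    if opts.get("sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        findings.append("short-interval trigger")  # fires every <= 5 minutes
    if any(p in opts.get("tr", "").lower() for p in USER_WRITABLE):
        findings.append("action in user-writable path")
    if opts.get("tn", "").lower().endswith(".exe"):
        findings.append("task name is a file name")
    return findings


def runkey_findings(key_path, value_data):
    """Flag a Run/RunOnce value whose target lives in a user-writable directory."""
    if not RUN_KEY_RE.search(key_path):
        return []
    target = value_data.strip('"').lower()
    if any(p in target for p in USER_WRITABLE):
        return ["autorun from user-writable path"]
    return []


def triage(events):
    """Return [(index, findings)] for every event that raised at least one finding."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            f = task_findings(ev["cmdline"])
        elif ev["type"] == "registry":
            f = runkey_findings(ev["key"], ev["data"])
        else:
            f = []
        if f:
            hits.append((i, f))
    return hits


# Constructed event stream: indices 0 and 2 are taken from the report,
# the rest are benign controls made up for this example.
EVENTS = [
    {"type": "process",
     "cmdline": r'C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f'},
    {"type": "process",
     "cmdline": r'C:\Windows\System32\schtasks.exe /create /sc daily /st 03:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"type": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf",
     "data": r"C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe"},
    {"type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"type": "process",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0"},
]

if __name__ == "__main__":
    for index, findings in triage(EVENTS):
        print(index, EVENTS[index]["type"], findings)
```

The three task heuristics are deliberately independent: a one-minute trigger alone is how some updaters behave, and a ProgramData action alone is common for per-machine installers, but the report's task hits all three at once, which is what makes it worth a look. The directory list is the obvious place to tune for a given fleet.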
Modifies system certificate store 4 IoCs
RegAsm.exe (PID 2708) writes a root certificate into the machine-wide AuthRoot store. The blob decodes to the public Comodo root (O=Comodo CA Limited, CN=AAA Certificate Services, serial 1, valid 2004-01-01 to 2028-12-31, SHA-1 thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349), and AuthRoot is the store that CryptoAPI's automatic root update fills when a process validates a chain to a root it has not cached yet, for example during an outbound TLS connection. Treat this as a side effect of the injected code making network connections, not as the malware installing its own CA.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | RegAsm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (same blob as above; duplicate elided by the extractor) | RegAsm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (same blob as above; duplicate elided by the extractor) | RegAsm.exe
-
NTFS ADS 4 IoCs
description | ioc | Process
File created | C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA | jhdfkldfhndfkjdfnbfklfnf.exe
File created | C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA | winmgr119.exe
File opened for modification | C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA | winmgr119.exe
File created | C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe:Zone.Identifier:$DATA | cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
pid | Process | entries in the raw list
1212 | cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe | 1
2780 | jhdfkldfhndfkjdfnbfklfnf.exe | 25
2708 | RegAsm.exe | 34
332 | winmgr119.exe | 1
1628 | winmgr119.exe | 1
(62 entries, collapsed by pid)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2708 | RegAsm.exe
Token: SeDebugPrivilege | 2508 | cvtres.exe
Token: SeDebugPrivilege | 2804 | cvtres.exe
Token: SeDebugPrivilege | 2980 | cvtres.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2708 | RegAsm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
pid | Process | wrote to memory of | procid_target | entries in the raw list
1212 | cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe | 2780 | 28 | 4
2780 | jhdfkldfhndfkjdfnbfklfnf.exe | 2708 | 29 | 9
2780 | jhdfkldfhndfkjdfnbfklfnf.exe | 2764 | 30 | 4
2708 | RegAsm.exe | 2508 | 32 | 8
2708 | RegAsm.exe | 2804 | 35 | 8
2780 | jhdfkldfhndfkjdfnbfklfnf.exe | 2044 | 37 | 4
2708 | RegAsm.exe | 2980 | 39 | 7
2780 | jhdfkldfhndfkjdfnbfklfnf.exe | 792 | 41 | 4
2780 | jhdfkldfhndfkjdfnbfklfnf.exe | 1232 | 43 | 4
2016 | taskeng.exe | 332 | 48 | 4
2780 | jhdfkldfhndfkjdfnbfklfnf.exe | 496 | 49 | 4
2780 | jhdfkldfhndfkjdfnbfklfnf.exe | 1792 | 51 | 4
(64 entries, collapsed by source/target pair. The list stops at 64, so the later launches in the run, the remaining schtasks.exe children of 2780 and the second winmgr119.exe instance, PID 1628, do not appear in it.)
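Every ordinary process launch in this run shows up in the WriteProcessMemory list above, including taskeng.exe starting winmgr119.exe and jhdfkldfhndfkjdfnbfklfnf.exe starting schtasks.exe, so "wrote to memory" on its own is not the injection signal. What separates the injection chain from launch noise is the parent also calling SetThreadContext on the same child. The following is an added example, not code from the report: it parses a constructed subset of the report's SetThreadContext and WriteProcessMemory entries, written in the report's own line format, pairs them per parent/child edge, and recovers the chain jhdfkldfhndfkjdfnbfklfnf.exe -> RegAsm.exe -> three cvtres.exe instances while leaving the plain launches (1212 -> 2780, taskeng.exe -> winmgr119.exe) unflagged.

```python
"""Recover the process-injection chain from sandbox signature lines.

Added example, not part of the report: parses "set thread context of" and
"wrote to memory of" entries in the report's own line format and pairs
them. A parent that writes into a child AND replaces its thread context is
flagged as a hollowing candidate; a parent that only writes memory is
treated as an ordinary launch.
"""
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the report's entries, in the report's format,
# plus one malformed line to show that parsing is tolerant.
SET_CONTEXT_LOG = """\
PID 2780 set thread context of 2708 2780 jhdfkldfhndfkjdfnbfklfnf.exe 29
PID 2708 set thread context of 2508 2708 RegAsm.exe 32
PID 2708 set thread context of 2804 2708 RegAsm.exe 35
PID 2708 set thread context of 2980 2708 RegAsm.exe 39
"""

WRITE_MEMORY_LOG = """\
PID 1212 wrote to memory of 2780 1212 cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe 28
PID 2780 wrote to memory of 2708 2780 jhdfkldfhndfkjdfnbfklfnf.exe 29
PID 2780 wrote to memory of 2708 2780 jhdfkldfhndfkjdfnbfklfnf.exe 29
PID 2780 wrote to memory of 2764 2780 jhdfkldfhndfkjdfnbfklfnf.exe 30
PID 2708 wrote to memory of 2508 2708 RegAsm.exe 32
PID 2708 wrote to memory of 2804 2708 RegAsm.exe 35
PID 2708 wrote to memory of 2980 2708 RegAsm.exe 39
PID 2016 wrote to memory of 332 2016 taskeng.exe 48
this line is malformed and must be skipped
"""

# "PID <src> <verb> <dst> <src again> <src image> <sandbox procid of dst>"
LINE_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)"
)


def parse(log):
    """Yield (src_pid, verb, dst_pid, src_image) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            yield int(m["src"]), m["verb"], int(m["dst"]), m["image"]


def classify(set_ctx_log, write_mem_log):
    """Map each (src, dst) edge to a verdict and each src pid to its image name.

    'hollowing-candidate': memory written and thread context replaced.
    'write-only': memory written but context untouched (launch noise).
    'context-only': SetThreadContext without a logged write (still suspicious).
    """
    writes, contexts, images = Counter(), set(), {}
    for src, _verb, dst, image in parse(write_mem_log):
        writes[(src, dst)] += 1
        images[src] = image
    for src, _verb, dst, image in parse(set_ctx_log):
        contexts.add((src, dst))
        images[src] = image
    verdicts = {}
    for edge in set(writes) | contexts:
        if edge in contexts and edge in writes:
            verdicts[edge] = "hollowing-candidate"
        elif edge in contexts:
            verdicts[edge] = "context-only"
        else:
            verdicts[edge] = "write-only"
    return verdicts, images


def injection_chain(verdicts, root):
    """Depth-first list of pids that received injected code, starting at root."""
    children = defaultdict(list)
    for (src, dst), verdict in verdicts.items():
        if verdict != "write-only":
            children[src].append(dst)
    chain, stack = [], [root]
    while stack:
        pid = stack.pop()
        if pid != root:
            chain.append(pid)
        stack.extend(sorted(children[pid], reverse=True))
    return chain


def report(set_ctx_log, write_mem_log):
    """One human-readable line per edge that is more than a plain launch."""
    verdicts, images = classify(set_ctx_log, write_mem_log)
    return [f"{images.get(src, '?')} ({src}) -> {dst}: {verdict}"
            for (src, dst), verdict in sorted(verdicts.items())
            if verdict != "write-only"]


if __name__ == "__main__":
    for line in report(SET_CONTEXT_LOG, WRITE_MEMORY_LOG):
        print(line)
    verdicts, _ = classify(SET_CONTEXT_LOG, WRITE_MEMORY_LOG)
    print("chain from 2780:", injection_chain(verdicts, 2780))
```

The same pairing works on live telemetry: Sysmon has no SetThreadContext event, but EDR products that record thread-context changes can be joined against process-creation and cross-process write events the same way, and the "context-only" verdict is there so an edge whose write was lost to a capped list (as the 64-entry cap above does) is still surfaced.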
Processes
Parent/child tree, indented. Each entry gives the image path, the PID, the command line as captured, and the signatures that process triggered. Reading it top to bottom: the AutoIT sample (1212) drops and runs a second AutoIT stage (2780); that stage injects into RegAsm.exe (2708, SetThreadContext) and at the same time re-registers an every-minute scheduled task for C:\ProgramData\winmgr119.exe twenty-four times; RegAsm.exe injects into three cvtres.exe instances, one of which (2804) is where the Outlook account lookup happens. taskeng.exe (2016) is the Task Scheduler engine, and its two winmgr119.exe children are that task firing during the run.

- C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe (PID 1212)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\cf280305bfeb9c9d4c0d6f479ad12840_NeikiAnalytics.exe"
  Loads dropped DLL; Adds Run key to start application; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe (PID 2780)
    cmdline: C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
    Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 2708)
      cmdline: 0
      Suspicious use of SetThreadContext; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2508)
        cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp9157.tmp"
        Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2804)
        cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp9223.tmp"
        Accesses Microsoft Outlook accounts; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2980)
        cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA667.tmp"
        Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (24 instances: PIDs 2764, 2044, 792, 1232, 496, 1792, 448, 1740, 1644, 2964, 900, 2944, 1416, 2388, 1672, 1576, 2408, 2180, 2616, 2668, 2516, 2796, 2544, 2852)
      cmdline, identical for all 24: C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
      Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe (PID 2016)
  cmdline: taskeng.exe {861DCD1A-8777-4CE5-8607-66F370BAE38F} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
  Suspicious use of WriteProcessMemory
  - C:\ProgramData\winmgr119.exe (PID 332)
    cmdline: C:\ProgramData\winmgr119.exe
    Executes dropped EXE; NTFS ADS; Suspicious behavior: EnumeratesProcesses
  - C:\ProgramData\winmgr119.exe (PID 1628)
    cmdline: C:\ProgramData\winmgr119.exe
    Executes dropped EXE; NTFS ADS; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
Files written during the run, hashes only (this extract carries no paths).

- Filesize: 8B
  MD5: ed0124f2edabcd6ff87b61312dee9b47
  SHA1: 627deb090d4de5985e5e76b84cec23facdb846ba
  SHA256: 21f2bb3e0ff41148a8708299d8dc5d6bdf6f6f7326de2ab725a2ab323aecd20c
  SHA512: 1dd511bbe99a930cc7f7a4262d17e1de773f7f5a7d0d6579574f0df3c817c6ea0474c6db91bb672fdb7f760d6976ba4430f4ca0c471432432302ec6f0d84fb4e
- Filesize: 2.6MB
  MD5: 6249a5425d4d3baa42295bc774182561
  SHA1: 28f644257326cd6a5617662b73af17e7ee1fcf6e
  SHA256: 725df0b2314d9dfea223c5b3044017992e90d10d608b1471074b730abdf4fd8f
  SHA512: 13d83599407eccbfbc72176118f51cc0464cc4c68f27ed320a3af6ec9fc3fc27d6d8399a33a5244c109eef043f08c515d3bd3841040d2e09635a5a6dc6e47558
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize: 399B
  MD5: e4bf4f7accc657622fe419c0d62419ab
  SHA1: c2856936dd3de05bad0da5ca94d6b521e40ab5a2
  SHA256: b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e
  SHA512: 85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431
- Filesize: 400B
  MD5: de4e5ff058882957cf8a3b5f839a031f
  SHA1: 0b3d8279120fb5fa27efbd9eee89695aa040fc24
  SHA256: ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
  SHA512: a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72
- Filesize: 391B
  MD5: 3525ea58bba48993ea0d01b65ea71381
  SHA1: 1b917678fdd969e5ee5916e5899e7c75a979cf4d
  SHA256: 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
  SHA512: 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986
- Filesize: 2.6MB
  MD5: e6e76737fc9f0394c7afde7f06d6ff60
  SHA1: d36336f4f9f71775325a43c55e6010ad480c4fdc
  SHA256: 83c2da139c89e89bdea5db45c6b92f7588dda711a5de200361a44ba982451c99
  SHA512: f06d40e867b9c187e43f2f97966799b415798165e9203cdfe013fc0470424ad46d0b87eeed974e5a0aed987f5be71431097764e0ddbcc2d831b98741912def49