Analysis

max time kernel: 149s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17/05/2024, 17:52

Static task: static1
Behavioral task: behavioral1
  Sample: 11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: 11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe
Size: 2.6MB
MD5: 11d5d0e3b01a9af1db9a5f9e653b2ef0
SHA1: bb533f397c8fbe7f61f58d162f875d78b74034af
SHA256: aaa6e04bbbc7b6df02648da93524a190bd796dc17b2160a5e10a94b24b7d8e5d
SHA512: 20c6621d184db520bba367815fc90480cc2e2bcd5143704c37ec7abb2d2c7c412d6b546aafed92878cac25b2cb3c9238a35a1268706666825491c81e1466fc70
SSDEEP: 24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4ei:ObCjPKNqQEfsw43qtmVfq4/
Malware Config

Extracted
Protocol: smtp
Host: smtp.mail.me.com
Port: 587
Username: [email protected] (the address is obfuscated by the page's email-protection script and is not recoverable here)
Password: RICHARD205lord
Signatures

Executes dropped EXE (3 IoCs)
  PID 2356  jhdfkldfhndfkjdfnbfklfnf.exe
  PID 1732  winmgr119.exe
  PID 1624  winmgr119.exe

Loads dropped DLL (1 IoC)
  PID 2944  11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
UPX-packed code in memory (yara rule upx, 10 IoCs)
  behavioral1/memory/2448-21-0x0000000000400000-0x000000000048E000-memory.dmp
  behavioral1/memory/2448-23-0x0000000000400000-0x000000000048E000-memory.dmp
  behavioral1/memory/2448-22-0x0000000000400000-0x000000000048E000-memory.dmp
  behavioral1/memory/2448-30-0x0000000000400000-0x000000000048E000-memory.dmp
  behavioral1/memory/2976-33-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral1/memory/2976-34-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral1/memory/2976-35-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral1/memory/2976-74-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral1/memory/3004-115-0x0000000000400000-0x000000000048E000-memory.dmp
  behavioral1/memory/2712-124-0x0000000000400000-0x0000000000491000-memory.dmp
Every dump is taken from one of the cvtres.exe processes (PIDs 2448, 2976, 3004, 2712) that RegAsm.exe wrote into and re-pointed with SetThreadContext (see that signature below), mapped at the default image base 0x400000. The two image sizes (0x8E000 and 0x91000) show that two different UPX-packed payloads are hollowed into the cvtres.exe hosts; those dumps, not the 2.6MB dropper, are the binaries to unpack and analyse.

Accesses Microsoft Outlook accounts (1 TTPs, 2 IoCs)
  Key opened  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  cvtres.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  cvtres.exe
(the two readers are the cvtres.exe hosts PID 2976 and PID 2712, per the process tree)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"  11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"  jhdfkldfhndfkjdfnbfklfnf.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4   icanhazip.com
  flow 6   ipinfo.io
  flow 18  ipinfo.io

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  behavioral1/files/0x000b000000014284-2.dat  autoit_exe
  behavioral1/files/0x002d0000000144e9-9.dat  autoit_exe

Suspicious use of SetThreadContext (8 IoCs)
  PID 2356 jhdfkldfhndfkjdfnbfklfnf.exe  set thread context of  PID 2664 RegAsm.exe  (procid_target 29)
  PID 2664 RegAsm.exe                    set thread context of  PID 2448 cvtres.exe  (32)
  PID 2664 RegAsm.exe                    set thread context of  PID 2976 cvtres.exe  (35)
  PID 2664 RegAsm.exe                    set thread context of  PID 2856 cvtres.exe  (39)
  PID 2356 jhdfkldfhndfkjdfnbfklfnf.exe  set thread context of  PID 2460 RegAsm.exe  (80)
  PID 2460 RegAsm.exe                    set thread context of  PID 3004 cvtres.exe  (83)
  PID 2460 RegAsm.exe                    set thread context of  PID 2712 cvtres.exe  (85)
  PID 2460 RegAsm.exe                    set thread context of  PID 2816 cvtres.exe  (87)
Read together with the WriteProcessMemory entries below, this is a two-stage hollowing chain: the dropped jhdfkldfhndfkjdfnbfklfnf.exe starts the .NET Framework utility RegAsm.exe (with the command line "0"), overwrites its memory and redirects its thread; each RegAsm.exe instance then does the same to three cvtres.exe children. The Microsoft-signed binaries are only hosts, so process-name allow-lists do not help; the parent/child anomaly (RegAsm.exe spawning cvtres.exe, cvtres.exe reading Outlook account keys) is what a detection should key on.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 25 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe PIDs: 1948, 808, 2456, 1724, 1156, 916, 768, 2752, 884, 3004, 1632, 1848, 1396, 1476, 2620, 2132, 2312, 280, 2636, 1852, 2116, 1788, 1440, 1116, 1012
All 25 invocations issue the same command (see the process tree): schtasks /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f, i.e. a task named after the dropped file that relaunches it every minute and, because of /f, silently overwrites any existing task of that name. taskeng.exe (PID 2236) is then seen starting winmgr119.exe twice (PIDs 1732 and 1624) within the run.

Modifies system certificate store (4 IoCs)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  RegAsm.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <binary certificate data not captured>  RegAsm.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <binary certificate data not captured>  RegAsm.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <binary certificate data not captured>  RegAsm.exe
AuthRoot is the store that Windows fills automatically through the root-certificate auto-update when a process first validates a certificate chaining to a root that is not yet cached locally, and that write happens in the context of the process doing the validation. A RegAsm.exe write to AuthRoot during its network activity is therefore consistent with that mechanism rather than with the malware installing its own trust anchor; check whether the thumbprint belongs to a publicly trusted root before promoting it to an IoC.

NTFS ADS (4 IoCs)
  File created                  C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe:Zone.Identifier:$DATA  11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe
  File created                  C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA  jhdfkldfhndfkjdfnbfklfnf.exe
  File created                  C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA  winmgr119.exe
  File opened for modification  C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA  winmgr119.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, grouped by process)
  PID 2944  11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe   1
  PID 2356  jhdfkldfhndfkjdfnbfklfnf.exe                          21
  PID 2664  RegAsm.exe                                             34
  PID 1732  winmgr119.exe                                          1
  PID 1624  winmgr119.exe                                          1
  PID 2460  RegAsm.exe                                             6

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeDebugPrivilege  PID 2664  RegAsm.exe
  Token: SeDebugPrivilege  PID 2448  cvtres.exe
  Token: SeDebugPrivilege  PID 2976  cvtres.exe
  Token: SeDebugPrivilege  PID 2856  cvtres.exe
  Token: SeDebugPrivilege  PID 2460  RegAsm.exe
  Token: SeDebugPrivilege  PID 3004  cvtres.exe
  Token: SeDebugPrivilege  PID 2712  cvtres.exe
  Token: SeDebugPrivilege  PID 2816  cvtres.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2664  RegAsm.exe
  PID 2460  RegAsm.exe

Suspicious use of WriteProcessMemory (64 IoCs, grouped by writer and target)
  PID 2944  11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe  ->  PID 2356  jhdfkldfhndfkjdfnbfklfnf.exe  (procid_target 28)  4 writes
  PID 2356  jhdfkldfhndfkjdfnbfklfnf.exe                         ->  PID 2664  RegAsm.exe                    (29)              9 writes
  PID 2356  jhdfkldfhndfkjdfnbfklfnf.exe                         ->  PID 2752  schtasks.exe                  (30)              4 writes
  PID 2664  RegAsm.exe                                            ->  PID 2448  cvtres.exe                    (32)              8 writes
  PID 2664  RegAsm.exe                                            ->  PID 2976  cvtres.exe                    (35)              8 writes
  PID 2356  jhdfkldfhndfkjdfnbfklfnf.exe                         ->  PID 3004  schtasks.exe                  (37)              4 writes
  PID 2664  RegAsm.exe                                            ->  PID 2856  cvtres.exe                    (39)              7 writes
  PID 2356  jhdfkldfhndfkjdfnbfklfnf.exe                         ->  PID 1476  schtasks.exe                  (41)              4 writes
  PID 2356  jhdfkldfhndfkjdfnbfklfnf.exe                         ->  PID 1116  schtasks.exe                  (43)              4 writes
  PID 2236  taskeng.exe                                           ->  PID 1732  winmgr119.exe                 (46)              4 writes
  PID 2356  jhdfkldfhndfkjdfnbfklfnf.exe                         ->  PID 2620  schtasks.exe                  (49)              4 writes
  PID 2356  jhdfkldfhndfkjdfnbfklfnf.exe                         ->  PID 1852  schtasks.exe                  (51)              4 writes
The list is capped at 64 entries, so it covers only the first RegAsm.exe chain; the second chain (PID 2460 and its cvtres.exe children) appears in the SetThreadContext list above but not here. The uniform four-write groups against schtasks.exe and winmgr119.exe are consistent with ordinary process-creation bookkeeping by the parent; the seven-to-nine-write groups against RegAsm.exe and cvtres.exe are the payload injection.
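The signatures above describe behaviours, not the logic that would catch them on a host. The following Python is an added example (not part of the sandbox report or of any tool it names) that encodes six of them as rules over Sysmon-style process-creation, registry, DNS and network events: a schtasks task firing every minute from a user-writable directory, a Run key pointing into such a directory, RegAsm.exe started without an assembly to register, cvtres.exe spawned by RegAsm.exe, a DNS query to one of the IP-lookup hosts, and an SMTP submission from a process that is not a mail client. The events are hand-constructed from this report's process tree and IoCs; the field names, event IDs and the MAIL_CLIENTS allow-list are assumptions of the example, and two benign control events are included to show the rules do not fire on ordinary developer or vendor activity.

```python
import re

# Rule inputs taken from the report: the IP-lookup hosts and the directories the
# dropper writes to. MAIL_CLIENTS is an assumption (which processes may talk SMTP).
IP_LOOKUP_HOSTS = {"icanhazip.com", "ipinfo.io"}
USER_WRITABLE = re.compile(r"(?i)\\(ProgramData|Users\\[^\\]+\\AppData|Windows\\Temp|Users\\Public)\\")
DOTNET_REGASM = re.compile(r"(?i)\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\RegAsm\.exe$")
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def _switch(cmdline, name):
    """Value following a schtasks switch such as /tr or /sc (quoted or bare), else None."""
    m = re.search(rf'(?i)(?:^|\s){re.escape(name)}\s+(?:"([^"]*)"|(\S+))', cmdline)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _args_only(cmdline):
    """Strip the leading program token so 'RegAsm.exe' itself does not count as an argument."""
    m = re.match(r'\s*(?:"[^"]*\.exe"|\S*\.exe)\s*(.*)$', cmdline, re.I)
    return m.group(1) if m else cmdline


def detect(events):
    """Return (rule, pid) pairs for every event that matches one of the report's behaviours."""
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}   # pid -> image, for parent lookups
    findings = []
    for e in events:
        pid, image = e["pid"], e["image"]
        base = image.rsplit("\\", 1)[-1].lower()
        if e["id"] == 1:                                              # process creation
            cmd = e["cmdline"]
            if base == "schtasks.exe" and "/create" in cmd.lower():
                # Task that fires every N minutes and runs something from a user-writable directory
                tr = _switch(cmd, "/tr") or ""
                if (_switch(cmd, "/sc") or "").lower() == "minute" and USER_WRITABLE.search(tr):
                    findings.append(("schtasks_minute_user_writable", pid))
            if DOTNET_REGASM.search(image) and not re.search(r"(?i)\.(dll|exe)\b", _args_only(cmd)):
                # RegAsm.exe with no assembly on its command line (the report shows just "0")
                findings.append(("regasm_without_assembly", pid))
            if base == "cvtres.exe" and DOTNET_REGASM.search(images.get(e.get("ppid"), "")):
                # cvtres.exe is a compiler helper; RegAsm.exe has no legitimate reason to spawn it
                findings.append(("cvtres_spawned_by_regasm", pid))
        elif e["id"] == 13:                                           # registry value set
            if re.search(r"(?i)\\CurrentVersion\\Run\\", e["target"]) and USER_WRITABLE.search(e["details"]):
                findings.append(("run_key_user_writable", pid))
        elif e["id"] == 22 and e["query"].lower() in IP_LOOKUP_HOSTS:  # DNS query
            findings.append(("external_ip_lookup", pid))
        elif e["id"] == 3 and e["dport"] == 587 and base not in MAIL_CLIENTS:  # network connect
            findings.append(("smtp_submission_from_non_mail_client", pid))
    return findings


REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe"

# Constructed events modelled on the report's process tree and IoCs (not real telemetry).
EVENTS = [
    {"id": 1, "pid": 2944, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"id": 13, "pid": 2944, "image": DROPPER,
     "target": r"HKU\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf",
     "details": r"C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe"},
    {"id": 1, "pid": 2356, "ppid": 2944, "image": r"C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe",
     "cmdline": r"C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe"},
    {"id": 1, "pid": 2664, "ppid": 2356, "image": REGASM, "cmdline": "0"},
    {"id": 1, "pid": 2448, "ppid": 2664, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp8BCB.tmp"'},
    {"id": 1, "pid": 2752, "ppid": 2356, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f'},
    {"id": 22, "pid": 2664, "image": REGASM, "query": "icanhazip.com"},
    {"id": 3, "pid": 2664, "image": REGASM, "dhost": "smtp.mail.me.com", "dport": 587},
    # Benign controls (assumed): a developer registering a COM assembly, a vendor's daily task
    {"id": 1, "pid": 5000, "ppid": 4000, "image": REGASM, "cmdline": r'RegAsm.exe "C:\Users\Admin\src\MyCom.dll" /codebase'},
    {"id": 1, "pid": 5001, "ppid": 4000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"'},
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} PID {pid}")
```

Running the block prints six findings, one per rule, all on the PIDs the report attributes to the dropper chain (2944, 2664, 2448, 2752), and nothing for the two control events. The RegAsm.exe rule deliberately strips the program token first, because an EDR records the full command line rather than the bare "0" the sandbox shows.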
Processes

- C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe  (PID 2944, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\11d5d0e3b01a9af1db9a5f9e653b2ef0_NeikiAnalytics.exe"
  Loads dropped DLL; Adds Run key to start application; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe  (PID 2356, level 2)
    command line: C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
    Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 2664, level 3)
      command line: 0
      Suspicious use of SetThreadContext; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2448, level 4)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp8BCB.tmp"
        Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2976, level 4)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp8C49.tmp"
        Accesses Microsoft Outlook accounts; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2856, level 4)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA04F.tmp"
        Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe  (level 3; 19 invocations, PIDs 2752, 3004, 1476, 1116, 2620, 1852, 1156, 2132, 1012, 1788, 916, 768, 2312, 884, 1948, 2116, 280, 1632, 2636)
      command line (identical in every invocation): C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
      Creates scheduled task(s)
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 2460, level 3)
      command line: 0
      Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 3004, level 4)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpFD14.tmp"
        Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2712, level 4)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpFDE0.tmp"
        Accesses Microsoft Outlook accounts; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 2816, level 4)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpFE10.tmp"
        Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe  (level 3; 6 further invocations, PIDs 2456, 1440, 1396, 1724, 1848, 808)
      command line (identical in every invocation): C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
      Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe  (PID 2236, level 1)
  command line: taskeng.exe {F077E9DC-6E8D-479B-92D3-FB2B942A3C40} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
  Suspicious use of WriteProcessMemory
  - C:\ProgramData\winmgr119.exe  (PID 1732, level 2)
    command line: C:\ProgramData\winmgr119.exe
    Executes dropped EXE; NTFS ADS; Suspicious behavior: EnumeratesProcesses
  - C:\ProgramData\winmgr119.exe  (PID 1624, level 2)
    command line: C:\ProgramData\winmgr119.exe
    Executes dropped EXE; NTFS ADS; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

- Filesize: 16B
  MD5: 1f5946c8f04bb34f9ab08514002d3b2c
  SHA1: 2bcedf7c848953711b03e32d9c8d64399fcb2c2e
  SHA256: 43438697b4eb8b708068b454efc8d4f5d452d2966c1f314630ad1bf4ee325f60
  SHA512: ac3326e915dff6db5ee3b7e8a9aa9a8b453ee45fb4e3e2397a38376c7c64b2d47e4ad9573e3ae5401d266dcc160caf59e929b4910ca3b566a0638c9df295f9a8
- Filesize: 8B
  MD5: bf7db567ebf50a863401d43a5705bff1
  SHA1: 66a6e1e516c4774dbfafc013eb0aa398b37b0bd8
  SHA256: 58758ee9a59edb45d73a9737f652605d4178bfea2d3d1f4dc776e94980cfbd66
  SHA512: 212df73685f6d2806104d314db6bd8da260500e33071277dec7791503a656d752894ddffa4810e5d282ba5ca35088daacf419d1079bdbcc043d94147b1b3fa8e
- Filesize: 8B
  MD5: dec3a465561beb6fb39c71e129e70cd4
  SHA1: 4f18b981bedf9086e9108fdfdc0c138e53db2293
  SHA256: 09edd6ea3fa87005f5328de8f3f4aa60281d9a4455c31b2020abf88f57c283bf
  SHA512: 6c71e74f0b400f401ad5d0a1254616b7ecd9c627fcd380ec18e4bb8c77517d3a57500b517cbe33a0a982ebccd1da10b283efd601b497117301bb9d30865d14cf
- Filesize: 88B
  MD5: 0b187cb1c7efffd179c1b9d14c64f7c9
  SHA1: fe491fe4acbc3b8c43d0993bdaabdafde99b7be5
  SHA256: 0c59e31bae265ee8bb01eca33a59de8b1fc44403fa5979b9bc21a6d8460eb6c8
  SHA512: df643da2f9e6b90b70e2144360657b0c2b9b4b0a552aba14a4f1c73b5e3b882b5d51c6373f91f5975454b3f9857e01cce8c0c02548e94add3ab8368fcf641f09
- Filesize: 2.6MB
  MD5: 4cb3643980d2659d41e289961e968c1a
  SHA1: a47d5c317f8a7a53d482e11e005f8b32bf4af2b6
  SHA256: c7f797f7bfb6a23b171245588830c3139dc9bf45d538c295574a79a9e6654350
  SHA512: 8bdcd51006074234368f66ef429f30aa193164999dd9157bc2c9f7a1abc7befa50fde164d987a044124702ac58187ed7eb84f87034de58a2ee9cab59d76f1d49
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize: 399B
  MD5: e4bf4f7accc657622fe419c0d62419ab
  SHA1: c2856936dd3de05bad0da5ca94d6b521e40ab5a2
  SHA256: b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e
  SHA512: 85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431
- Filesize: 400B
  MD5: de4e5ff058882957cf8a3b5f839a031f
  SHA1: 0b3d8279120fb5fa27efbd9eee89695aa040fc24
  SHA256: ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
  SHA512: a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72
- Filesize: 391B
  MD5: 3525ea58bba48993ea0d01b65ea71381
  SHA1: 1b917678fdd969e5ee5916e5899e7c75a979cf4d
  SHA256: 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
  SHA512: 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986
- Filesize: 2.6MB
  MD5: 00fdefae0eeb41e238a31f129d55f20f
  SHA1: 8c106ef33db72ccd60b008897dfb1ec72aa5ba7c
  SHA256: 6c1470d3a8dfc943a840edf9fedfaa0aabae0c1a72a1bce82811aa5f1d01619d
  SHA512: 979e5badfb1e093af29c6f457778a5efc568ed90fdea935a54cf285254ebea74f445a4539dc87deee2ed10a6d4398a007b331bf73366e9f4998d178e0ae15531
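The hashes in the General and Downloads sections only become useful once they are compared against files on a host. This added Python (my example, not part of the report or of the sandbox) turns a subset of them, together with the dropped-file paths, the Run value name and the task name that appear elsewhere on this page, into an IoC table, hashes each file once with all four algorithms in a streaming pass, and reports any hash or path hit. Which report entries to include, the labels attached to them, and the sample bytes in the usage call are the example's assumptions; the digests themselves are copied from this page.

```python
import hashlib
import os
import sys

# Subset of this report's hashes, lower-case hex -> label (sample plus dropped files).
HASH_IOCS = {
    "11d5d0e3b01a9af1db9a5f9e653b2ef0": "sample 11d5d0e3..._NeikiAnalytics.exe (MD5)",
    "bb533f397c8fbe7f61f58d162f875d78b74034af": "sample 11d5d0e3..._NeikiAnalytics.exe (SHA1)",
    "aaa6e04bbbc7b6df02648da93524a190bd796dc17b2160a5e10a94b24b7d8e5d": "sample 11d5d0e3..._NeikiAnalytics.exe (SHA256)",
    "c7f797f7bfb6a23b171245588830c3139dc9bf45d538c295574a79a9e6654350": "dropped 2.6MB file (SHA256)",
    "6c1470d3a8dfc943a840edf9fedfaa0aabae0c1a72a1bce82811aa5f1d01619d": "dropped 2.6MB file (SHA256)",
    "1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184": "dropped 68KB file (SHA256)",
    "67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34": "dropped 177KB file (SHA256)",
}
# Host artefacts named in the report: full dropped-file paths, and the file / Run value / task names.
PATH_IOCS = {r"c:\programdata\jhdfkldfhndfkjdfnbfklfnf.exe", r"c:\programdata\winmgr119.exe"}
NAME_IOCS = {"jhdfkldfhndfkjdfnbfklfnf.exe", "jhdfkldfhndfkjdfnbfklfnf", "winmgr119.exe"}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def hash_stream(chunks):
    """Digest an iterable of byte chunks with all four algorithms in a single pass."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data):
    return hash_stream([data])


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through hash_stream so multi-megabyte droppers are not read into memory whole."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(chunk_size), b""))


def match_hashes(digests):
    """Return (algorithm, label) for every digest present in HASH_IOCS, case-insensitively."""
    return [(a, HASH_IOCS[d.lower()]) for a, d in digests.items() if d.lower() in HASH_IOCS]


def match_path(path):
    """Flag a full path from the report, or a basename equal to a dropped-file/task name."""
    p = path.replace("/", "\\").lower()
    hits = []
    if p in PATH_IOCS:
        hits.append("known dropped-file path")
    if p.rsplit("\\", 1)[-1] in NAME_IOCS:
        hits.append("known dropped-file name")
    return hits


def scan_tree(root):
    """Yield (path, path_hits, hash_hits) for every file under root that matches anything."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                hash_hits = match_hashes(hash_file(path))
            except OSError:
                continue                      # unreadable or vanished file; keep scanning
            path_hits = match_path(path)
            if hash_hits or path_hits:
                yield path, path_hits, hash_hits


if __name__ == "__main__":
    # Constructed sample: a byte string that is certainly not in the IoC table.
    print(match_hashes(hash_bytes(b"abc")))                 # []
    print(match_path(r"C:\ProgramData\winmgr119.exe"))      # both path and name hit
    for path, path_hits, hash_hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, path_hits, hash_hits)
```

Run it with a directory argument to sweep that tree (for instance a mounted image's ProgramData). Path hits are weaker evidence than hash hits, since the names are trivially changed between builds, which is why the scan reports the two kinds separately rather than merging them into one score.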