kpot | 08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3

General

Target

08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe
Size

1.4MB
MD5

98143cf3aafa5f8f370d552fb99fe360
SHA1

67cc505864cf76a4a448c77230fbb9686be993c6
SHA256

08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3
SHA512

4462b54386fc45613be421b4f366ccc86ba592334e18d7952c5ea03801ac1c39526c4ea07e80203708a3ce8eb631478485f095ac50bebaa8691aff45fb1c442f
SSDEEP

24576:zQ5aILMCfmAUjzX677WOMcT/X2dI7T2FAoUcUOp6doF5ES/mfuOdfHhGEi:E5aIwC+Agr6tdlmU1/eHKO

Score

10^/10

kpot trickbot banker evasion execution stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\WinSocket\09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/2232-15-0x00000000008A0000-0x00000000008C9000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

Processes:

09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe

pid	process
2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
2120	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
1620	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe

Loads dropped DLL 2 IoCs

Processes:

08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe

pid	process
2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe
2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2620 sc.exe
1944 sc.exe
2924 sc.exe
2828 sc.exe

pid	process
2620	sc.exe
1944	sc.exe
2924	sc.exe
2828	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exepowershell.exepowershell.exe

pid	process
2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe
2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe
2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe
2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
2512	powershell.exe
2172	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exe09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe

description	pid	process
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeTcbPrivilege	2120	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
Token: SeTcbPrivilege	1620	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe

pid	process
2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe
2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
2120	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
1620	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.execmd.execmd.exe09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.execmd.exe

description	pid	process	target process
PID 2232 wrote to memory of 2324	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2324	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2324	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2324	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2388	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2388	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2388	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2388	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2640	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2640	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2640	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2640	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	cmd.exe
PID 2232 wrote to memory of 2668	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
PID 2232 wrote to memory of 2668	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
PID 2232 wrote to memory of 2668	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
PID 2232 wrote to memory of 2668	2232	08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
PID 2324 wrote to memory of 2620	2324	cmd.exe	sc.exe
PID 2324 wrote to memory of 2620	2324	cmd.exe	sc.exe
PID 2324 wrote to memory of 2620	2324	cmd.exe	sc.exe
PID 2324 wrote to memory of 2620	2324	cmd.exe	sc.exe
PID 2388 wrote to memory of 2828	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 2828	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 2828	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 2828	2388	cmd.exe	sc.exe
PID 2668 wrote to memory of 2680	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 2680	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 2680	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 2680	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 2808	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 2808	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 2808	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 2808	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 2624	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 2624	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 2624	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 2624	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	cmd.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2640 wrote to memory of 2512	2640	cmd.exe	powershell.exe
PID 2640 wrote to memory of 2512	2640	cmd.exe	powershell.exe
PID 2640 wrote to memory of 2512	2640	cmd.exe	powershell.exe
PID 2640 wrote to memory of 2512	2640	cmd.exe	powershell.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe
PID 2668 wrote to memory of 1648	2668	09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:2620

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:2828

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Users\Admin\AppData\Roaming\WinSocket\09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
3⤵
PID:2680

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
4⤵
- Launches sc.exe
PID:2924

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
3⤵
PID:2808

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
4⤵
- Launches sc.exe
PID:1944

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
PID:2624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1648

C:\Windows\system32\taskeng.exe
taskeng.exe {7653457A-0AAE-488A-9859-164028D3A217} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1700

C:\Users\Admin\AppData\Roaming\WinSocket\09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1444

C:\Users\Admin\AppData\Roaming\WinSocket\09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1644

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5b4db5b2f4c0c7d0e1f876fd0f85365f

SHA1
9b576619e66121f4478cb81fbbf950cfa594ba9c

SHA256
a389101feec4ecefbb429ec4b71fc2a9c9f9d19b0064d42da7364d416b86289d

SHA512
4750d8cb7e377ce38cceb58fba46719c0c19306d7d4eede4cb3b596011a64cc55831481ac2a924bf785e27abf108c0973ee35ff09b1531a8c2e421577d40ba4a

Download Submit
\Users\Admin\AppData\Roaming\WinSocket\09ad7eb8fef39a9c076a799fd4344f1ff46cd1e39f6379a6ba32afedffc087c3_NeikiAnalytict.exe
Filesize
1.4MB

MD5
98143cf3aafa5f8f370d552fb99fe360

SHA1
67cc505864cf76a4a448c77230fbb9686be993c6

SHA256
08ad6eb7fef38a9c065a688fd4344f1ff45cd1e39f5369a5ba32afedffc076c3

SHA512
4462b54386fc45613be421b4f366ccc86ba592334e18d7952c5ea03801ac1c39526c4ea07e80203708a3ce8eb631478485f095ac50bebaa8691aff45fb1c442f

Download Submit
memory/1620-92-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1620-93-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1648-49-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2120-71-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2120-74-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2120-72-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2120-73-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2120-65-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2120-66-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2120-67-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2120-68-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2120-69-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2120-70-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2120-76-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2120-75-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2232-13-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-11-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-5-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-3-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-2-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-9-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-12-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-10-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-8-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-4-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-14-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2232-15-0x00000000008A0000-0x00000000008C9000-memory.dmp

Filesize
164KB

Download
memory/2232-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2232-17-0x0000000000421000-0x0000000000422000-memory.dmp

Filesize
4KB

Download
memory/2668-44-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2668-30-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-32-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-33-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-34-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-35-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-31-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-36-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-39-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-38-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-37-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-40-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2668-45-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2668-41-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads