3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 10:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe
Size

19KB
MD5

fe2c9c26d70c7a4d2c46b024a6a12a40
SHA1

e1a3da5e395e75524693dddd8aef938aa02161d5
SHA256

3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79
SHA512

0099e9f97d3813326f445e804405e9fb39bee28b6bae7baddb228ae762ce02930ed04aff20fe500ee5c823b7b325031a3b47d04b81fe1f02db4e0dc764bca309
SSDEEP

384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh5Q0yQGU2LL/:g5BOFKksO1mE9B77777J77c77c77c71G

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\14004BA.exe\""	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\14004BA.exe\""	14004BA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\14004BA.exe\""	14004BARQRVRX.exe

Executes dropped EXE 5 IoCs

pid	Process
2712	14004BA.exe
1248	14004BARQRVRX.exe
2160	14004BARQRVRX.exe
3064	14004BA.exe
1976	14004BA.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2068-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x002e000000014698-7.dat	upx
behavioral1/memory/2712-16-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x0009000000014a94-20.dat	upx
behavioral1/memory/1248-21-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2160-27-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2160-29-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/3064-36-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1976-37-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1976-43-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2068-45-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-46-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-47-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-48-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-51-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-53-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-54-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-55-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-56-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-57-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-58-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-59-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-60-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-61-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-62-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-63-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-64-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-66-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-67-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-69-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-68-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-70-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-72-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-73-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-74-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1248-75-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2712-76-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\14004BA.exe = "C:\\Windows\\14004BA.exe"	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\14004BA.exe = "C:\\Windows\\14004BA.exe"	14004BA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\14004BA.exe = "C:\\Windows\\14004BA.exe"	14004BARQRVRX.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\14004BA.exe	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe
File opened for modification	C:\Windows\14004BARQRVRX.exe	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
480	TASKKILL.exe
2604	TASKKILL.exe
2300	TASKKILL.exe
2596	TASKKILL.exe
2640	TASKKILL.exe
2660	TASKKILL.exe
2756	TASKKILL.exe
2664	TASKKILL.exe
1704	TASKKILL.exe
1624	TASKKILL.exe
2076	TASKKILL.exe
2844	TASKKILL.exe
2264	TASKKILL.exe
2512	TASKKILL.exe
760	TASKKILL.exe
1792	TASKKILL.exe
2824	TASKKILL.exe
664	TASKKILL.exe
2668	TASKKILL.exe
1804	TASKKILL.exe
3008	TASKKILL.exe
2548	TASKKILL.exe
328	TASKKILL.exe
1296	TASKKILL.exe
1712	TASKKILL.exe
2016	TASKKILL.exe
2616	TASKKILL.exe
2600	TASKKILL.exe
2620	TASKKILL.exe
2324	TASKKILL.exe
2172	TASKKILL.exe
1632	TASKKILL.exe
2652	TASKKILL.exe
1932	TASKKILL.exe
1824	TASKKILL.exe
1848	TASKKILL.exe
1076	TASKKILL.exe
2052	TASKKILL.exe
1332	TASKKILL.exe
1200	TASKKILL.exe
1516	TASKKILL.exe
376	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	TASKKILL.exe
Token: SeDebugPrivilege	2640	TASKKILL.exe
Token: SeDebugPrivilege	2652	TASKKILL.exe
Token: SeDebugPrivilege	2756	TASKKILL.exe
Token: SeDebugPrivilege	2844	TASKKILL.exe
Token: SeDebugPrivilege	2512	TASKKILL.exe
Token: SeDebugPrivilege	2596	TASKKILL.exe
Token: SeDebugPrivilege	3008	TASKKILL.exe
Token: SeDebugPrivilege	2264	TASKKILL.exe
Token: SeDebugPrivilege	2664	TASKKILL.exe
Token: SeDebugPrivilege	2616	TASKKILL.exe
Token: SeDebugPrivilege	2824	TASKKILL.exe
Token: SeDebugPrivilege	760	TASKKILL.exe
Token: SeDebugPrivilege	2660	TASKKILL.exe
Token: SeDebugPrivilege	664	TASKKILL.exe
Token: SeDebugPrivilege	2620	TASKKILL.exe
Token: SeDebugPrivilege	2548	TASKKILL.exe
Token: SeDebugPrivilege	1932	TASKKILL.exe
Token: SeDebugPrivilege	2668	TASKKILL.exe
Token: SeDebugPrivilege	1824	TASKKILL.exe
Token: SeDebugPrivilege	1712	TASKKILL.exe
Token: SeDebugPrivilege	480	TASKKILL.exe
Token: SeDebugPrivilege	1296	TASKKILL.exe
Token: SeDebugPrivilege	2604	TASKKILL.exe
Token: SeDebugPrivilege	328	TASKKILL.exe
Token: SeDebugPrivilege	2324	TASKKILL.exe
Token: SeDebugPrivilege	1076	TASKKILL.exe
Token: SeDebugPrivilege	2600	TASKKILL.exe
Token: SeDebugPrivilege	1848	TASKKILL.exe
Token: SeDebugPrivilege	2300	TASKKILL.exe
Token: SeDebugPrivilege	2052	TASKKILL.exe
Token: SeDebugPrivilege	2016	TASKKILL.exe
Token: SeDebugPrivilege	1632	TASKKILL.exe
Token: SeDebugPrivilege	1704	TASKKILL.exe
Token: SeDebugPrivilege	2172	TASKKILL.exe
Token: SeDebugPrivilege	1804	TASKKILL.exe
Token: SeDebugPrivilege	1332	TASKKILL.exe
Token: SeDebugPrivilege	1200	TASKKILL.exe
Token: SeDebugPrivilege	1792	TASKKILL.exe
Token: SeDebugPrivilege	376	TASKKILL.exe
Token: SeDebugPrivilege	1624	TASKKILL.exe
Token: SeDebugPrivilege	1516	TASKKILL.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe
2712	14004BA.exe
1248	14004BARQRVRX.exe
2160	14004BARQRVRX.exe
3064	14004BA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2076	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 2076	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 2076	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 2076	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	28
PID 2068 wrote to memory of 3008	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	29
PID 2068 wrote to memory of 3008	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	29
PID 2068 wrote to memory of 3008	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	29
PID 2068 wrote to memory of 3008	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	29
PID 2068 wrote to memory of 2596	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	31
PID 2068 wrote to memory of 2596	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	31
PID 2068 wrote to memory of 2596	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	31
PID 2068 wrote to memory of 2596	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	31
PID 2068 wrote to memory of 2844	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	32
PID 2068 wrote to memory of 2844	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	32
PID 2068 wrote to memory of 2844	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	32
PID 2068 wrote to memory of 2844	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	32
PID 2068 wrote to memory of 2264	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	34
PID 2068 wrote to memory of 2264	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	34
PID 2068 wrote to memory of 2264	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	34
PID 2068 wrote to memory of 2264	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	34
PID 2068 wrote to memory of 2548	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	37
PID 2068 wrote to memory of 2548	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	37
PID 2068 wrote to memory of 2548	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	37
PID 2068 wrote to memory of 2548	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	37
PID 2068 wrote to memory of 2512	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	38
PID 2068 wrote to memory of 2512	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	38
PID 2068 wrote to memory of 2512	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	38
PID 2068 wrote to memory of 2512	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	38
PID 2068 wrote to memory of 2640	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	40
PID 2068 wrote to memory of 2640	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	40
PID 2068 wrote to memory of 2640	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	40
PID 2068 wrote to memory of 2640	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	40
PID 2068 wrote to memory of 2660	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	41
PID 2068 wrote to memory of 2660	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	41
PID 2068 wrote to memory of 2660	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	41
PID 2068 wrote to memory of 2660	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	41
PID 2068 wrote to memory of 2652	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	44
PID 2068 wrote to memory of 2652	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	44
PID 2068 wrote to memory of 2652	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	44
PID 2068 wrote to memory of 2652	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	44
PID 2068 wrote to memory of 2756	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	45
PID 2068 wrote to memory of 2756	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	45
PID 2068 wrote to memory of 2756	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	45
PID 2068 wrote to memory of 2756	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	45
PID 2068 wrote to memory of 2616	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	47
PID 2068 wrote to memory of 2616	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	47
PID 2068 wrote to memory of 2616	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	47
PID 2068 wrote to memory of 2616	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	47
PID 2068 wrote to memory of 1932	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	48
PID 2068 wrote to memory of 1932	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	48
PID 2068 wrote to memory of 1932	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	48
PID 2068 wrote to memory of 1932	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	48
PID 2068 wrote to memory of 2600	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	49
PID 2068 wrote to memory of 2600	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	49
PID 2068 wrote to memory of 2600	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	49
PID 2068 wrote to memory of 2600	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	49
PID 2068 wrote to memory of 2712	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	51
PID 2068 wrote to memory of 2712	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	51
PID 2068 wrote to memory of 2712	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	51
PID 2068 wrote to memory of 2712	2068	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	51
PID 2712 wrote to memory of 2824	2712	14004BA.exe	57
PID 2712 wrote to memory of 2824	2712	14004BA.exe	57
PID 2712 wrote to memory of 2824	2712	14004BA.exe	57
PID 2712 wrote to memory of 2824	2712	14004BA.exe	57

C:\Users\Admin\AppData\Local\Temp\3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\14004BA.exe
  C:\Windows\14004BA.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:328
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:664
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:480
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- - C:\Windows\14004BARQRVRX.exe
    C:\Windows\14004BARQRVRX.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:1248
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2300
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1332
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2052
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2016
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1848
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1804
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1200
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1624
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:376
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2172
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1704
  - - C:\Windows\14004BARQRVRX.exe
      C:\Windows\14004BARQRVRX.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2160
  - - C:\Windows\14004BA.exe
      C:\Windows\14004BA.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3064
- - C:\Windows\14004BA.exe
    C:\Windows\14004BA.exe
    3⤵
    - Executes dropped EXE
    PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\14004BA.exe

Filesize
19KB

MD5
249036db540b8bd183a417139c8bff23

SHA1
4eba8c7937cbc03794fb0e176dcb312336166ca4

SHA256
e1f6acabdb0d9263986e5651f954ff4b1ebe5573f0f06453745435bd4b25b2fb

SHA512
ef204a853c3e3eedd25404a022c449c853e32942e54d486a0e457586e495654d273b1ea09f1cc66200998bf1eac4cd6e94dd8e75df11d774f411ce54c2ad67d3

Download Submit
C:\Windows\14004BARQRVRX.exe

Filesize
23KB

MD5
888f7134d124b28e9d5849ff6391c7c8

SHA1
d970403bdfb3c1d430dbe0394ab99ad09171fb03

SHA256
93b8c3d05dc16af307c4d3f5e1975d19b40f08105ed515050167dcd3b4741618

SHA512
3a09d766149b671554f4092eb3b4898a6500416736a91a208c1ce38889018f3ef0355406ebf43613c1d790f1eeeec09435fdb13eaafc3c1fce7e457785f110cf

Download Submit
memory/1248-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-53-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-75-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-73-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-69-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-47-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-51-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-30-0x00000000003E0000-0x00000000003EF000-memory.dmp

Filesize
60KB

Download
memory/1248-59-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-21-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1248-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1976-37-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1976-42-0x0000000077540000-0x000000007763A000-memory.dmp

Filesize
1000KB

Download
memory/1976-41-0x0000000077420000-0x000000007753F000-memory.dmp

Filesize
1.1MB

Download
memory/1976-43-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2068-45-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2068-15-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/2068-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2068-13-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/2160-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2160-27-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-49-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/2712-64-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-58-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-50-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/2712-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-48-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-62-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-46-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-66-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-76-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-18-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/2712-68-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-70-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-72-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-19-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/2712-74-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2712-16-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3064-36-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.