3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79

Analysis

max time kernel
150s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe
Size

19KB
MD5

fe2c9c26d70c7a4d2c46b024a6a12a40
SHA1

e1a3da5e395e75524693dddd8aef938aa02161d5
SHA256

3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79
SHA512

0099e9f97d3813326f445e804405e9fb39bee28b6bae7baddb228ae762ce02930ed04aff20fe500ee5c823b7b325031a3b47d04b81fe1f02db4e0dc764bca309
SSDEEP

384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh5Q0yQGU2LL/:g5BOFKksO1mE9B77777J77c77c77c71G

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\107B6AA.exe\""	107B6AA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\107B6AA.exe\""	107B6AARQRVRU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\107B6AA.exe\""	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe

Executes dropped EXE 5 IoCs

pid	Process
936	107B6AA.exe
712	107B6AARQRVRU.exe
2024	107B6AARQRVRU.exe
948	107B6AA.exe
3456	107B6AA.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4896-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0008000000023402-7.dat	upx
behavioral2/memory/936-10-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-15-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x0007000000023406-14.dat	upx
behavioral2/memory/2024-24-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/948-29-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4896-37-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3456-35-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-38-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-39-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-40-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-41-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-42-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-43-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-44-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-45-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-46-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-47-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-48-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-49-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-50-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-51-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-53-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-52-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-55-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-54-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-57-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-56-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-59-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-58-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-61-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-60-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-62-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-63-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-64-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-65-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/936-66-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/712-67-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\107B6AA.exe = "C:\\Windows\\107B6AA.exe"	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\107B6AA.exe = "C:\\Windows\\107B6AA.exe"	107B6AA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\107B6AA.exe = "C:\\Windows\\107B6AA.exe"	107B6AARQRVRU.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\107B6AA.exe	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe
File opened for modification	C:\Windows\107B6AARQRVRU.exe	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
4652	TASKKILL.exe
4536	TASKKILL.exe
5416	TASKKILL.exe
5704	TASKKILL.exe
756	TASKKILL.exe
3900	TASKKILL.exe
5920	TASKKILL.exe
3188	TASKKILL.exe
1920	TASKKILL.exe
492	TASKKILL.exe
2340	TASKKILL.exe
1948	TASKKILL.exe
1860	TASKKILL.exe
4376	TASKKILL.exe
1900	TASKKILL.exe
1004	TASKKILL.exe
1872	TASKKILL.exe
1580	TASKKILL.exe
1380	TASKKILL.exe
2292	TASKKILL.exe
3108	TASKKILL.exe
4204	TASKKILL.exe
5148	TASKKILL.exe
5220	TASKKILL.exe
1984	TASKKILL.exe
5076	TASKKILL.exe
4064	TASKKILL.exe
4972	TASKKILL.exe
4248	TASKKILL.exe
2556	TASKKILL.exe
4272	TASKKILL.exe
3372	TASKKILL.exe
3752	TASKKILL.exe
5376	TASKKILL.exe
1572	TASKKILL.exe
5688	TASKKILL.exe
6088	TASKKILL.exe
3612	TASKKILL.exe
2424	TASKKILL.exe
1804	TASKKILL.exe
4852	TASKKILL.exe
1260	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	6088	TASKKILL.exe
Token: SeDebugPrivilege	3612	TASKKILL.exe
Token: SeDebugPrivilege	1860	TASKKILL.exe
Token: SeDebugPrivilege	4204	TASKKILL.exe
Token: SeDebugPrivilege	2424	TASKKILL.exe
Token: SeDebugPrivilege	3108	TASKKILL.exe
Token: SeDebugPrivilege	1804	TASKKILL.exe
Token: SeDebugPrivilege	4272	TASKKILL.exe
Token: SeDebugPrivilege	1948	TASKKILL.exe
Token: SeDebugPrivilege	5376	TASKKILL.exe
Token: SeDebugPrivilege	4652	TASKKILL.exe
Token: SeDebugPrivilege	1984	TASKKILL.exe
Token: SeDebugPrivilege	3188	TASKKILL.exe
Token: SeDebugPrivilege	2556	TASKKILL.exe
Token: SeDebugPrivilege	1572	TASKKILL.exe
Token: SeDebugPrivilege	5920	TASKKILL.exe
Token: SeDebugPrivilege	1580	TASKKILL.exe
Token: SeDebugPrivilege	3900	TASKKILL.exe
Token: SeDebugPrivilege	4536	TASKKILL.exe
Token: SeDebugPrivilege	1900	TASKKILL.exe
Token: SeDebugPrivilege	3372	TASKKILL.exe
Token: SeDebugPrivilege	1260	TASKKILL.exe
Token: SeDebugPrivilege	5148	TASKKILL.exe
Token: SeDebugPrivilege	1872	TASKKILL.exe
Token: SeDebugPrivilege	756	TASKKILL.exe
Token: SeDebugPrivilege	5416	TASKKILL.exe
Token: SeDebugPrivilege	3752	TASKKILL.exe
Token: SeDebugPrivilege	4248	TASKKILL.exe
Token: SeDebugPrivilege	5076	TASKKILL.exe
Token: SeDebugPrivilege	4376	TASKKILL.exe
Token: SeDebugPrivilege	4064	TASKKILL.exe
Token: SeDebugPrivilege	1380	TASKKILL.exe
Token: SeDebugPrivilege	2292	TASKKILL.exe
Token: SeDebugPrivilege	5220	TASKKILL.exe
Token: SeDebugPrivilege	4852	TASKKILL.exe
Token: SeDebugPrivilege	5688	TASKKILL.exe
Token: SeDebugPrivilege	2340	TASKKILL.exe
Token: SeDebugPrivilege	1004	TASKKILL.exe
Token: SeDebugPrivilege	1920	TASKKILL.exe
Token: SeDebugPrivilege	5704	TASKKILL.exe
Token: SeDebugPrivilege	492	TASKKILL.exe
Token: SeDebugPrivilege	4972	TASKKILL.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe
936	107B6AA.exe
712	107B6AARQRVRU.exe
2024	107B6AARQRVRU.exe
948	107B6AA.exe
3456	107B6AA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 6088	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	83
PID 4896 wrote to memory of 6088	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	83
PID 4896 wrote to memory of 6088	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	83
PID 4896 wrote to memory of 1804	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	84
PID 4896 wrote to memory of 1804	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	84
PID 4896 wrote to memory of 1804	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	84
PID 4896 wrote to memory of 3612	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	85
PID 4896 wrote to memory of 3612	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	85
PID 4896 wrote to memory of 3612	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	85
PID 4896 wrote to memory of 3108	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	86
PID 4896 wrote to memory of 3108	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	86
PID 4896 wrote to memory of 3108	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	86
PID 4896 wrote to memory of 2424	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	87
PID 4896 wrote to memory of 2424	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	87
PID 4896 wrote to memory of 2424	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	87
PID 4896 wrote to memory of 2556	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	88
PID 4896 wrote to memory of 2556	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	88
PID 4896 wrote to memory of 2556	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	88
PID 4896 wrote to memory of 5920	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	89
PID 4896 wrote to memory of 5920	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	89
PID 4896 wrote to memory of 5920	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	89
PID 4896 wrote to memory of 3900	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	90
PID 4896 wrote to memory of 3900	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	90
PID 4896 wrote to memory of 3900	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	90
PID 4896 wrote to memory of 1948	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	91
PID 4896 wrote to memory of 1948	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	91
PID 4896 wrote to memory of 1948	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	91
PID 4896 wrote to memory of 4272	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	92
PID 4896 wrote to memory of 4272	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	92
PID 4896 wrote to memory of 4272	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	92
PID 4896 wrote to memory of 1860	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	93
PID 4896 wrote to memory of 1860	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	93
PID 4896 wrote to memory of 1860	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	93
PID 4896 wrote to memory of 3372	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	95
PID 4896 wrote to memory of 3372	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	95
PID 4896 wrote to memory of 3372	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	95
PID 4896 wrote to memory of 4376	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	96
PID 4896 wrote to memory of 4376	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	96
PID 4896 wrote to memory of 4376	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	96
PID 4896 wrote to memory of 4204	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	97
PID 4896 wrote to memory of 4204	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	97
PID 4896 wrote to memory of 4204	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	97
PID 4896 wrote to memory of 936	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	106
PID 4896 wrote to memory of 936	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	106
PID 4896 wrote to memory of 936	4896	3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe	106
PID 936 wrote to memory of 1984	936	107B6AA.exe	112
PID 936 wrote to memory of 1984	936	107B6AA.exe	112
PID 936 wrote to memory of 1984	936	107B6AA.exe	112
PID 936 wrote to memory of 3188	936	107B6AA.exe	113
PID 936 wrote to memory of 3188	936	107B6AA.exe	113
PID 936 wrote to memory of 3188	936	107B6AA.exe	113
PID 936 wrote to memory of 1572	936	107B6AA.exe	114
PID 936 wrote to memory of 1572	936	107B6AA.exe	114
PID 936 wrote to memory of 1572	936	107B6AA.exe	114
PID 936 wrote to memory of 5376	936	107B6AA.exe	115
PID 936 wrote to memory of 5376	936	107B6AA.exe	115
PID 936 wrote to memory of 5376	936	107B6AA.exe	115
PID 936 wrote to memory of 4852	936	107B6AA.exe	116
PID 936 wrote to memory of 4852	936	107B6AA.exe	116
PID 936 wrote to memory of 4852	936	107B6AA.exe	116
PID 936 wrote to memory of 4652	936	107B6AA.exe	117
PID 936 wrote to memory of 4652	936	107B6AA.exe	117
PID 936 wrote to memory of 4652	936	107B6AA.exe	117
PID 936 wrote to memory of 1900	936	107B6AA.exe	118

C:\Users\Admin\AppData\Local\Temp\3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3418f8996240828462f20e98b25ddf0c767a118046486be0945b07ef09a6ea79_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6088
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5920
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3372
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4376
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\107B6AA.exe
  C:\Windows\107B6AA.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3188
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5376
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4652
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5148
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3752
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5220
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Windows\107B6AARQRVRU.exe
    C:\Windows\107B6AARQRVRU.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:712
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5688
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5704
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1872
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4972
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5416
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1004
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2292
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4248
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1260
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1920
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:756
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2340
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:492
  - - C:\Windows\107B6AARQRVRU.exe
      C:\Windows\107B6AARQRVRU.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2024
  - - C:\Windows\107B6AA.exe
      C:\Windows\107B6AA.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:948
- - C:\Windows\107B6AA.exe
    C:\Windows\107B6AA.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\107B6AA.exe

Filesize
19KB

MD5
42cf81866a372c8df579c5378ac14459

SHA1
8e34eb43c2c45600d524e4eef4e49f1b69cdaed5

SHA256
9d41defc74379ca783a7856e1aeeffb466fd55749c4f7d8a917a819425318eb3

SHA512
e2aae622ea71b5d129154470b861e29b544faf2c4070e7c4744ae5425c517be60a191d31b766e0d4bb0051a9bf3230ac8d5d296a96d196b2133711ae10dde637

Download Submit
C:\Windows\107B6AARQRVRU.exe

Filesize
20KB

MD5
2d82b3a0cd50fd4a2e3e9d01e0e7fc71

SHA1
11c328f126f0c9b67cd26f41de71630195a12e56

SHA256
5d8385991b77c78cae12332627dc53551cd5530bf276f5d523de4a30afad3ec6

SHA512
d000877b26bdedaa716a4ea887df56adc6f4c0c3ff3a23884528f040721b2c2b4ce0c0c5f08253fb8197654593198ad661fc52b00285f09709fdf3f0f3253ae6

Download Submit
memory/712-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-47-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-65-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-51-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-59-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-39-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-41-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-53-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-43-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-49-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-45-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/712-15-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-50-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-38-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-46-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-44-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-42-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-52-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-40-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-66-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-48-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-58-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-64-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/936-62-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/948-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2024-24-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3456-35-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4896-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4896-37-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads