kpot | 37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2

General

Target

37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe
Size

1.2MB
MD5

64d8fe1068c8d5aabb1ff155fd992d10
SHA1

11cd6c1a21286bd2985c5ebdd6d21747ac2c340c
SHA256

37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2
SHA512

c713b608e1d40441ab742d78cb5dea25beab06120eeaa76e6726d8dc960f809662a372a3e1087714444d85c3ec630074c4c86aa72a9eef29d031849a8ab97a0c
SSDEEP

24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1Sd8zG7u75+FmVf6IIwqEK9ZOsl:E5aIwC+Agr6S/FEAGsjiIIAK

Score

10^/10

kpot trickbot banker evasion execution stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinSocket\38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	family_kpot

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/2208-15-0x00000000025B0000-0x00000000025D9000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

Processes:

38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe

pid	process
2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
760	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
2860	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe

Loads dropped DLL 2 IoCs

Processes:

37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe

pid	process
2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe
2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1364 sc.exe
2448 sc.exe
1252 sc.exe
2444 sc.exe

pid	process
1364	sc.exe
2448	sc.exe
1252	sc.exe
2444	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exepowershell.exepowershell.exe

pid	process
2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe
2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe
2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe
2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
1384	powershell.exe
2292	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exe38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe

description	pid	process
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeTcbPrivilege	760	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
Token: SeTcbPrivilege	2860	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe

pid	process
2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe
2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
760	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
2860	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.execmd.exe38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.execmd.execmd.exe

description	pid	process	target process
PID 2208 wrote to memory of 2592	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2592	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2592	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2592	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2616	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2616	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2616	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2616	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2732	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2732	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2732	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2732	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	cmd.exe
PID 2208 wrote to memory of 2548	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
PID 2208 wrote to memory of 2548	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
PID 2208 wrote to memory of 2548	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
PID 2208 wrote to memory of 2548	2208	37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
PID 2732 wrote to memory of 2292	2732	cmd.exe	powershell.exe
PID 2732 wrote to memory of 2292	2732	cmd.exe	powershell.exe
PID 2732 wrote to memory of 2292	2732	cmd.exe	powershell.exe
PID 2732 wrote to memory of 2292	2732	cmd.exe	powershell.exe
PID 2548 wrote to memory of 2404	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2548 wrote to memory of 2404	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2548 wrote to memory of 2404	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2548 wrote to memory of 2404	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2616 wrote to memory of 2448	2616	cmd.exe	sc.exe
PID 2616 wrote to memory of 2448	2616	cmd.exe	sc.exe
PID 2616 wrote to memory of 2448	2616	cmd.exe	sc.exe
PID 2616 wrote to memory of 2448	2616	cmd.exe	sc.exe
PID 2548 wrote to memory of 2464	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2548 wrote to memory of 2464	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2548 wrote to memory of 2464	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2548 wrote to memory of 2464	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2592 wrote to memory of 2444	2592	cmd.exe	sc.exe
PID 2592 wrote to memory of 2444	2592	cmd.exe	sc.exe
PID 2592 wrote to memory of 2444	2592	cmd.exe	sc.exe
PID 2592 wrote to memory of 2444	2592	cmd.exe	sc.exe
PID 2548 wrote to memory of 2800	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2548 wrote to memory of 2800	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2548 wrote to memory of 2800	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2548 wrote to memory of 2800	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	cmd.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe
PID 2548 wrote to memory of 2828	2548	38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:2444

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:2448

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Users\Admin\AppData\Roaming\WinSocket\38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
3⤵
PID:2404

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
4⤵
- Launches sc.exe
PID:1364

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
3⤵
PID:2464

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
4⤵
- Launches sc.exe
PID:1252

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
PID:2800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2828

C:\Windows\system32\taskeng.exe
taskeng.exe {0C628B54-6EF3-4CA3-926C-4DE8169EE5D0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:604

C:\Users\Admin\AppData\Roaming\WinSocket\38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1072

C:\Users\Admin\AppData\Roaming\WinSocket\38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
C:\Users\Admin\AppData\Roaming\WinSocket\38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2724

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
9f6c7ea192323eca659ad6824c395f22

SHA1
9319f8d9b824e95e3e7be3f6241904ff7924a251

SHA256
403808007fc75bb176608f7821e45e71973318d204b9cfd3a29b5421f9ce8f6d

SHA512
8ceaf2446f985437c879282a7687f7764132e3e35df5e82a2d0bec678fbaec6e7250da7a5c44213900d786f15ceb922a00155b8350f45abcc9ddf57d740cdd43

Download Submit
C:\Users\Admin\AppData\Roaming\WinSocket\38c6279ce2ef4c01ab8490ccd36c1d7f22fc4c72ad3b0a2aecddf131cc4dddc2_NeikiAnalytict.exe
Filesize
1.2MB

MD5
64d8fe1068c8d5aabb1ff155fd992d10

SHA1
11cd6c1a21286bd2985c5ebdd6d21747ac2c340c

SHA256
37c5268ce2ef4c01ab7490ccd35c1d6f22fc4c62ad3b0a2aecddf131cc4dddc2

SHA512
c713b608e1d40441ab742d78cb5dea25beab06120eeaa76e6726d8dc960f809662a372a3e1087714444d85c3ec630074c4c86aa72a9eef29d031849a8ab97a0c

Download Submit
memory/760-70-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/760-67-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/760-68-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/760-69-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/760-66-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/760-71-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/760-72-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/760-73-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/760-74-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/760-75-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/760-76-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/760-65-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2208-13-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-15-0x00000000025B0000-0x00000000025D9000-memory.dmp

Filesize
164KB

Download
memory/2208-3-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-4-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-5-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-9-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-12-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-11-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2208-10-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-8-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-14-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2208-2-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2548-34-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2548-33-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2548-40-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2548-45-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2548-44-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2548-29-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2548-30-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2548-31-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2548-32-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2548-43-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2548-35-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2548-36-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2548-37-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2548-38-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2548-39-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2828-49-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2828-48-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2860-92-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2860-93-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads