njrat | 77af1c5d89e5426091051fc29887cce021a4bc4110f94aedc5342cbd5e49c300

General

Target

7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe
Size

8.7MB
MD5

7a3371af26d62dfdad19cc434531ae30
SHA1

c0bf27756bf9b8b6164ec41a3029eb931886955a
SHA256

77af1c5d89e5426091051fc29887cce021a4bc4110f94aedc5342cbd5e49c300
SHA512

773a6e66ae40f2a80f142b9621cb1ff0076cb05dcc63c4398a1c5ae60e4fca6f73f2f4882469d4230099ec11eb5bf44c4bbcca2870702f831e8b6b88d54f6f83
SSDEEP

196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbd:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmR

Score

10^/10

njrat jjj evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

C2

youri.mooo.com:1605

Mutex

e936a10f968ac948cd351c9629dbd36d

Attributes

reg_key
e936a10f968ac948cd351c9629dbd36d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2904 netsh.exe
Executes dropped EXE 3 IoCs

Processes:

winmgr107.exewinmgr107.exewinmgr107.exe

pid process

2596 winmgr107.exe
1544 winmgr107.exe
1572 winmgr107.exe
Loads dropped DLL 1 IoCs

Processes:

7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe

pid process

2872 7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe

pid	process
2904	netsh.exe

pid	process
2596	winmgr107.exe
1544	winmgr107.exe
1572	winmgr107.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exewinmgr107.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe"	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe"	winmgr107.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\ProgramData\winmgr107.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winmgr107.exe

description pid process target process

PID 2596 set thread context of 2616 2596 winmgr107.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2596 set thread context of 2616	2596	winmgr107.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2900	schtasks.exe
1052	schtasks.exe
2240	schtasks.exe
1584	schtasks.exe
2184	schtasks.exe
376	schtasks.exe
1272	schtasks.exe
772	schtasks.exe
1632	schtasks.exe
1364	schtasks.exe
1292	schtasks.exe
2448	schtasks.exe
2852	schtasks.exe
2652	schtasks.exe
604	schtasks.exe
2008	schtasks.exe
1096	schtasks.exe
1320	schtasks.exe
3008	schtasks.exe
1776	schtasks.exe
2792	schtasks.exe
2388	schtasks.exe
1924	schtasks.exe
856	schtasks.exe
2200	schtasks.exe

NTFS ADS 4 IoCs

Processes:

winmgr107.exewinmgr107.exewinmgr107.exe7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe

description	ioc	process
File created	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe
File opened for modification	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe
File opened for modification	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe
File created	C:\Users\Admin\AppData\Local\Temp\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe:Zone.Identifier:$DATA	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exewinmgr107.exewinmgr107.exewinmgr107.exe

pid	process
2872	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
1544	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
1572	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe
2596	winmgr107.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe
Token: 33	2616	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2616	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.execmd.exewinmgr107.exeRegAsm.exetaskeng.exe

description	pid	process	target process
PID 2872 wrote to memory of 2536	2872	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	cmd.exe
PID 2872 wrote to memory of 2536	2872	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	cmd.exe
PID 2872 wrote to memory of 2536	2872	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	cmd.exe
PID 2872 wrote to memory of 2536	2872	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	cmd.exe
PID 2536 wrote to memory of 2656	2536	cmd.exe	NOTEPAD.EXE
PID 2536 wrote to memory of 2656	2536	cmd.exe	NOTEPAD.EXE
PID 2536 wrote to memory of 2656	2536	cmd.exe	NOTEPAD.EXE
PID 2536 wrote to memory of 2656	2536	cmd.exe	NOTEPAD.EXE
PID 2872 wrote to memory of 2596	2872	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	winmgr107.exe
PID 2872 wrote to memory of 2596	2872	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	winmgr107.exe
PID 2872 wrote to memory of 2596	2872	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	winmgr107.exe
PID 2872 wrote to memory of 2596	2872	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	winmgr107.exe
PID 2596 wrote to memory of 2616	2596	winmgr107.exe	RegAsm.exe
PID 2596 wrote to memory of 2616	2596	winmgr107.exe	RegAsm.exe
PID 2596 wrote to memory of 2616	2596	winmgr107.exe	RegAsm.exe
PID 2596 wrote to memory of 2616	2596	winmgr107.exe	RegAsm.exe
PID 2596 wrote to memory of 2616	2596	winmgr107.exe	RegAsm.exe
PID 2596 wrote to memory of 2616	2596	winmgr107.exe	RegAsm.exe
PID 2596 wrote to memory of 2616	2596	winmgr107.exe	RegAsm.exe
PID 2596 wrote to memory of 2616	2596	winmgr107.exe	RegAsm.exe
PID 2596 wrote to memory of 2616	2596	winmgr107.exe	RegAsm.exe
PID 2596 wrote to memory of 2448	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2448	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2448	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2448	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2900	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2900	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2900	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2900	2596	winmgr107.exe	schtasks.exe
PID 2616 wrote to memory of 2904	2616	RegAsm.exe	netsh.exe
PID 2616 wrote to memory of 2904	2616	RegAsm.exe	netsh.exe
PID 2616 wrote to memory of 2904	2616	RegAsm.exe	netsh.exe
PID 2616 wrote to memory of 2904	2616	RegAsm.exe	netsh.exe
PID 2596 wrote to memory of 2792	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2792	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2792	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2792	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2388	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2388	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2388	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2388	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2184	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2184	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2184	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 2184	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 376	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 376	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 376	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 376	2596	winmgr107.exe	schtasks.exe
PID 2504 wrote to memory of 1544	2504	taskeng.exe	winmgr107.exe
PID 2504 wrote to memory of 1544	2504	taskeng.exe	winmgr107.exe
PID 2504 wrote to memory of 1544	2504	taskeng.exe	winmgr107.exe
PID 2504 wrote to memory of 1544	2504	taskeng.exe	winmgr107.exe
PID 2596 wrote to memory of 1272	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 1272	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 1272	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 1272	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 1292	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 1292	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 1292	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 1292	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 1924	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 1924	2596	winmgr107.exe	schtasks.exe
PID 2596 wrote to memory of 1924	2596	winmgr107.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\7A3371~1.TXT
2⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe.txt
3⤵
PID:2656

C:\ProgramData\winmgr107.exe
C:\ProgramData\winmgr107.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
0
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2904

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2448

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2900

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2792

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2388

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2184

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:376

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1272

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1924

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:772

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:604

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:856

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1320

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1364

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:3008

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1632

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1052

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1776

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2240

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2200

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1584

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2852

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\taskeng.exe
taskeng.exe {94A215A6-08B9-4DE7-8225-7881A0D0943F} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\ProgramData\winmgr107.exe
C:\ProgramData\winmgr107.exe
2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\ProgramData\winmgr107.exe
C:\ProgramData\winmgr107.exe
2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe.txt
Filesize
992B

MD5
c8cf7247d4cfc99a7582a42d13df4c08

SHA1
317f5588af0b3b6374c436fb00084c522fd78a83

SHA256
78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0

SHA512
5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

Download Submit
\ProgramData\winmgr107.exe
Filesize
8.7MB

MD5
2bf71b84991dd4287e93d6490ef34c60

SHA1
984e65665e347293c39540b4578f05c746159dca

SHA256
68d2ab96c97ed625061635f6883d516c06e8f9dc17be1f9b6fc3ed7e3c84befa

SHA512
4c87848104de5f23dcbb75940b8125fa1dfbb1ce2efe192727ae2404e64c1e4fed67c7250e8e06064276cb373995ae8816bb4d49caf2b95ef7939b7d6c7e8d33

Download Submit
memory/2616-23-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/2616-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-26-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/2616-28-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/2616-27-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads