njrat | 77af1c5d89e5426091051fc29887cce021a4bc4110f94aedc5342cbd5e49c300

General

Target

7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe
Size

8.7MB
MD5

7a3371af26d62dfdad19cc434531ae30
SHA1

c0bf27756bf9b8b6164ec41a3029eb931886955a
SHA256

77af1c5d89e5426091051fc29887cce021a4bc4110f94aedc5342cbd5e49c300
SHA512

773a6e66ae40f2a80f142b9621cb1ff0076cb05dcc63c4398a1c5ae60e4fca6f73f2f4882469d4230099ec11eb5bf44c4bbcca2870702f831e8b6b88d54f6f83
SSDEEP

196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbd:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmR

Score

10^/10

njrat jjj evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

C2

youri.mooo.com:1605

Mutex

e936a10f968ac948cd351c9629dbd36d

Attributes

reg_key
e936a10f968ac948cd351c9629dbd36d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1620 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 3 IoCs

Processes:

winmgr107.exewinmgr107.exewinmgr107.exe

pid process

4444 winmgr107.exe
100 winmgr107.exe
2156 winmgr107.exe

pid	process
1620	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4444	winmgr107.exe
100	winmgr107.exe
2156	winmgr107.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exewinmgr107.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe"	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe"	winmgr107.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\winmgr107.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winmgr107.exe

description pid process target process

PID 4444 set thread context of 3736 4444 winmgr107.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4444 set thread context of 3736	4444	winmgr107.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2112	schtasks.exe
3480	schtasks.exe
4372	schtasks.exe
2696	schtasks.exe
2896	schtasks.exe
728	schtasks.exe
2368	schtasks.exe
2496	schtasks.exe
1184	schtasks.exe
1644	schtasks.exe
900	schtasks.exe
3972	schtasks.exe
1392	schtasks.exe
1896	schtasks.exe
632	schtasks.exe
2764	schtasks.exe
2492	schtasks.exe
3624	schtasks.exe
1436	schtasks.exe
3868	schtasks.exe
1644	schtasks.exe
2016	schtasks.exe
2388	schtasks.exe
1460	schtasks.exe
3592	schtasks.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	cmd.exe

NTFS ADS 4 IoCs

Processes:

7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exewinmgr107.exewinmgr107.exewinmgr107.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe:Zone.Identifier:$DATA	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe
File created	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe
File opened for modification	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe
File opened for modification	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exewinmgr107.exewinmgr107.exewinmgr107.exe

pid	process
540	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe
540	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
100	winmgr107.exe
100	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
2156	winmgr107.exe
2156	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe
4444	winmgr107.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe
Token: 33	3736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	3736	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.execmd.exewinmgr107.exeRegAsm.exe

description	pid	process	target process
PID 540 wrote to memory of 3592	540	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	cmd.exe
PID 540 wrote to memory of 3592	540	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	cmd.exe
PID 540 wrote to memory of 3592	540	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	cmd.exe
PID 3592 wrote to memory of 3880	3592	cmd.exe	NOTEPAD.EXE
PID 3592 wrote to memory of 3880	3592	cmd.exe	NOTEPAD.EXE
PID 3592 wrote to memory of 3880	3592	cmd.exe	NOTEPAD.EXE
PID 540 wrote to memory of 4444	540	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	winmgr107.exe
PID 540 wrote to memory of 4444	540	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	winmgr107.exe
PID 540 wrote to memory of 4444	540	7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe	winmgr107.exe
PID 4444 wrote to memory of 3736	4444	winmgr107.exe	RegAsm.exe
PID 4444 wrote to memory of 3736	4444	winmgr107.exe	RegAsm.exe
PID 4444 wrote to memory of 3736	4444	winmgr107.exe	RegAsm.exe
PID 4444 wrote to memory of 3736	4444	winmgr107.exe	RegAsm.exe
PID 4444 wrote to memory of 3736	4444	winmgr107.exe	RegAsm.exe
PID 4444 wrote to memory of 4372	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 4372	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 4372	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 900	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 900	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 900	4444	winmgr107.exe	schtasks.exe
PID 3736 wrote to memory of 1620	3736	RegAsm.exe	netsh.exe
PID 3736 wrote to memory of 1620	3736	RegAsm.exe	netsh.exe
PID 3736 wrote to memory of 1620	3736	RegAsm.exe	netsh.exe
PID 4444 wrote to memory of 632	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 632	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 632	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2696	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2696	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2696	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2764	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2764	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2764	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 1460	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 1460	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 1460	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 3972	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 3972	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 3972	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 3868	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 3868	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 3868	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 3592	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 3592	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 3592	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2896	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2896	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2896	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 728	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 728	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 728	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2112	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2112	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2112	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 1644	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 1644	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 1644	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 1392	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 1392	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 1392	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2492	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2492	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 2492	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 1436	4444	winmgr107.exe	schtasks.exe
PID 4444 wrote to memory of 1436	4444	winmgr107.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\7A3371~1.TXT
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe.txt
3⤵
PID:3880

C:\ProgramData\winmgr107.exe
C:\ProgramData\winmgr107.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
0
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1620

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:4372

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:900

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:632

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2696

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2764

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1460

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:3972

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:3868

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:3592

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2896

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:728

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2112

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1644

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1392

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2492

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:3624

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2016

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2368

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1896

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2496

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1184

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:1644

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:3480

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
3⤵
- Creates scheduled task(s)
PID:2388

C:\ProgramData\winmgr107.exe
C:\ProgramData\winmgr107.exe
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:100

C:\ProgramData\winmgr107.exe
C:\ProgramData\winmgr107.exe
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe.txt
Filesize
992B

MD5
c8cf7247d4cfc99a7582a42d13df4c08

SHA1
317f5588af0b3b6374c436fb00084c522fd78a83

SHA256
78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0

SHA512
5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

Download Submit
C:\ProgramData\winmgr107.exe
Filesize
8.7MB

MD5
d1d2571c16a979f1faa143c5dbd02a04

SHA1
e2b0d6b05675cd9b7969ec5f4f60961451bd612d

SHA256
608d58a53408f7e333a86298bc64ddab87df383edda54b4cecb2dc13fd22f282

SHA512
9bb9f9aedc63940b42eb4c3bf062a0d7b73d9780e6e720fa46bcd8580d6b01318b6318f92136fe791dbad2f33d5ecd0f7d28c3b3d4453d0257364daa2d65ad70

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a3371af26d62dfdad19cc434531ae30_NeikiAnalytics.exe
Filesize
8.7MB

MD5
7a3371af26d62dfdad19cc434531ae30

SHA1
c0bf27756bf9b8b6164ec41a3029eb931886955a

SHA256
77af1c5d89e5426091051fc29887cce021a4bc4110f94aedc5342cbd5e49c300

SHA512
773a6e66ae40f2a80f142b9621cb1ff0076cb05dcc63c4398a1c5ae60e4fca6f73f2f4882469d4230099ec11eb5bf44c4bbcca2870702f831e8b6b88d54f6f83

Download Submit
memory/3736-15-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads