adbb33e049bf586a1a9af7b968c9061183018149faa9f4cdfdd8831c543d7e22

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exe
Size

2.6MB
MD5

b2aefe9be1952a261220d2bab2f125e0
SHA1

36ce75250cf009627554c5dd4294273bbdd50d66
SHA256

adbb33e049bf586a1a9af7b968c9061183018149faa9f4cdfdd8831c543d7e22
SHA512

44a291274b6baee490678cc77f4e96b738d0d7cb0c366731b819eb8df93ccf74ed0537a748cd2057b9ef308cbd4b54d7cb7ec2f2d4bbda34e5d09601def8f0fb
SSDEEP

24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4e8:ObCjPKNqQEfsw43qtmVfq4r

Score

10^/10

collection discovery persistence spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.me.com
Port:
587
Username:
[email protected]
Password:
RICHARD205lord

Signatures

Executes dropped EXE 3 IoCs

Processes:

jhdfkldfhndfkjdfnbfklfnf.exewinmgr119.exewinmgr119.exe

pid process

824 jhdfkldfhndfkjdfnbfklfnf.exe
2900 winmgr119.exe
2704 winmgr119.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
824	jhdfkldfhndfkjdfnbfklfnf.exe
2900	winmgr119.exe
2704	winmgr119.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/628-15-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/628-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/628-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/628-22-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/1364-26-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1364-27-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1364-28-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/1364-32-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exejhdfkldfhndfkjdfnbfklfnf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	jhdfkldfhndfkjdfnbfklfnf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 icanhazip.com
31 ipinfo.io

flow	ioc
29	icanhazip.com
31	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe	autoit_exe
C:\ProgramData\winmgr119.exe	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

jhdfkldfhndfkjdfnbfklfnf.exeRegAsm.exe

description	pid	process	target process
PID 824 set thread context of 2044	824	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 2044 set thread context of 628	2044	RegAsm.exe	cvtres.exe
PID 2044 set thread context of 1364	2044	RegAsm.exe	cvtres.exe
PID 2044 set thread context of 1180	2044	RegAsm.exe	cvtres.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 26 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4648	schtasks.exe
4932	schtasks.exe
4280	schtasks.exe
4980	schtasks.exe
4476	schtasks.exe
3340	schtasks.exe
2860	schtasks.exe
5016	schtasks.exe
1280	schtasks.exe
1240	schtasks.exe
3208	schtasks.exe
5000	schtasks.exe
1536	schtasks.exe
3628	schtasks.exe
2692	schtasks.exe
1404	schtasks.exe
2400	schtasks.exe
3060	schtasks.exe
4868	schtasks.exe
4396	schtasks.exe
3476	schtasks.exe
1592	schtasks.exe
4100	schtasks.exe
4564	schtasks.exe
2760	schtasks.exe
1172	schtasks.exe

NTFS ADS 4 IoCs

Processes:

b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exejhdfkldfhndfkjdfnbfklfnf.exewinmgr119.exewinmgr119.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exe:Zone.Identifier:$DATA	b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exe
File created	C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA	jhdfkldfhndfkjdfnbfklfnf.exe
File created	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exejhdfkldfhndfkjdfnbfklfnf.exeRegAsm.exewinmgr119.exe

pid	process
644	b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exe
644	b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2900	winmgr119.exe
2900	winmgr119.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
2044	RegAsm.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe
824	jhdfkldfhndfkjdfnbfklfnf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegAsm.execvtres.execvtres.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	2044	RegAsm.exe
Token: SeDebugPrivilege	628	cvtres.exe
Token: SeDebugPrivilege	1364	cvtres.exe
Token: SeDebugPrivilege	1180	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2044 RegAsm.exe

pid	process
2044	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exejhdfkldfhndfkjdfnbfklfnf.exeRegAsm.exe

description	pid	process	target process
PID 644 wrote to memory of 824	644	b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exe	jhdfkldfhndfkjdfnbfklfnf.exe
PID 644 wrote to memory of 824	644	b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exe	jhdfkldfhndfkjdfnbfklfnf.exe
PID 644 wrote to memory of 824	644	b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exe	jhdfkldfhndfkjdfnbfklfnf.exe
PID 824 wrote to memory of 2044	824	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 824 wrote to memory of 2044	824	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 824 wrote to memory of 2044	824	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 824 wrote to memory of 2044	824	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 824 wrote to memory of 2044	824	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 824 wrote to memory of 3060	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 3060	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 3060	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 2044 wrote to memory of 628	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 628	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 628	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 628	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 628	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 628	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 628	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1364	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1364	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1364	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1364	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1364	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1364	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1364	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1180	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1180	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1180	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1180	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1180	2044	RegAsm.exe	cvtres.exe
PID 2044 wrote to memory of 1180	2044	RegAsm.exe	cvtres.exe
PID 824 wrote to memory of 4100	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4100	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4100	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 3340	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 3340	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 3340	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4868	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4868	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4868	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4932	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4932	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4932	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 3628	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 3628	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 3628	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 2860	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 2860	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 2860	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 5016	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 5016	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 5016	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4476	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4476	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4476	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4396	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4396	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4396	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4564	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4564	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 4564	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 1280	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 1280	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 824 wrote to memory of 1280	824	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b2aefe9be1952a261220d2bab2f125e0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:644

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
0
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA47D.tmp"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA70E.tmp"
4⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA76D.tmp"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3060

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4100

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3340

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4868

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4932

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3628

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2860

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:5016

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4476

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4396

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4564

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1280

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1404

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2760

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2400

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1240

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3476

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3208

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:5000

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1172

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4280

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4648

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1592

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4980

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1536

C:\ProgramData\winmgr119.exe
C:\ProgramData\winmgr119.exe
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2900

C:\ProgramData\winmgr119.exe
C:\ProgramData\winmgr119.exe
1⤵
- Executes dropped EXE
- NTFS ADS
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
Filesize
2.6MB

MD5
a943b75f49a63a1b19e145e8b5a0d634

SHA1
e7b139747d1a29d781911ca7265f37680ea91d33

SHA256
f2f4787e093a3d903a7e06843165fc6b5f4060796698adfbdf228b1e9a14288e

SHA512
1067079eb67d66e17322cbb8d259b080f07cce4f64ab8acc68762905dbba1a7ef1cd3410b65a3b98af6d674bf50921addca933d34da7ac2190ddbc04e3044a2c

Download Submit
C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749
Filesize
8B

MD5
66701113511e39e7a784377a0133c1e2

SHA1
07e8a904ba027cb70a336bd4fd2e29f198b1df30

SHA256
f2cfe58aed7589f55ba193565966b07f00b3f4b9e0be2694b718ffca0062b881

SHA512
3b90f0d6d9bb861fb175c5d1a2f2dff79d625d0ad5f65d25d45ea3f909aa70ce73fe5e49baa9a072f15fe4c431d1011ef70d2e5adbc131f0bc73054ce258bb6b

Download Submit
C:\ProgramData\winmgr119.exe
Filesize
2.6MB

MD5
010ebc99ca790640a15a1cd874dec1e2

SHA1
eaa89e05706b51d8fcb0051e777d281fb0c66ed5

SHA256
faa7c3fccb4bd1e3bb1c6ca8dfa21e55477fd50d0df9dafc4079cb44450640f2

SHA512
2b289efd8be30d4a73480fedcf727abd33acf59ac8b274d502e90d2e59ac1fde98e19a9052d5aa43479b56ec9df38ea353adc9f1a003fb15850ff142337a4389

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA47D.tmp
Filesize
1KB

MD5
b0cc2e6f2d8036c9b5fef218736fa9c9

SHA1
64fd3017625979c95ba09d7cbea201010a82f73f

SHA256
997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50

SHA512
a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA70E.tmp
Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA76D.tmp
Filesize
391B

MD5
3525ea58bba48993ea0d01b65ea71381

SHA1
1b917678fdd969e5ee5916e5899e7c75a979cf4d

SHA256
681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2

SHA512
5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

Download Submit
memory/628-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/628-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/628-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/628-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1180-38-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1180-35-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1180-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1364-27-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1364-28-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1364-32-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1364-26-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2044-11-0x0000000073160000-0x0000000073711000-memory.dmp

Filesize
5.7MB

Download
memory/2044-10-0x0000000073160000-0x0000000073711000-memory.dmp

Filesize
5.7MB

Download
memory/2044-42-0x0000000073162000-0x0000000073163000-memory.dmp

Filesize
4KB

Download
memory/2044-44-0x0000000073160000-0x0000000073711000-memory.dmp

Filesize
5.7MB

Download
memory/2044-43-0x0000000073160000-0x0000000073711000-memory.dmp

Filesize
5.7MB

Download
memory/2044-9-0x0000000073162000-0x0000000073163000-memory.dmp

Filesize
4KB

Download
memory/2044-8-0x0000000000900000-0x00000000009CA000-memory.dmp

Filesize
808KB

Download