982e2436131dae4568ae6f20fd60221f9610862c0c0cf69adf081a4abd5f5011

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe
Size

20KB
MD5

0f19b5aac8ff795273ae813dcb821fd0
SHA1

b0b04c18534e8c9a3bda9f74578eac8db64e326a
SHA256

982e2436131dae4568ae6f20fd60221f9610862c0c0cf69adf081a4abd5f5011
SHA512

04795462d1e796a74e377d8cc613fc7383f7f5db07044bc71986f17025c5b9bcc6e1bdfb238e830f5f9be244ee4295de719e00053ad9151d26bd754ff1211428
SSDEEP

384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh52oKC4S:g5BOFKksO1mE9B77777J77c77c77c71f

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\3E3B1CD.exe\""	3E3B1CDRZTVVT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\3E3B1CD.exe\""	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\3E3B1CD.exe\""	3E3B1CD.exe

Executes dropped EXE 5 IoCs

pid	Process
4920	3E3B1CD.exe
1872	3E3B1CDRZTVVT.exe
3704	3E3B1CDRZTVVT.exe
680	3E3B1CD.exe
4616	3E3B1CD.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x000700000002342a-7.dat	upx
behavioral2/files/0x0007000000023429-9.dat	upx
behavioral2/memory/3704-19-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3704-24-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/680-29-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4820-37-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4616-35-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-38-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-39-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-40-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-41-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-42-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-43-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-45-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-44-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-47-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-46-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-48-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-49-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-50-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-51-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-52-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-53-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-54-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-55-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-56-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-57-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-58-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-59-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-60-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-61-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-62-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-63-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-64-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-65-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/4920-66-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/1872-67-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3E3B1CD.exe = "C:\\Windows\\3E3B1CD.exe"	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3E3B1CD.exe = "C:\\Windows\\3E3B1CD.exe"	3E3B1CD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3E3B1CD.exe = "C:\\Windows\\3E3B1CD.exe"	3E3B1CDRZTVVT.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\3E3B1CDRZTVVT.exe	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe
File opened for modification	C:\Windows\3E3B1CD.exe	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe

Kills process with taskkill 42 IoCs

evasion

pid	Process
2124	TASKKILL.exe
4912	TASKKILL.exe
4856	TASKKILL.exe
4456	TASKKILL.exe
4064	TASKKILL.exe
2176	TASKKILL.exe
3160	TASKKILL.exe
1452	TASKKILL.exe
1428	TASKKILL.exe
1196	TASKKILL.exe
4964	TASKKILL.exe
2748	TASKKILL.exe
1380	TASKKILL.exe
1440	TASKKILL.exe
3484	TASKKILL.exe
2792	TASKKILL.exe
2760	TASKKILL.exe
2256	TASKKILL.exe
3032	TASKKILL.exe
2436	TASKKILL.exe
2224	TASKKILL.exe
3312	TASKKILL.exe
2120	TASKKILL.exe
3884	TASKKILL.exe
2912	TASKKILL.exe
4788	TASKKILL.exe
2460	TASKKILL.exe
1560	TASKKILL.exe
4528	TASKKILL.exe
4888	TASKKILL.exe
3840	TASKKILL.exe
1468	TASKKILL.exe
4768	TASKKILL.exe
852	TASKKILL.exe
640	TASKKILL.exe
1928	TASKKILL.exe
752	TASKKILL.exe
812	TASKKILL.exe
4884	TASKKILL.exe
5100	TASKKILL.exe
1968	TASKKILL.exe
4352	TASKKILL.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	TASKKILL.exe
Token: SeDebugPrivilege	2436	TASKKILL.exe
Token: SeDebugPrivilege	1452	TASKKILL.exe
Token: SeDebugPrivilege	3312	TASKKILL.exe
Token: SeDebugPrivilege	3484	TASKKILL.exe
Token: SeDebugPrivilege	4788	TASKKILL.exe
Token: SeDebugPrivilege	2460	TASKKILL.exe
Token: SeDebugPrivilege	1928	TASKKILL.exe
Token: SeDebugPrivilege	1440	TASKKILL.exe
Token: SeDebugPrivilege	3160	TASKKILL.exe
Token: SeDebugPrivilege	2224	TASKKILL.exe
Token: SeDebugPrivilege	640	TASKKILL.exe
Token: SeDebugPrivilege	2176	TASKKILL.exe
Token: SeDebugPrivilege	4856	TASKKILL.exe
Token: SeDebugPrivilege	2256	TASKKILL.exe
Token: SeDebugPrivilege	4912	TASKKILL.exe
Token: SeDebugPrivilege	4964	TASKKILL.exe
Token: SeDebugPrivilege	2760	TASKKILL.exe
Token: SeDebugPrivilege	812	TASKKILL.exe
Token: SeDebugPrivilege	1560	TASKKILL.exe
Token: SeDebugPrivilege	4884	TASKKILL.exe
Token: SeDebugPrivilege	752	TASKKILL.exe
Token: SeDebugPrivilege	2792	TASKKILL.exe
Token: SeDebugPrivilege	1380	TASKKILL.exe
Token: SeDebugPrivilege	4456	TASKKILL.exe
Token: SeDebugPrivilege	5100	TASKKILL.exe
Token: SeDebugPrivilege	4768	TASKKILL.exe
Token: SeDebugPrivilege	852	TASKKILL.exe
Token: SeDebugPrivilege	3840	TASKKILL.exe
Token: SeDebugPrivilege	4528	TASKKILL.exe
Token: SeDebugPrivilege	3884	TASKKILL.exe
Token: SeDebugPrivilege	1428	TASKKILL.exe
Token: SeDebugPrivilege	3032	TASKKILL.exe
Token: SeDebugPrivilege	2120	TASKKILL.exe
Token: SeDebugPrivilege	1468	TASKKILL.exe
Token: SeDebugPrivilege	1968	TASKKILL.exe
Token: SeDebugPrivilege	4888	TASKKILL.exe
Token: SeDebugPrivilege	4064	TASKKILL.exe
Token: SeDebugPrivilege	2912	TASKKILL.exe
Token: SeDebugPrivilege	4352	TASKKILL.exe
Token: SeDebugPrivilege	2748	TASKKILL.exe
Token: SeDebugPrivilege	1196	TASKKILL.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe
4920	3E3B1CD.exe
1872	3E3B1CDRZTVVT.exe
3704	3E3B1CDRZTVVT.exe
680	3E3B1CD.exe
4616	3E3B1CD.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 2176	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	83
PID 4820 wrote to memory of 2176	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	83
PID 4820 wrote to memory of 2176	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	83
PID 4820 wrote to memory of 2124	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	84
PID 4820 wrote to memory of 2124	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	84
PID 4820 wrote to memory of 2124	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	84
PID 4820 wrote to memory of 1440	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	85
PID 4820 wrote to memory of 1440	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	85
PID 4820 wrote to memory of 1440	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	85
PID 4820 wrote to memory of 1452	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	86
PID 4820 wrote to memory of 1452	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	86
PID 4820 wrote to memory of 1452	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	86
PID 4820 wrote to memory of 2224	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	87
PID 4820 wrote to memory of 2224	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	87
PID 4820 wrote to memory of 2224	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	87
PID 4820 wrote to memory of 1380	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	88
PID 4820 wrote to memory of 1380	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	88
PID 4820 wrote to memory of 1380	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	88
PID 4820 wrote to memory of 640	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	89
PID 4820 wrote to memory of 640	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	89
PID 4820 wrote to memory of 640	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	89
PID 4820 wrote to memory of 4788	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	90
PID 4820 wrote to memory of 4788	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	90
PID 4820 wrote to memory of 4788	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	90
PID 4820 wrote to memory of 3160	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	91
PID 4820 wrote to memory of 3160	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	91
PID 4820 wrote to memory of 3160	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	91
PID 4820 wrote to memory of 2436	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	92
PID 4820 wrote to memory of 2436	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	92
PID 4820 wrote to memory of 2436	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	92
PID 4820 wrote to memory of 3484	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	93
PID 4820 wrote to memory of 3484	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	93
PID 4820 wrote to memory of 3484	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	93
PID 4820 wrote to memory of 3312	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	99
PID 4820 wrote to memory of 3312	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	99
PID 4820 wrote to memory of 3312	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	99
PID 4820 wrote to memory of 2460	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	100
PID 4820 wrote to memory of 2460	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	100
PID 4820 wrote to memory of 2460	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	100
PID 4820 wrote to memory of 1928	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	101
PID 4820 wrote to memory of 1928	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	101
PID 4820 wrote to memory of 1928	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	101
PID 4820 wrote to memory of 4920	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	110
PID 4820 wrote to memory of 4920	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	110
PID 4820 wrote to memory of 4920	4820	0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe	110
PID 4920 wrote to memory of 4912	4920	3E3B1CD.exe	112
PID 4920 wrote to memory of 4912	4920	3E3B1CD.exe	112
PID 4920 wrote to memory of 4912	4920	3E3B1CD.exe	112
PID 4920 wrote to memory of 1560	4920	3E3B1CD.exe	113
PID 4920 wrote to memory of 1560	4920	3E3B1CD.exe	113
PID 4920 wrote to memory of 1560	4920	3E3B1CD.exe	113
PID 4920 wrote to memory of 752	4920	3E3B1CD.exe	114
PID 4920 wrote to memory of 752	4920	3E3B1CD.exe	114
PID 4920 wrote to memory of 752	4920	3E3B1CD.exe	114
PID 4920 wrote to memory of 4964	4920	3E3B1CD.exe	115
PID 4920 wrote to memory of 4964	4920	3E3B1CD.exe	115
PID 4920 wrote to memory of 4964	4920	3E3B1CD.exe	115
PID 4920 wrote to memory of 812	4920	3E3B1CD.exe	116
PID 4920 wrote to memory of 812	4920	3E3B1CD.exe	116
PID 4920 wrote to memory of 812	4920	3E3B1CD.exe	116
PID 4920 wrote to memory of 2792	4920	3E3B1CD.exe	117
PID 4920 wrote to memory of 2792	4920	3E3B1CD.exe	117
PID 4920 wrote to memory of 2792	4920	3E3B1CD.exe	117
PID 4920 wrote to memory of 4856	4920	3E3B1CD.exe	120

C:\Users\Admin\AppData\Local\Temp\0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f19b5aac8ff795273ae813dcb821fd0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM services.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3160
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\3E3B1CD.exe
  C:\Windows\3E3B1CD.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4456
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5100
- - C:\Windows\3E3B1CDRZTVVT.exe
    C:\Windows\3E3B1CDRZTVVT.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:1872
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4528
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3840
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4888
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1428
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2120
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1468
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2748
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4352
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1196
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3032
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2912
  - - C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3884
  - - C:\Windows\3E3B1CDRZTVVT.exe
      C:\Windows\3E3B1CDRZTVVT.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3704
  - - C:\Windows\3E3B1CD.exe
      C:\Windows\3E3B1CD.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:680
- - C:\Windows\3E3B1CD.exe
    C:\Windows\3E3B1CD.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\3E3B1CD.exe

Filesize
20KB

MD5
35af80bf9c906be12dd8d2c294c95311

SHA1
e9ee02a0375efc107e4303838e0ce83310fde245

SHA256
7677d38a6d81e333b36eb8ee5989f9d934a80c498a45fa47bc2d9f1f4aac9a66

SHA512
d1c6fffb5ef3b99ad55886f2b39ca6766438ffc844434885e87683fe1ada21794b776f69ab7350044e83372169dbf86837630da10cf42ee78d9491428fe94aa7

Download Submit
C:\Windows\3E3B1CDRZTVVT.exe

Filesize
24KB

MD5
764577959c663218bf6950446d9dca1c

SHA1
0cec097a142b97b2602d00371f3c52552565fa13

SHA256
b78136a13265c46139b6ec492ee2c035d940f76515f0ef287da2c2a6604574a0

SHA512
9df1ec9e56eb871be3cbdc3f20dfcd0370674c9bdc41330465e5a78b96e0ae2d7db05a44c55313284fed82c85c2d26149ae7e1076c5b0702cacb24692c81331c

Download Submit
memory/680-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-63-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-51-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-49-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-67-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-39-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-65-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-41-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-53-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-43-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-45-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-61-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-47-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1872-59-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3704-24-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3704-19-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4616-35-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4820-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4820-37-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-50-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-52-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-48-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-58-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-46-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-44-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-62-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-42-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-64-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-40-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-66-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4920-38-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads