Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 10/06/2024, 22:09
Behavioral task: behavioral1
- Sample: 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
- Size: 20KB
- MD5: 1d2047e2b82e3a6362c9b6b72f405c30
- SHA1: 78d2e802568f37757c731443a11aea1ca17fc9e1
- SHA256: 0e90a3fb1722c7dbc684ff259cb2657a84d06c4bc21bce02c372fab639aa6c1e
- SHA512: e2a9845c16ff1e49962b86ea580ea79bbd141be0e441c62ead7d8c893f0ed323fa91170bc0990e5b7a30549fb8c4ffda82f9a96583ea8a76a03cb2672e421bda
- SSDEEP: 384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh59mUhlthLzK:g5BOFKksO1mE9B77777J77c77c77c71W
Malware Config
Signatures
-
- Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" (process: 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" (process: 1D6600A.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\1D6600A.exe\"" (process: 1D6600ASSQZSV.exe)
- Executes dropped EXE (5 IoCs)
  - PID 2200: 1D6600A.exe
  - PID 1320: 1D6600ASSQZSV.exe
  - PID 1968: 1D6600ASSQZSV.exe
  - PID 284: 1D6600A.exe
  - PID 1704: 1D6600A.exe
- YARA rule `upx` matched on the behavioral1 memory dumps and dropped files (list of matched resources omitted)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" (process: 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" (process: 1D6600A.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1D6600A.exe = "C:\\Windows\\1D6600A.exe" (process: 1D6600ASSQZSV.exe)
- Drops file in Windows directory (2 IoCs)
  - File opened for modification: C:\Windows\1D6600ASSQZSV.exe (process: 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe)
  - File opened for modification: C:\Windows\1D6600A.exe (process: 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe)
- Kills process with taskkill (42 IoCs): 42 TASKKILL.exe instances; the individual PIDs are listed in the process tree below
- Suspicious use of AdjustPrivilegeToken (42 IoCs): Token SeDebugPrivilege enabled by each of the 42 TASKKILL.exe instances
- Suspicious use of SetWindowsHookEx (6 IoCs)
  - PID 2844: 1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe
  - PID 2200: 1D6600A.exe
  - PID 1320: 1D6600ASSQZSV.exe
  - PID 1968: 1D6600ASSQZSV.exe
  - PID 284: 1D6600A.exe
  - PID 1704: 1D6600A.exe
- Suspicious use of WriteProcessMemory (64 IoCs): PID 2844 (1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe) wrote to the memory of each TASKKILL.exe child it spawned and of 1D6600A.exe (PID 2200); PID 2200 (1D6600A.exe) wrote to the memory of TASKKILL.exe (PID 2104). The per-event list is omitted.
Processes
- C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe (PID 2844, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d2047e2b82e3a6362c9b6b72f405c30_NeikiAnalytics.exe"
  Signatures: Modifies WinLogon for persistence; Adds Run key to start application; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 2100, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 1988, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 2188, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 2676, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 2580, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 1920, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 3044, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 2684, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 2696, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 2868, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 2728, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 1152, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 2748, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\TASKKILL.exe (PID 2852, depth 2)
    Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\1D6600A.exe (PID 2200, depth 2)
    Command line: C:\Windows\1D6600A.exe
    Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 2104, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 2956, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 1648, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 1804, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 2548, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 2784, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 2780, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 2776, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 2792, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 2820, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 2944, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 1608, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 532, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe (PID 480, depth 3)
      Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\1D6600ASSQZSV.exe (PID 1320, depth 3)
      Command line: C:\Windows\1D6600ASSQZSV.exe
      Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 2088, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 2092, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 2864, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 2880, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 2028, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 564, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 1984, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 772, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 3048, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 1900, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 908, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 2316, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 2336, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\TASKKILL.exe (PID 1040, depth 4)
        Command line: TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\1D6600ASSQZSV.exe (PID 1968, depth 4)
        Command line: C:\Windows\1D6600ASSQZSV.exe
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\Windows\1D6600A.exe (PID 284, depth 4)
        Command line: C:\Windows\1D6600A.exe
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\1D6600A.exe (PID 1704, depth 3)
      Command line: C:\Windows\1D6600A.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  - Filesize: 19KB
  - MD5: 0727f639efb9f92749d6aef08ae2d902
  - SHA1: 43097640d04a07228c1d52d376a122fa185d65f9
  - SHA256: c2ccbae0a961a025f103f59768dde94149d3c5d8f80ae4dbe0b2d1fe3c8fa955
  - SHA512: 547ebc7674d7a4ce0751a5d6f6ece4878873a5e8fcf90ef82ec309216bca0e90024fecd0d29c19ef37f0602abba57253534e152270416dacd556b8e2cd09c610
- Dropped file 2
  - Filesize: 16KB
  - MD5: dd8458aedbbd4a0ef1cc0030fe232d87
  - SHA1: 425ce52efeed2db6d81d39b7c56555597578ab48
  - SHA256: 11dce98da4350436be3a2bd90d320839d418c832883dc81e9f421ba0a9c4919b
  - SHA512: acf84e6a83eaefeea5beda5c000b878e662052964f1a2ec1e755cc3e4cef3b1db4f46c58b3e5939e5428ab9aa8363e8bea1ffdd1fd7c9d6806419f61faf29f72