0413c9f614a312dd40fb834255e2ae48056903c975249be3bd43b44879c67b79

Analysis

max time kernel
145s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe
Size

2.6MB
MD5

5faf6fe31a74438f64465a4c55443620
SHA1

7dffad46208bbcd6a203ea695ef67a3a1126a31b
SHA256

0413c9f614a312dd40fb834255e2ae48056903c975249be3bd43b44879c67b79
SHA512

4f1a51469479d814378f06452ef2ebc8f3f1b5bf2b419fd8dc9c23dba366129cc714e95090bfc927e1c7e68a6cec99b2de3f8a2539ccca6475b33079e177d59b
SSDEEP

24576:ObCj2sObHtqQ4QEfCr7w7yvuqqNq8FroaSaPXRackmrM4Biq7MhLv9GImmVfq4eX:ObCjPKNqQEfsw43qtmVfq48

Score

7^/10

collection discovery persistence spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

jhdfkldfhndfkjdfnbfklfnf.exewinmgr119.exewinmgr119.exe

pid process

1472 jhdfkldfhndfkjdfnbfklfnf.exe
4240 winmgr119.exe
5064 winmgr119.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1472	jhdfkldfhndfkjdfnbfklfnf.exe
4240	winmgr119.exe
5064	winmgr119.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5084-15-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/5084-16-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/5084-17-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/5084-22-0x0000000000400000-0x000000000048E000-memory.dmp	upx
behavioral2/memory/4292-26-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4292-29-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4292-28-0x0000000000400000-0x0000000000491000-memory.dmp	upx
behavioral2/memory/4292-33-0x0000000000400000-0x0000000000491000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

cvtres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	cvtres.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exejhdfkldfhndfkjdfnbfklfnf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhdfkldfhndfkjdfnbfklfnf = "C:\\ProgramData\\jhdfkldfhndfkjdfnbfklfnf.exe"	jhdfkldfhndfkjdfnbfklfnf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 icanhazip.com

flow	ioc
6	icanhazip.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe	autoit_exe
C:\ProgramData\winmgr119.exe	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

jhdfkldfhndfkjdfnbfklfnf.exeRegAsm.exe

description	pid	process	target process
PID 1472 set thread context of 4364	1472	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 4364 set thread context of 5084	4364	RegAsm.exe	cvtres.exe
PID 4364 set thread context of 4292	4364	RegAsm.exe	cvtres.exe
PID 4364 set thread context of 1376	4364	RegAsm.exe	cvtres.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3384	schtasks.exe
1568	schtasks.exe
3648	schtasks.exe
1664	schtasks.exe
2476	schtasks.exe
4520	schtasks.exe
2100	schtasks.exe
4612	schtasks.exe
3244	schtasks.exe
1864	schtasks.exe
2852	schtasks.exe
2020	schtasks.exe
2784	schtasks.exe
4448	schtasks.exe
5016	schtasks.exe
1436	schtasks.exe
4900	schtasks.exe
1600	schtasks.exe
2304	schtasks.exe
2936	schtasks.exe
1216	schtasks.exe
3844	schtasks.exe
5024	schtasks.exe
1620	schtasks.exe
2944	schtasks.exe

NTFS ADS 4 IoCs

Processes:

5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exejhdfkldfhndfkjdfnbfklfnf.exewinmgr119.exewinmgr119.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe:Zone.Identifier:$DATA	5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe
File created	C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe:Zone.Identifier:$DATA	jhdfkldfhndfkjdfnbfklfnf.exe
File created	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe
File opened for modification	C:\ProgramData\winmgr119.exe:Zone.Identifier:$DATA	winmgr119.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exejhdfkldfhndfkjdfnbfklfnf.exeRegAsm.exewinmgr119.exe

pid	process
3656	5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe
3656	5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4240	winmgr119.exe
4240	winmgr119.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
1472	jhdfkldfhndfkjdfnbfklfnf.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe
4364	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegAsm.execvtres.execvtres.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	4364	RegAsm.exe
Token: SeDebugPrivilege	5084	cvtres.exe
Token: SeDebugPrivilege	4292	cvtres.exe
Token: SeDebugPrivilege	1376	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

4364 RegAsm.exe

pid	process
4364	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exejhdfkldfhndfkjdfnbfklfnf.exeRegAsm.exe

description	pid	process	target process
PID 3656 wrote to memory of 1472	3656	5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe	jhdfkldfhndfkjdfnbfklfnf.exe
PID 3656 wrote to memory of 1472	3656	5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe	jhdfkldfhndfkjdfnbfklfnf.exe
PID 3656 wrote to memory of 1472	3656	5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe	jhdfkldfhndfkjdfnbfklfnf.exe
PID 1472 wrote to memory of 4364	1472	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 1472 wrote to memory of 4364	1472	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 1472 wrote to memory of 4364	1472	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 1472 wrote to memory of 4364	1472	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 1472 wrote to memory of 4364	1472	jhdfkldfhndfkjdfnbfklfnf.exe	RegAsm.exe
PID 1472 wrote to memory of 1600	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 1600	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 1600	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 4364 wrote to memory of 5084	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 5084	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 5084	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 5084	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 5084	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 5084	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 5084	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 4292	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 4292	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 4292	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 4292	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 4292	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 4292	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 4292	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 1376	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 1376	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 1376	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 1376	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 1376	4364	RegAsm.exe	cvtres.exe
PID 4364 wrote to memory of 1376	4364	RegAsm.exe	cvtres.exe
PID 1472 wrote to memory of 3844	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 3844	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 3844	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 3384	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 3384	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 3384	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 2304	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 2304	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 2304	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 2020	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 2020	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 2020	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 4612	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 4612	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 4612	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 2784	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 2784	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 2784	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 3648	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 3648	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 3648	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 3244	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 3244	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 3244	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 5024	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 5024	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 5024	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 4448	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 4448	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 4448	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 5016	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 5016	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe
PID 1472 wrote to memory of 5016	1472	jhdfkldfhndfkjdfnbfklfnf.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5faf6fe31a74438f64465a4c55443620_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3656

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
0
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpAA99.tmp"
4⤵
- Accesses Microsoft Outlook accounts
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmpAAF7.tmp"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1600

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3844

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3384

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2304

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2020

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4612

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2784

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3648

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:3244

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:5024

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4448

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:5016

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1620

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1864

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2852

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2100

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4900

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2944

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2936

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1568

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:1216

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:2476

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr119.exe" /tr "C:\ProgramData\winmgr119.exe" /f
3⤵
- Creates scheduled task(s)
PID:4520

C:\ProgramData\winmgr119.exe
C:\ProgramData\winmgr119.exe
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4240

C:\ProgramData\winmgr119.exe
C:\ProgramData\winmgr119.exe
1⤵
- Executes dropped EXE
- NTFS ADS
PID:5064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jhdfkldfhndfkjdfnbfklfnf.exe
Filesize
2.6MB

MD5
3e3a68df8785852f214a8449f74fb1ef

SHA1
2c9ce46dbde7b5ac513aa301cfd4ea53aae4b731

SHA256
3076a48c7d0031c1668c126d942f2118cd554a0c90d1eba591db2f9bc9576488

SHA512
fb651b00e77eea0df6e396b864377c68ff91e17974a3178155c061f71f098446181eb20e77cd399c767359654d8bc554cf481c9a97b5c2613ff2e6155f765b9d

Download Submit
C:\ProgramData\khaxFMfI\2c945db753d341ef9b0f02d75d493749
Filesize
8B

MD5
ecd43d04f2aea3d11b53e69b02484b7c

SHA1
fee832b2fd399614449884c40cf8e5bca953cc30

SHA256
59fdeaced9b5129008b16d99e2862d71befe6eb989328482ce39b3e2e04fbf18

SHA512
416951101a44242e0f827a26a915e2fb8510a7249124fc0778f3d70da203c32630501947fdec22ff4bc043fbc1be198c3b36536902768fb90e600640b9bb2b0a

Download Submit
C:\ProgramData\winmgr119.exe
Filesize
2.6MB

MD5
c2026ee678c9dbb2012ee7e8e97ff766

SHA1
a68abc487117a376238c1e8b33e505dc1fa1d609

SHA256
a27911937a5867c716e83c7751537cbc85e7d32d122bd8ba362a526baa3d9a06

SHA512
96f97b1639122953eb422655d7084d5650a4c22fe907507b3e0dd1b1cbd2346cace01e3250b37d67ed72c0223287f2e71ff1e1c92c10427a53638293e878a0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp
Filesize
1KB

MD5
b0cc2e6f2d8036c9b5fef218736fa9c9

SHA1
64fd3017625979c95ba09d7cbea201010a82f73f

SHA256
997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50

SHA512
a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA99.tmp
Filesize
400B

MD5
de4e5ff058882957cf8a3b5f839a031f

SHA1
0b3d8279120fb5fa27efbd9eee89695aa040fc24

SHA256
ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49

SHA512
a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAAF7.tmp
Filesize
391B

MD5
3525ea58bba48993ea0d01b65ea71381

SHA1
1b917678fdd969e5ee5916e5899e7c75a979cf4d

SHA256
681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2

SHA512
5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

Download Submit
memory/1376-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1376-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1376-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4292-26-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4292-33-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4292-29-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4292-28-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4364-9-0x0000000073472000-0x0000000073473000-memory.dmp

Filesize
4KB

Download
memory/4364-11-0x0000000073470000-0x0000000073A21000-memory.dmp

Filesize
5.7MB

Download
memory/4364-10-0x0000000073470000-0x0000000073A21000-memory.dmp

Filesize
5.7MB

Download
memory/4364-48-0x0000000073472000-0x0000000073473000-memory.dmp

Filesize
4KB

Download
memory/4364-49-0x0000000073470000-0x0000000073A21000-memory.dmp

Filesize
5.7MB

Download
memory/4364-8-0x00000000009A0000-0x0000000000A6A000-memory.dmp

Filesize
808KB

Download
memory/5084-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5084-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5084-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5084-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download