9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe
Size

332KB
MD5

1cff415f77f8579cfcd5258982fdbab0
SHA1

b6ad7439ede14e8b6b16b5065e595c206c36f643
SHA256

9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa
SHA512

e76756362f846d38961c69c41410e6242c78c06ddab473a9d50c27e362da8b7b3e2eb397b83ada893df808572b5ba335dafa1b84a9f2487090027b9f2667339e
SSDEEP

6144:za3lK7BXzHgjDRT4wVuK11sFEwBpkLSm+luSk6XqLb+KV/YF+75ui5uc0nCOuO:zKUSjD/uK11g9kF/6XqLb+KdYO5ui5uV

Score

8^/10

collection persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\KeenSense.sys	qservice.exe
File created	C:\Windows\SysWOW64\drivers\ksdevice.sys	qservice.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0009000000015c83-28.dat	acprotect

Deletes itself 1 IoCs

pid	Process
1140	cmd.exe

Executes dropped EXE 18 IoCs

pid	Process
2392	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics..exe
2116	qservice.exe
1484	agnt_fps.exe
2264	agnt_mps.exe
2748	agnt_msn.exe
1916	agnt_pnc.exe
2060	agnt_fps.exe
1688	agnt_mps.exe
768	agnt_msn.exe
980	agnt_pnc.exe
1608	agnt_fps.exe
1940	agnt_mps.exe
2000	agnt_msn.exe
2492	agnt_pnc.exe
588	agnt_fps.exe
1468	agnt_mps.exe
2180	agnt_msn.exe
2556	agnt_pnc.exe

Loads dropped DLL 35 IoCs

pid	Process
2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe
2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2932-0-0x0000000013140000-0x0000000013150000-memory.dmp	upx
behavioral1/files/0x002c000000015c2f-15.dat	upx
behavioral1/memory/2116-20-0x0000000013140000-0x0000000013150000-memory.dmp	upx
behavioral1/memory/2116-26-0x0000000001FB0000-0x000000000203A000-memory.dmp	upx
behavioral1/files/0x0009000000015c83-28.dat	upx
behavioral1/files/0x0006000000016c21-105.dat	upx
behavioral1/memory/2116-106-0x00000000002F0000-0x00000000002FF000-memory.dmp	upx
behavioral1/memory/1484-113-0x0000000000400000-0x000000000040E400-memory.dmp	upx
behavioral1/memory/2932-114-0x0000000013140000-0x0000000013150000-memory.dmp	upx
behavioral1/memory/2116-115-0x0000000013140000-0x0000000013150000-memory.dmp	upx
behavioral1/memory/2116-116-0x0000000001FB0000-0x000000000203A000-memory.dmp	upx
behavioral1/memory/1484-118-0x0000000000400000-0x000000000040E400-memory.dmp	upx
behavioral1/files/0x0007000000016c21-121.dat	upx
behavioral1/memory/2116-122-0x00000000002F0000-0x0000000000304000-memory.dmp	upx
behavioral1/memory/2264-132-0x0000000000400000-0x0000000000413400-memory.dmp	upx
behavioral1/memory/2264-133-0x0000000000400000-0x0000000000413400-memory.dmp	upx
behavioral1/files/0x0008000000016c21-136.dat	upx
behavioral1/memory/2116-138-0x00000000002F0000-0x0000000000307000-memory.dmp	upx
behavioral1/memory/2748-144-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2748-145-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x0009000000016c21-149.dat	upx
behavioral1/memory/2116-156-0x0000000001FB0000-0x000000000203A000-memory.dmp	upx
behavioral1/memory/1916-159-0x0000000000400000-0x0000000000428200-memory.dmp	upx
behavioral1/memory/2116-158-0x0000000002560000-0x0000000002589000-memory.dmp	upx
behavioral1/memory/1916-161-0x0000000000400000-0x0000000000428200-memory.dmp	upx
behavioral1/memory/2116-164-0x00000000002F0000-0x00000000002FF000-memory.dmp	upx
behavioral1/memory/2116-167-0x0000000001FB0000-0x000000000203A000-memory.dmp	upx
behavioral1/memory/2116-169-0x00000000002F0000-0x0000000000304000-memory.dmp	upx
behavioral1/memory/2932-181-0x0000000013140000-0x0000000013150000-memory.dmp	upx
behavioral1/memory/2116-187-0x0000000001FB0000-0x000000000203A000-memory.dmp	upx
behavioral1/memory/2116-197-0x0000000002660000-0x000000000266F000-memory.dmp	upx
behavioral1/memory/2060-198-0x0000000000400000-0x000000000040E400-memory.dmp	upx
behavioral1/memory/1688-209-0x0000000000400000-0x0000000000413400-memory.dmp	upx
behavioral1/memory/1688-210-0x0000000000400000-0x0000000000413400-memory.dmp	upx
behavioral1/memory/768-221-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/980-234-0x0000000000400000-0x0000000000428200-memory.dmp	upx
behavioral1/memory/2116-238-0x0000000001FB0000-0x000000000203A000-memory.dmp	upx
behavioral1/memory/2116-249-0x0000000001FB0000-0x000000000203A000-memory.dmp	upx
behavioral1/memory/1608-261-0x0000000000400000-0x000000000040E400-memory.dmp	upx
behavioral1/memory/1608-262-0x0000000000400000-0x000000000040E400-memory.dmp	upx
behavioral1/memory/1940-275-0x0000000000400000-0x0000000000413400-memory.dmp	upx
behavioral1/memory/1940-273-0x0000000000400000-0x0000000000413400-memory.dmp	upx
behavioral1/memory/2000-286-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2000-287-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2116-293-0x00000000025D0000-0x00000000025F9000-memory.dmp	upx
behavioral1/memory/2492-301-0x0000000000400000-0x0000000000428200-memory.dmp	upx
behavioral1/memory/2492-303-0x0000000000400000-0x0000000000428200-memory.dmp	upx
behavioral1/memory/2116-307-0x0000000001FB0000-0x000000000203A000-memory.dmp	upx
behavioral1/memory/2116-309-0x00000000025D0000-0x00000000025DF000-memory.dmp	upx
behavioral1/memory/2116-310-0x00000000025D0000-0x00000000025E4000-memory.dmp	upx
behavioral1/memory/2116-311-0x00000000025D0000-0x00000000025E7000-memory.dmp	upx
behavioral1/memory/2116-317-0x0000000001FB0000-0x000000000203A000-memory.dmp	upx
behavioral1/memory/588-328-0x0000000000400000-0x000000000040E400-memory.dmp	upx
behavioral1/memory/1468-339-0x0000000000400000-0x0000000000413400-memory.dmp	upx
behavioral1/memory/1468-340-0x0000000000400000-0x0000000000413400-memory.dmp	upx
behavioral1/memory/2180-352-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2180-351-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2556-364-0x0000000000400000-0x0000000000428200-memory.dmp	upx
behavioral1/memory/2556-367-0x0000000000400000-0x0000000000428200-memory.dmp	upx
behavioral1/memory/2116-371-0x0000000001FB0000-0x000000000203A000-memory.dmp	upx
behavioral1/memory/2116-378-0x0000000001FB0000-0x000000000203A000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 4 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	agnt_mps.exe
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	agnt_mps.exe
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	agnt_mps.exe
Key opened	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	agnt_mps.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qservices = "C:\\Windows\\qservice.exe"	qservice.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	qservice.exe
File opened (read-only)	\??\J:	qservice.exe
File opened (read-only)	\??\P:	qservice.exe
File opened (read-only)	\??\Y:	qservice.exe
File opened (read-only)	\??\L:	qservice.exe
File opened (read-only)	\??\M:	qservice.exe
File opened (read-only)	\??\Q:	qservice.exe
File opened (read-only)	\??\U:	qservice.exe
File opened (read-only)	\??\B:	qservice.exe
File opened (read-only)	\??\H:	qservice.exe
File opened (read-only)	\??\I:	qservice.exe
File opened (read-only)	\??\K:	qservice.exe
File opened (read-only)	\??\V:	qservice.exe
File opened (read-only)	\??\W:	qservice.exe
File opened (read-only)	\??\A:	qservice.exe
File opened (read-only)	\??\N:	qservice.exe
File opened (read-only)	\??\T:	qservice.exe
File opened (read-only)	\??\X:	qservice.exe
File opened (read-only)	\??\Z:	qservice.exe
File opened (read-only)	\??\E:	qservice.exe
File opened (read-only)	\??\O:	qservice.exe
File opened (read-only)	\??\R:	qservice.exe
File opened (read-only)	\??\S:	qservice.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\agnt_mps.exe	qservice.exe
File created	C:\Windows\SysWOW64\agnt_mps.dat	agnt_mps.exe
File created	C:\Windows\SysWOW64\agnt_fps.dat	agnt_fps.exe
File created	C:\Windows\SysWOW64\agnt_msn.dat	agnt_msn.exe
File created	C:\Windows\SysWOW64\_pnc.dat	agnt_pnc.exe
File created	C:\Windows\SysWOW64\agnt_fps.dat	agnt_fps.exe
File created	C:\Windows\SysWOW64\agnt_pnc.exe	qservice.exe
File created	C:\Windows\SysWOW64\agnt_msn.dat	agnt_msn.exe
File created	C:\Windows\SysWOW64\agnt_fps.dat	agnt_fps.exe
File created	C:\Windows\SysWOW64\agnt_mps.dat	agnt_mps.exe
File created	C:\Windows\SysWOW64\HookApi.dll	qservice.exe
File created	C:\Windows\SysWOW64\agnt_msn.dat	agnt_msn.exe
File created	C:\Windows\SysWOW64\agnt_fps.dat	agnt_fps.exe
File created	C:\Windows\SysWOW64\agnt_msn.dat	agnt_msn.exe
File created	C:\Windows\SysWOW64\_pnc.dat	agnt_pnc.exe
File created	C:\Windows\SysWOW64\agnt_mps.dat	agnt_mps.exe
File created	C:\Windows\SysWOW64\agnt_fps.exe	qservice.exe
File created	C:\Windows\SysWOW64\agnt_msn.exe	qservice.exe
File created	C:\Windows\SysWOW64\_pnc.dat	agnt_pnc.exe
File created	C:\Windows\SysWOW64\agnt_mps.dat	agnt_mps.exe
File created	C:\Windows\SysWOW64\_pnc.dat	agnt_pnc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\services.dll	qservice.exe
File opened for modification	C:\Windows\services.dll	qservice.exe
File created	C:\Windows\kurlmon.dll	qservice.exe
File created	C:\Windows\qservice.exe	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe
File opened for modification	C:\Windows\qservice.exe	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	qservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	qservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	qservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	qservice.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	qservice.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe
2116	qservice.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2392	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics..exe
2116	qservice.exe
2116	qservice.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2392	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2392	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2392	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2392	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	28
PID 2932 wrote to memory of 2116	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	29
PID 2932 wrote to memory of 2116	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	29
PID 2932 wrote to memory of 2116	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	29
PID 2932 wrote to memory of 2116	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	29
PID 2116 wrote to memory of 2668	2116	qservice.exe	30
PID 2116 wrote to memory of 2668	2116	qservice.exe	30
PID 2116 wrote to memory of 2668	2116	qservice.exe	30
PID 2116 wrote to memory of 2668	2116	qservice.exe	30
PID 2116 wrote to memory of 2668	2116	qservice.exe	30
PID 2116 wrote to memory of 1484	2116	qservice.exe	31
PID 2116 wrote to memory of 1484	2116	qservice.exe	31
PID 2116 wrote to memory of 1484	2116	qservice.exe	31
PID 2116 wrote to memory of 1484	2116	qservice.exe	31
PID 2116 wrote to memory of 2264	2116	qservice.exe	32
PID 2116 wrote to memory of 2264	2116	qservice.exe	32
PID 2116 wrote to memory of 2264	2116	qservice.exe	32
PID 2116 wrote to memory of 2264	2116	qservice.exe	32
PID 2116 wrote to memory of 2748	2116	qservice.exe	33
PID 2116 wrote to memory of 2748	2116	qservice.exe	33
PID 2116 wrote to memory of 2748	2116	qservice.exe	33
PID 2116 wrote to memory of 2748	2116	qservice.exe	33
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2116 wrote to memory of 1916	2116	qservice.exe	34
PID 2932 wrote to memory of 1140	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	35
PID 2932 wrote to memory of 1140	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	35
PID 2932 wrote to memory of 1140	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	35
PID 2932 wrote to memory of 1140	2932	9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe	35
PID 2116 wrote to memory of 2060	2116	qservice.exe	39
PID 2116 wrote to memory of 2060	2116	qservice.exe	39
PID 2116 wrote to memory of 2060	2116	qservice.exe	39
PID 2116 wrote to memory of 2060	2116	qservice.exe	39
PID 2116 wrote to memory of 1688	2116	qservice.exe	40
PID 2116 wrote to memory of 1688	2116	qservice.exe	40
PID 2116 wrote to memory of 1688	2116	qservice.exe	40
PID 2116 wrote to memory of 1688	2116	qservice.exe	40
PID 2116 wrote to memory of 768	2116	qservice.exe	41
PID 2116 wrote to memory of 768	2116	qservice.exe	41
PID 2116 wrote to memory of 768	2116	qservice.exe	41
PID 2116 wrote to memory of 768	2116	qservice.exe	41
PID 2116 wrote to memory of 980	2116	qservice.exe	42
PID 2116 wrote to memory of 980	2116	qservice.exe	42
PID 2116 wrote to memory of 980	2116	qservice.exe	42
PID 2116 wrote to memory of 980	2116	qservice.exe	42
PID 2116 wrote to memory of 980	2116	qservice.exe	42
PID 2116 wrote to memory of 980	2116	qservice.exe	42
PID 2116 wrote to memory of 980	2116	qservice.exe	42
PID 2116 wrote to memory of 980	2116	qservice.exe	42
PID 2116 wrote to memory of 980	2116	qservice.exe	42

C:\Users\Admin\AppData\Local\Temp\9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics..exe
  "C:\Users\Admin\AppData\Local\Temp\9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics..exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2392
- C:\Windows\qservice.exe
  C:\Windows\qservice.exe /start
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\agnt_fps.exe
    C:\Windows\system32\agnt_fps.exe /STEXT agnt_fps.dat
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1484
- - C:\Windows\SysWOW64\agnt_mps.exe
    C:\Windows\system32\agnt_mps.exe /STEXT agnt_mps.dat
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Drops file in System32 directory
    PID:2264
- - C:\Windows\SysWOW64\agnt_msn.exe
    C:\Windows\system32\agnt_msn.exe /STEXT agnt_msn.dat
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2748
- - C:\Windows\SysWOW64\agnt_pnc.exe
    C:\Windows\system32\agnt_pnc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1916
- - C:\Windows\SysWOW64\agnt_fps.exe
    C:\Windows\system32\agnt_fps.exe /STEXT agnt_fps.dat
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2060
- - C:\Windows\SysWOW64\agnt_mps.exe
    C:\Windows\system32\agnt_mps.exe /STEXT agnt_mps.dat
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Drops file in System32 directory
    PID:1688
- - C:\Windows\SysWOW64\agnt_msn.exe
    C:\Windows\system32\agnt_msn.exe /STEXT agnt_msn.dat
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:768
- - C:\Windows\SysWOW64\agnt_pnc.exe
    C:\Windows\system32\agnt_pnc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:980
- - C:\Windows\SysWOW64\agnt_fps.exe
    C:\Windows\system32\agnt_fps.exe /STEXT agnt_fps.dat
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1608
- - C:\Windows\SysWOW64\agnt_mps.exe
    C:\Windows\system32\agnt_mps.exe /STEXT agnt_mps.dat
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Drops file in System32 directory
    PID:1940
- - C:\Windows\SysWOW64\agnt_msn.exe
    C:\Windows\system32\agnt_msn.exe /STEXT agnt_msn.dat
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2000
- - C:\Windows\SysWOW64\agnt_pnc.exe
    C:\Windows\system32\agnt_pnc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2492
- - C:\Windows\SysWOW64\agnt_fps.exe
    C:\Windows\system32\agnt_fps.exe /STEXT agnt_fps.dat
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:588
- - C:\Windows\SysWOW64\agnt_mps.exe
    C:\Windows\system32\agnt_mps.exe /STEXT agnt_mps.dat
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Drops file in System32 directory
    PID:1468
- - C:\Windows\SysWOW64\agnt_msn.exe
    C:\Windows\system32\agnt_msn.exe /STEXT agnt_msn.dat
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2180
- - C:\Windows\SysWOW64\agnt_pnc.exe
    C:\Windows\system32\agnt_pnc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\9C85F6~1.EXE.bat
  2⤵
  - Deletes itself
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9C85F6~1.EXE.bat

Filesize
133B

MD5
828fb76499a8055bef296b5a67c09367

SHA1
f4f2d7748f716595f5a5330929e930ab0ab5168e

SHA256
d3f0682225e7fb6ddc38edbeb1ce78bb874a5642a3496759813f3d115e9c93a2

SHA512
43880a6f775608c99f1bcc9f8b05f1b7848d69572ac3e0ce64de66a357d28fc40114077ff192730453f113d2b91f415bc450d3a863d3658abfffebeb85a65f2b

Download Submit
C:\Windows\SysWOW64\_pnc.dat

Filesize
214B

MD5
2161a9c91deba7632f4be7326c5e4408

SHA1
368ba47f0c58df341138763564de25a71c437d04

SHA256
0b8cc9b79e271ddb4ef47ca7fdb0692fa5d5d5f0719c8a16081c5c45b21af648

SHA512
4dba295418bc3b59e0527cf82e92eea39e78d048d7edf8348a2dac1e6516ab21f064ec7b367c6c7475991eb78c8deb5d6d8234a31b327bcf252942f295b1b791

Download Submit
C:\Windows\qservice.exe

Filesize
332KB

MD5
1cff415f77f8579cfcd5258982fdbab0

SHA1
b6ad7439ede14e8b6b16b5065e595c206c36f643

SHA256
9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa

SHA512
e76756362f846d38961c69c41410e6242c78c06ddab473a9d50c27e362da8b7b3e2eb397b83ada893df808572b5ba335dafa1b84a9f2487090027b9f2667339e

Download Submit
C:\Windows\services.dll

Filesize
307KB

MD5
5d7d517f59b796fe32d5bab21c46252d

SHA1
b875ad60271d646e2aa04810606fcb2d88b8370a

SHA256
1c6a4a3c92df9f97562886f7d09360a37b7c7751382ae13a837dad65d57b6a83

SHA512
c67ddc6f57bd42ab24ef4cd5d8b63e871b724fa19b5783c780a4a97fed41b7b0139b5a63fc0696ff90cdc6d308db90a6bcdc0c26c47b9dd9aab8e996cb976b30

Download Submit
\Users\Admin\AppData\Local\Temp\9c85f61cdefce40abf5727e4c64b72bbffabf359741287327702fd55f8fb51aa_NeikiAnalytics..exe

Filesize
92KB

MD5
7380cc0ed8f915b6de61667a56b7debd

SHA1
336fc052394e012adb1eb4b2de75e31f53b873e3

SHA256
572501560dcc665a4a98c508bb4d7e203c710c054fe57f112bfbedf347b696b0

SHA512
6ba72b2ef805e0580a028a952b4a9de6bed03d92d9ef5ff152621437a6c7637b817e4f47607336265ce4e0307856ffe5800e20e07616a27b39bac612fc81fd90

Download Submit
\Windows\SysWOW64\HookApi.dll

Filesize
6KB

MD5
80b41f0fba6e91608de1764d275a5d58

SHA1
dceb77a9d6fd0a4bd67162e398b060b4085fb33d

SHA256
c9704530cc7446b55a822e1d90139f173b7e9bcd91a1c459374760fe1f1944dd

SHA512
6fb36edec90e879949b0d50a7d77124228dbfb1d3c9ab5d984dbcf32c6cba6d0aa9971afe42978f39f59c23bcb71edd91651ffb89d3713d3da04a3cb98a6839f

Download Submit
\Windows\SysWOW64\agnt_fps.exe

Filesize
16KB

MD5
980e435d497fbc8678cc917da675d5b0

SHA1
854abcd5070e9a56feb7aedeb4b6db266ff3359e

SHA256
101feaaad8ed1c706b6209152f7e1a1b205aa8216670c49bc93b7e3d888b56a8

SHA512
fe53aaf4ffc85db848ef73546b8be5b8d45ce91f5aee87d9f50af0cd53b1bc7fffb8cc25330337d1a05e083f05bf2a54782715affa36554c2c671f3f95ef49a7

Download Submit
\Windows\SysWOW64\agnt_mps.exe

Filesize
26KB

MD5
5be859093eacebe509ab73bceed38e8b

SHA1
4bed79e9986f73ced28aaa6c25488b5810388231

SHA256
faa777fa327ab69f44ba59969d30746705e9ef5c68b30b6f1de3a5ec071078c8

SHA512
9b17ceba4528553bd9e2323744aa37f19ac90e5aa706f0254da63b29582f5d56a1546f0bb684c468224e21c12a4f337f03d195dc7aff28d7e64ecb91645c277a

Download Submit
\Windows\SysWOW64\agnt_msn.exe

Filesize
36KB

MD5
046784d4faf97793871baaf889894dfb

SHA1
ecd8c38368258da88383876f55340d350c06e3a1

SHA256
2f5342c32db36f746d361709c06da475f71484a34a8c93e1ba47e8daf054b46a

SHA512
eac78ea32fd20311b775bddceec0f47c6ab7cd324cb05804297d4938605d8ea7f77ec404bbbfcd9ba834cfa7fc410ec85236185468fc4bf626f6b5550e7c8b66

Download Submit
\Windows\SysWOW64\agnt_pnc.exe

Filesize
7KB

MD5
7cd7c5b7fddd894c71269bda50cab264

SHA1
427268377e930226fc272adda5b090c0930208a3

SHA256
326c5cd185e416deb37dc1065092ee285fb0657a12a02c67ab0f0de40c8bfa36

SHA512
daff1c943ea533607f5d065442c15c7f8c2887b6cddd6653a4ee764ff929c319580771781bf16d7c54fa39eb000e9346036c1b8ca9d6dad0822a93385a0e540c

Download Submit
memory/588-328-0x0000000000400000-0x000000000040E400-memory.dmp

Filesize
57KB

Download
memory/768-221-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/980-234-0x0000000000400000-0x0000000000428200-memory.dmp

Filesize
160KB

Download
memory/1468-340-0x0000000000400000-0x0000000000413400-memory.dmp

Filesize
77KB

Download
memory/1468-339-0x0000000000400000-0x0000000000413400-memory.dmp

Filesize
77KB

Download
memory/1484-113-0x0000000000400000-0x000000000040E400-memory.dmp

Filesize
57KB

Download
memory/1484-118-0x0000000000400000-0x000000000040E400-memory.dmp

Filesize
57KB

Download
memory/1608-262-0x0000000000400000-0x000000000040E400-memory.dmp

Filesize
57KB

Download
memory/1608-261-0x0000000000400000-0x000000000040E400-memory.dmp

Filesize
57KB

Download
memory/1688-209-0x0000000000400000-0x0000000000413400-memory.dmp

Filesize
77KB

Download
memory/1688-210-0x0000000000400000-0x0000000000413400-memory.dmp

Filesize
77KB

Download
memory/1916-161-0x0000000000400000-0x0000000000428200-memory.dmp

Filesize
160KB

Download
memory/1916-159-0x0000000000400000-0x0000000000428200-memory.dmp

Filesize
160KB

Download
memory/1940-275-0x0000000000400000-0x0000000000413400-memory.dmp

Filesize
77KB

Download
memory/1940-273-0x0000000000400000-0x0000000000413400-memory.dmp

Filesize
77KB

Download
memory/2000-287-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2000-286-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2060-198-0x0000000000400000-0x000000000040E400-memory.dmp

Filesize
57KB

Download
memory/2116-167-0x0000000001FB0000-0x000000000203A000-memory.dmp

Filesize
552KB

Download
memory/2116-371-0x0000000001FB0000-0x000000000203A000-memory.dmp

Filesize
552KB

Download
memory/2116-315-0x00000000025D0000-0x00000000025F9000-memory.dmp

Filesize
164KB

Download
memory/2116-156-0x0000000001FB0000-0x000000000203A000-memory.dmp

Filesize
552KB

Download
memory/2116-311-0x00000000025D0000-0x00000000025E7000-memory.dmp

Filesize
92KB

Download
memory/2116-158-0x0000000002560000-0x0000000002589000-memory.dmp

Filesize
164KB

Download
memory/2116-157-0x0000000002560000-0x0000000002589000-memory.dmp

Filesize
164KB

Download
memory/2116-131-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/2116-350-0x00000000025D0000-0x00000000025E7000-memory.dmp

Filesize
92KB

Download
memory/2116-164-0x00000000002F0000-0x00000000002FF000-memory.dmp

Filesize
60KB

Download
memory/2116-317-0x0000000001FB0000-0x000000000203A000-memory.dmp

Filesize
552KB

Download
memory/2116-169-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/2116-362-0x00000000025D0000-0x00000000025F9000-memory.dmp

Filesize
164KB

Download
memory/2116-338-0x00000000025D0000-0x00000000025E4000-memory.dmp

Filesize
80KB

Download
memory/2116-183-0x00000000002F0000-0x0000000000307000-memory.dmp

Filesize
92KB

Download
memory/2116-184-0x0000000002560000-0x0000000002589000-memory.dmp

Filesize
164KB

Download
memory/2116-185-0x0000000002560000-0x0000000002589000-memory.dmp

Filesize
164KB

Download
memory/2116-187-0x0000000001FB0000-0x000000000203A000-memory.dmp

Filesize
552KB

Download
memory/2116-197-0x0000000002660000-0x000000000266F000-memory.dmp

Filesize
60KB

Download
memory/2116-122-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/2116-208-0x0000000002730000-0x0000000002744000-memory.dmp

Filesize
80KB

Download
memory/2116-116-0x0000000001FB0000-0x000000000203A000-memory.dmp

Filesize
552KB

Download
memory/2116-117-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2116-217-0x0000000002730000-0x0000000002747000-memory.dmp

Filesize
92KB

Download
memory/2116-115-0x0000000013140000-0x0000000013150000-memory.dmp

Filesize
64KB

Download
memory/2116-138-0x00000000002F0000-0x0000000000307000-memory.dmp

Filesize
92KB

Download
memory/2116-238-0x0000000001FB0000-0x000000000203A000-memory.dmp

Filesize
552KB

Download
memory/2116-243-0x0000000002730000-0x0000000002747000-memory.dmp

Filesize
92KB

Download
memory/2116-247-0x0000000002900000-0x0000000002929000-memory.dmp

Filesize
164KB

Download
memory/2116-249-0x0000000001FB0000-0x000000000203A000-memory.dmp

Filesize
552KB

Download
memory/2116-258-0x00000000025D0000-0x00000000025DF000-memory.dmp

Filesize
60KB

Download
memory/2116-106-0x00000000002F0000-0x00000000002FF000-memory.dmp

Filesize
60KB

Download
memory/2116-259-0x00000000025D0000-0x00000000025DF000-memory.dmp

Filesize
60KB

Download
memory/2116-102-0x00000000002E0000-0x00000000002E5000-memory.dmp

Filesize
20KB

Download
memory/2116-272-0x00000000025D0000-0x00000000025E4000-memory.dmp

Filesize
80KB

Download
memory/2116-103-0x00000000002E1000-0x00000000002E2000-memory.dmp

Filesize
4KB

Download
memory/2116-26-0x0000000001FB0000-0x000000000203A000-memory.dmp

Filesize
552KB

Download
memory/2116-376-0x00000000025D0000-0x00000000025F9000-memory.dmp

Filesize
164KB

Download
memory/2116-285-0x00000000025D0000-0x00000000025E7000-memory.dmp

Filesize
92KB

Download
memory/2116-378-0x0000000001FB0000-0x000000000203A000-memory.dmp

Filesize
552KB

Download
memory/2116-293-0x00000000025D0000-0x00000000025F9000-memory.dmp

Filesize
164KB

Download
memory/2116-20-0x0000000013140000-0x0000000013150000-memory.dmp

Filesize
64KB

Download
memory/2116-327-0x00000000025D0000-0x00000000025DF000-memory.dmp

Filesize
60KB

Download
memory/2116-299-0x00000000025D0000-0x00000000025F9000-memory.dmp

Filesize
164KB

Download
memory/2116-307-0x0000000001FB0000-0x000000000203A000-memory.dmp

Filesize
552KB

Download
memory/2116-309-0x00000000025D0000-0x00000000025DF000-memory.dmp

Filesize
60KB

Download
memory/2116-310-0x00000000025D0000-0x00000000025E4000-memory.dmp

Filesize
80KB

Download
memory/2180-351-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2180-352-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2264-132-0x0000000000400000-0x0000000000413400-memory.dmp

Filesize
77KB

Download
memory/2264-133-0x0000000000400000-0x0000000000413400-memory.dmp

Filesize
77KB

Download
memory/2492-301-0x0000000000400000-0x0000000000428200-memory.dmp

Filesize
160KB

Download
memory/2492-303-0x0000000000400000-0x0000000000428200-memory.dmp

Filesize
160KB

Download
memory/2556-367-0x0000000000400000-0x0000000000428200-memory.dmp

Filesize
160KB

Download
memory/2556-364-0x0000000000400000-0x0000000000428200-memory.dmp

Filesize
160KB

Download
memory/2748-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2748-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2932-129-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2932-0-0x0000000013140000-0x0000000013150000-memory.dmp

Filesize
64KB

Download
memory/2932-130-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2932-181-0x0000000013140000-0x0000000013150000-memory.dmp

Filesize
64KB

Download
memory/2932-114-0x0000000013140000-0x0000000013150000-memory.dmp

Filesize
64KB

Download
memory/2932-18-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2932-19-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download