dcrat | cc2615b9b58bae3bec1e43a267354701673e2e0cd58d953ca1a7390c4a31979e

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 02:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
Size

3.2MB
MD5

479209f0c1c29081543bd26f368dab20
SHA1

d798dce47d6bc0b3adf95dbe336fbb96170c391e
SHA256

cc2615b9b58bae3bec1e43a267354701673e2e0cd58d953ca1a7390c4a31979e
SHA512

72c45e595f4c9fc707d83e1f03f7590ee2e2f00409b5e4dec828ca2e567e27e0819af00b6126fc9e12920b3f587a9f5c7ab5f9ee7c0b6f3d5f52b8c7718e841c
SSDEEP

49152:HC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:HC0Fl8v/qXYrv5tG9uKJGAWl5N

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	3248	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	3248	schtasks.exe	84

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4908-1-0x0000000000D80000-0x00000000010BC000-memory.dmp	dcrat
behavioral2/files/0x00070000000233bc-44.dat	dcrat
behavioral2/files/0x000a0000000233e0-87.dat	dcrat
behavioral2/files/0x000a0000000233b1-98.dat	dcrat
behavioral2/files/0x00090000000233b5-109.dat	dcrat
behavioral2/files/0x00090000000233ba-120.dat	dcrat
behavioral2/files/0x00080000000233c6-164.dat	dcrat
behavioral2/files/0x000c0000000233c8-199.dat	dcrat
behavioral2/memory/2928-373-0x0000000000210000-0x000000000054C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2912	powershell.exe
1972	powershell.exe
1084	powershell.exe
552	powershell.exe
2160	powershell.exe
1952	powershell.exe
4840	powershell.exe
3688	powershell.exe
3932	powershell.exe
2816	powershell.exe
3032	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 3 IoCs

pid	Process
2928	sihost.exe
2808	sihost.exe
3120	sihost.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsPowerShell\sihost.exe	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX8AA9.tmp	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX98FC.tmp	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\RuntimeBroker.exe	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\886983d96e3d3e	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX8AA8.tmp	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX997A.tmp	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File created	C:\Program Files\WindowsPowerShell\sihost.exe	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCX96E7.tmp	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCX96E8.tmp	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ea9f0e6c9e2dcd	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File created	C:\Program Files\WindowsPowerShell\66fc9ff0ee96c2	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CbsTemp\Idle.exe	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File created	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\e1ef82546f0b02	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File created	C:\Windows\CbsTemp\Idle.exe	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File created	C:\Windows\CbsTemp\6ccacd8608530f	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\RCX8584.tmp	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\SppExtComObj.exe	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Windows\CbsTemp\RCX9230.tmp	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File created	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\SppExtComObj.exe	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\RCX8602.tmp	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
File opened for modification	C:\Windows\CbsTemp\RCX92AE.tmp	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4756	schtasks.exe
4820	schtasks.exe
3528	schtasks.exe
836	schtasks.exe
4828	schtasks.exe
1708	schtasks.exe
2096	schtasks.exe
5052	schtasks.exe
1900	schtasks.exe
1456	schtasks.exe
2144	schtasks.exe
1804	schtasks.exe
2020	schtasks.exe
2312	schtasks.exe
680	schtasks.exe
4040	schtasks.exe
3660	schtasks.exe
4796	schtasks.exe
1200	schtasks.exe
2532	schtasks.exe
2464	schtasks.exe
1300	schtasks.exe
1792	schtasks.exe
1524	schtasks.exe
3508	schtasks.exe
1236	schtasks.exe
1736	schtasks.exe
2420	schtasks.exe
1964	schtasks.exe
820	schtasks.exe
1288	schtasks.exe
1616	schtasks.exe
5108	schtasks.exe
652	schtasks.exe
4024	schtasks.exe
704	schtasks.exe
4080	schtasks.exe
3996	schtasks.exe
2504	schtasks.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
3932	powershell.exe
3932	powershell.exe
2816	powershell.exe
2816	powershell.exe
2160	powershell.exe
2160	powershell.exe
1972	powershell.exe
1972	powershell.exe
2912	powershell.exe
2912	powershell.exe
3032	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	2928	sihost.exe
Token: SeDebugPrivilege	2808	sihost.exe
Token: SeDebugPrivilege	3120	sihost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 2816	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	124
PID 4908 wrote to memory of 2816	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	124
PID 4908 wrote to memory of 3032	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	125
PID 4908 wrote to memory of 3032	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	125
PID 4908 wrote to memory of 4840	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	126
PID 4908 wrote to memory of 4840	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	126
PID 4908 wrote to memory of 3688	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	127
PID 4908 wrote to memory of 3688	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	127
PID 4908 wrote to memory of 3932	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	128
PID 4908 wrote to memory of 3932	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	128
PID 4908 wrote to memory of 2912	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	129
PID 4908 wrote to memory of 2912	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	129
PID 4908 wrote to memory of 1972	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	130
PID 4908 wrote to memory of 1972	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	130
PID 4908 wrote to memory of 1084	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	131
PID 4908 wrote to memory of 1084	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	131
PID 4908 wrote to memory of 552	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	132
PID 4908 wrote to memory of 552	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	132
PID 4908 wrote to memory of 2160	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	133
PID 4908 wrote to memory of 2160	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	133
PID 4908 wrote to memory of 1952	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	134
PID 4908 wrote to memory of 1952	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	134
PID 4908 wrote to memory of 2928	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	146
PID 4908 wrote to memory of 2928	4908	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe	146
PID 2928 wrote to memory of 800	2928	sihost.exe	147
PID 2928 wrote to memory of 800	2928	sihost.exe	147
PID 2928 wrote to memory of 1648	2928	sihost.exe	148
PID 2928 wrote to memory of 1648	2928	sihost.exe	148
PID 800 wrote to memory of 2808	800	WScript.exe	151
PID 800 wrote to memory of 2808	800	WScript.exe	151
PID 2808 wrote to memory of 4604	2808	sihost.exe	152
PID 2808 wrote to memory of 4604	2808	sihost.exe	152
PID 2808 wrote to memory of 1900	2808	sihost.exe	153
PID 2808 wrote to memory of 1900	2808	sihost.exe	153
PID 4604 wrote to memory of 3120	4604	WScript.exe	155
PID 4604 wrote to memory of 3120	4604	WScript.exe	155
PID 3120 wrote to memory of 3056	3120	sihost.exe	156
PID 3120 wrote to memory of 3056	3120	sihost.exe	156
PID 3120 wrote to memory of 3608	3120	sihost.exe	157
PID 3120 wrote to memory of 3608	3120	sihost.exe	157

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\479209f0c1c29081543bd26f368dab20_NeikiAnalytics.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Program Files\WindowsPowerShell\sihost.exe
  "C:\Program Files\WindowsPowerShell\sihost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2928
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70b96633-ffbd-4b81-96b9-6ca6b6fd7d57.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Program Files\WindowsPowerShell\sihost.exe
      "C:\Program Files\WindowsPowerShell\sihost.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2808
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9024aaa3-43b3-43a3-a28c-97518b646736.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Program Files\WindowsPowerShell\sihost.exe
        
        "C:\Program Files\WindowsPowerShell\sihost.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc5484eb-0f68-4cfb-ad44-e617f019c317.vbs"
        7⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2d2ad4c-b480-4213-9cb4-6dd8989a5ec1.vbs"
        7⤵
        
        PID:3608
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d0d661b-e45b-492c-8816-1ce8d8f4de44.vbs"
        5⤵
        
        PID:1900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25f6d89e-27aa-4c99-a721-1ac51dc8db2b.vbs"
    3⤵
    PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\CbsTemp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\CbsTemp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsPowerShell\sihost.exe

Filesize
3.2MB

MD5
87ca1359e5ba73c453f7fe161086ec33

SHA1
6df65d42fbe782e7fc9201a3800e969334808e8b

SHA256
ee1156aae26c132f6823f4382bb64f3f9c4b2d1507f539b9e91e8bcfeac4b093

SHA512
3647d20cd312560863694aefc1d33b097fe4069eebd3c78a8a2f6ae9551b147afa55f860fc3a981c85fc093dbc946f7249cd153f7dded0873925cdfafd7a5461

Download Submit
C:\Recovery\WindowsRE\Registry.exe

Filesize
3.2MB

MD5
479209f0c1c29081543bd26f368dab20

SHA1
d798dce47d6bc0b3adf95dbe336fbb96170c391e

SHA256
cc2615b9b58bae3bec1e43a267354701673e2e0cd58d953ca1a7390c4a31979e

SHA512
72c45e595f4c9fc707d83e1f03f7590ee2e2f00409b5e4dec828ca2e567e27e0819af00b6126fc9e12920b3f587a9f5c7ab5f9ee7c0b6f3d5f52b8c7718e841c

Download Submit
C:\Recovery\WindowsRE\Registry.exe

Filesize
3.2MB

MD5
f749ae89bf44287b2058612d67564a7b

SHA1
227da6cc2de414b822c9d3c1a1c6840be2ed96d8

SHA256
c442a6fe432f33c35de29dedf4fa3b5014485e030790d340ec8adeba2f06465e

SHA512
63472fb8837b6265aefbebdb06e7463ad161c8ad26da5f85f1d47a1710f01fd2590397c926e66262d3ad4c817927149cb7fa5bb57359a2449fc8ec05087cfbab

Download Submit
C:\Recovery\WindowsRE\System.exe

Filesize
3.2MB

MD5
b37193d8aeaa7eac23a09b89c385a780

SHA1
9f680334cf68f8d6cf3710cce845090d7062201f

SHA256
e3db7aba4fbc3ae600fae764486aad3fbbf762d5524a5c2c882749739ee842e1

SHA512
3fa6e899a460c8064e14997ff14ce7af03c02e3011cc2c161f537a0106091c4102869060d85dfd5fd86e15927e2da144aec9e8c885b68decd66d982f14285109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\25f6d89e-27aa-4c99-a721-1ac51dc8db2b.vbs

Filesize
497B

MD5
e02eb9ee3b6c54001e0233441ed4fec3

SHA1
47bbefe510f07d7601e93f43fb0ca8d9c9cecb62

SHA256
1b4a39a0438c3a9ca6d41a12afbf8605a3a8b10e5dabcabdf59980894011cc99

SHA512
802e473dbbe698fe9d5b0c390353ecc350c020494a36828beb763d1c3dd4bfd540d90cf34d48b46e4bae721d19309382d7774806e89ab1d3e3d5703e813ddd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\70b96633-ffbd-4b81-96b9-6ca6b6fd7d57.vbs

Filesize
721B

MD5
906da7f9c3fd7e9439eaa23792ffcd41

SHA1
ba7ef92efd469ee8b235fc035728e68acdd644bb

SHA256
25b92f5276a2fc57d4899668790c76a3960d222cd0e68ea61130afe04a0de857

SHA512
2b6305de73b9f472b542114885de96511bc0d729146d007f2d3123273ec5bbf574897d233c94d1941dacc52c35b09ce5d3ecb1eb6e38e36c78ba0a0ce91a55e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9024aaa3-43b3-43a3-a28c-97518b646736.vbs

Filesize
721B

MD5
5924946ebc71b20de0ce7baf617cdce1

SHA1
2fa432b460c1336bd84878cfccfffa830f877efa

SHA256
baef029dda046c20f98a279d98b5068eac632dcb2143e63b83a19196149a24c4

SHA512
d5ea029e63cd96e438e996776b6c6d9cce83ce0aa5d217cc023c6b0cf918a3ae2238988bf874fe300f7b1d89e7c3621a1741b41bf7cb2a261bfb1194fd79dc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lqn01iac.zgo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc5484eb-0f68-4cfb-ad44-e617f019c317.vbs

Filesize
721B

MD5
c2e4c6c7efeab608d0d4a4ef6a0e88e1

SHA1
0ed8ae5b6a5f440f3c3d0bb13230b9d9d5a34c45

SHA256
f2f2892e5267d6bfcd4fc12e1b07a2eb980201ec6c1e2374a47867d5e05c69f5

SHA512
2dc47c712d0883eff3eef5b811d3efd3ad21c9c9db5f839fb309db6d7833ecb84c47074b9709934ca21a7e8dc6e89ae6d6bc274ff68ae4c5194c53c9a33e9b4a

Download Submit
C:\Users\Default\Links\RuntimeBroker.exe

Filesize
3.2MB

MD5
d7681a18c3b428c54cc9ffd09588d2c5

SHA1
1b289445e270bc0d19a3a98e1d597ac8b9e624c7

SHA256
595c3d7fc8d79e4636f8589bd3297e90531187099232397e23650bcc270f7a5c

SHA512
6fbbe79a7446231f7d11a0eec9c9b415504ede35a7c1dd0faf613078d3fd6fabe400421cd7ae504265de6c688c3573626ec646c4dd1d3b131ee8dced5f01c747

Download Submit
C:\Windows\CbsTemp\Idle.exe

Filesize
3.2MB

MD5
a2e0080a67bc0af6e6fdc38110d35466

SHA1
0710859795e920e38e295acc51bfbd4f401ff7f3

SHA256
d805394d4c38962eeda4dc100e35d57305001b0c3e4d7e86b910a76a615890ad

SHA512
427df49e4c7055bf38c92caa42cbe45594d78f50228005c42c9d86b638ead8cf0e02374be5a0a69b6abf2a0ba08097c6ddf2beb52361535797d29a31fa15ab29

Download Submit
C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\SppExtComObj.exe

Filesize
3.2MB

MD5
12406b330285c7d30bca43c121af9394

SHA1
9d325270a5f60ff04dcf1cf7237eed67d11439b6

SHA256
960318677e2d3edd883adae262b2addaefdff5b9b5e373f81f8816aee1364d9b

SHA512
9e8d6faf5a01c0d2916dea949d43bcbdaa01205f011507029549335d3e8cc12e5ec0a7d8e14d9783333b47a7d76c1cc04aeb5bc5b3e33caf1b246a8fb14b82b5

Download Submit
memory/2928-373-0x0000000000210000-0x000000000054C000-memory.dmp

Filesize
3.2MB

Download
memory/3120-421-0x000000001B360000-0x000000001B372000-memory.dmp

Filesize
72KB

Download
memory/3688-271-0x0000017FF69D0000-0x0000017FF69F2000-memory.dmp

Filesize
136KB

Download
memory/4908-14-0x000000001C3D0000-0x000000001C426000-memory.dmp

Filesize
344KB

Download
memory/4908-17-0x000000001C440000-0x000000001C44C000-memory.dmp

Filesize
48KB

Download
memory/4908-24-0x000000001C4C0000-0x000000001C4CC000-memory.dmp

Filesize
48KB

Download
memory/4908-25-0x000000001C750000-0x000000001C758000-memory.dmp

Filesize
32KB

Download
memory/4908-26-0x000000001C4D0000-0x000000001C4DA000-memory.dmp

Filesize
40KB

Download
memory/4908-31-0x000000001C730000-0x000000001C738000-memory.dmp

Filesize
32KB

Download
memory/4908-33-0x000000001C760000-0x000000001C76C000-memory.dmp

Filesize
48KB

Download
memory/4908-32-0x000000001C740000-0x000000001C74A000-memory.dmp

Filesize
40KB

Download
memory/4908-30-0x000000001C720000-0x000000001C72C000-memory.dmp

Filesize
48KB

Download
memory/4908-29-0x000000001C710000-0x000000001C71E000-memory.dmp

Filesize
56KB

Download
memory/4908-28-0x000000001C700000-0x000000001C708000-memory.dmp

Filesize
32KB

Download
memory/4908-27-0x000000001C6F0000-0x000000001C6FE000-memory.dmp

Filesize
56KB

Download
memory/4908-36-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp

Filesize
10.8MB

Download
memory/4908-37-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp

Filesize
10.8MB

Download
memory/4908-22-0x000000001C4A0000-0x000000001C4AC000-memory.dmp

Filesize
48KB

Download
memory/4908-21-0x000000001C490000-0x000000001C49C000-memory.dmp

Filesize
48KB

Download
memory/4908-20-0x000000001CA20000-0x000000001CF48000-memory.dmp

Filesize
5.2MB

Download
memory/4908-19-0x000000001C460000-0x000000001C472000-memory.dmp

Filesize
72KB

Download
memory/4908-18-0x000000001C450000-0x000000001C458000-memory.dmp

Filesize
32KB

Download
memory/4908-23-0x000000001C4B0000-0x000000001C4BC000-memory.dmp

Filesize
48KB

Download
memory/4908-16-0x000000001C430000-0x000000001C438000-memory.dmp

Filesize
32KB

Download
memory/4908-15-0x000000001C420000-0x000000001C42C000-memory.dmp

Filesize
48KB

Download
memory/4908-0-0x00007FF800FD3000-0x00007FF800FD5000-memory.dmp

Filesize
8KB

Download
memory/4908-13-0x000000001BCB0000-0x000000001BCBA000-memory.dmp

Filesize
40KB

Download
memory/4908-374-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp

Filesize
10.8MB

Download
memory/4908-9-0x000000001BC20000-0x000000001BC30000-memory.dmp

Filesize
64KB

Download
memory/4908-12-0x000000001C4E0000-0x000000001C4F0000-memory.dmp

Filesize
64KB

Download
memory/4908-11-0x000000001BC50000-0x000000001BC58000-memory.dmp

Filesize
32KB

Download
memory/4908-10-0x000000001BC30000-0x000000001BC46000-memory.dmp

Filesize
88KB

Download
memory/4908-8-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/4908-7-0x000000001BC60000-0x000000001BCB0000-memory.dmp

Filesize
320KB

Download
memory/4908-6-0x000000001BBF0000-0x000000001BC0C000-memory.dmp

Filesize
112KB

Download
memory/4908-5-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

Filesize
32KB

Download
memory/4908-4-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

Filesize
56KB

Download
memory/4908-3-0x0000000003040000-0x000000000304E000-memory.dmp

Filesize
56KB

Download
memory/4908-2-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp

Filesize
10.8MB

Download
memory/4908-1-0x0000000000D80000-0x00000000010BC000-memory.dmp

Filesize
3.2MB

Download