Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 02:40
Behavioral task behavioral1
Sample: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
The signatures, process tree and memory dumps below (paths prefixed behavioral2/) are from the behavioral2 run on win10v2004-20240508-en.
General
Target: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
Size: 952KB
MD5: 5c8aee7bbd1b09e31178be12bc847c30
SHA1: 5cc34074f6c74cb0cbb3d282e9360a2d2eace451
SHA256: e97d9651c1df50e5eb6847b6dde990e9fab3504c245557b61df65215df6de176
SHA512: 199f60f46d89bf3aadac7e2c67dbcdae716e3644b2db0c67e340cd55b47c78a1683acf27021850755d5ab66ee6850d3eba425e369604413b9897eb01f176ec2b
SSDEEP: 24576:W+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:x8/KfRTK
Malware Config
Signatures
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
Modifies WinLogon for persistence 2 TTPs 6 IoCs
Process: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, six times. Winlogon reads this value as a comma-separated list of programs to launch as the user's shell, so every path placed after explorer.exe is started at each interactive logon without the user noticing a missing desktop. The final value is:
explorer.exe, "C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe", "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\OfficeClickToRun.exe", "C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe", "C:\Program Files\Windows Multimedia Platform\services.exe", "C:\Windows\System32\wkssvc\winlogon.exe", "C:\Recovery\WindowsRE\dllhost.exe"
The other five writes are prefixes of this value: explorer.exe followed by the first one, two, three, four and five dropped paths respectively, i.e. the sample rewrites the whole value each time it appends one more dropped executable.
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the WMI provider host, which is consistent with the sample requesting the process creation over WMI (for example Win32_Process.Create) rather than spawning schtasks.exe directly: wmiprvse.exe then appears as the parent instead of the sample, and the six schtasks.exe processes sit at the top level of the process tree below.
Processes (child PID, child image, parent PID, parent image):
- 4200 schtasks.exe, parent 2092 C:\Windows\system32\wbem\wmiprvse.exe
- 4956 schtasks.exe, parent 2092 C:\Windows\system32\wbem\wmiprvse.exe
- 4324 schtasks.exe, parent 2092 C:\Windows\system32\wbem\wmiprvse.exe
- 4484 schtasks.exe, parent 2092 C:\Windows\system32\wbem\wmiprvse.exe
- 4260 schtasks.exe, parent 2092 C:\Windows\system32\wbem\wmiprvse.exe
- 2696 schtasks.exe, parent 2092 C:\Windows\system32\wbem\wmiprvse.exe
UAC bypass 6 IoCs
Processes: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe, winlogon.exe
Both the original sample and the dropped winlogon.exe set the same three values (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
- EnableLUA = 0: turns UAC off entirely; this one only takes effect after the next reboot
- ConsentPromptBehaviorAdmin = 0: administrators are elevated without any prompt
- PromptOnSecureDesktop = 0: any prompt that does still appear is drawn on the normal desktop, where other processes can interact with it
Writing these values already requires an elevated token, so in this run the sample was not bypassing UAC for itself; it was disabling UAC for the machine so the dropped copies can elevate silently later.
YARA rule matches: dcrat 6 matches
- behavioral2/memory/1624-0-0x0000000000730000-0x0000000000824000-memory.dmp (PID 1624, the original sample)
- C:\Windows\System32\wkssvc\winlogon.exe (listed twice)
- C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe
- C:\Program Files\Windows Multimedia Platform\services.exe
- behavioral2/memory/3396-108-0x00000000009D0000-0x0000000000AC4000-memory.dmp (PID 3396, the dropped winlogon.exe)
Both memory regions are the same size (0xF4000 bytes), consistent with the dropped winlogon.exe being a copy of the sample; the Downloads list at the end of the report includes a 952KB file with the submitted sample's own hashes.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence.
Process: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 1 IoCs
- winlogon.exe, PID 3396 (C:\Windows\System32\wkssvc\winlogon.exe)
Adds Run key to start application 2 TTPs 12 IoCs
Process: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
Six Run values are written twice each (Set value (str)): once under the user hive, \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and once under the machine hive, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
- RuntimeBroker = "C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe"
- OfficeClickToRun = "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\OfficeClickToRun.exe"
- Idle = "C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe"
- services = "C:\Program Files\Windows Multimedia Platform\services.exe"
- winlogon = "C:\Windows\System32\wkssvc\winlogon.exe"
- dllhost = "C:\Recovery\WindowsRE\dllhost.exe"
The value names and file names borrow Windows and Office process names (RuntimeBroker, services, winlogon, dllhost, OfficeClickToRun), but every path is a subdirectory or location where the genuine binary does not live; the real winlogon.exe, services.exe, dllhost.exe and RuntimeBroker.exe sit directly in C:\Windows\System32.
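The Winlogon\Shell and Run-key values above share one tell: each path carries the file name of a Windows or Office binary but lives outside that binary's real directory. The Python below is an added example written for this page, not code from the sandbox or from DcRat. It splits a Winlogon Shell value the way Winlogon does (comma-separated entries, double-quoted when they contain spaces), flags every entry other than explorer.exe, and applies the same location check to Run-key values. SAMPLE_SHELL_VALUE and SAMPLE_RUN_VALUES are copied from the report; EXPECTED_DIR, the assumed legitimate directory for each image name, is this example's own allowlist and not something the report states.

```python
"""Triage of the Winlogon\\Shell and Run-key paths written by this sample.

Added example; this is not code from the sandbox report or from DcRat.  The
Shell value and Run values are copied from the report.  EXPECTED_DIR is this
example's own allowlist of where the genuine binaries of those names live.
"""
from __future__ import annotations

import csv
import ntpath

# Final Winlogon\Shell value from the report (registry escaping removed).
SAMPLE_SHELL_VALUE = (
    'explorer.exe, "C:\\Windows\\System32\\CourtesyEngine\\RuntimeBroker.exe", '
    '"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\'
    'api-ms-win-crt-math-l1-1-0\\OfficeClickToRun.exe", '
    '"C:\\Program Files (x86)\\Windows Multimedia Platform\\Idle.exe", '
    '"C:\\Program Files\\Windows Multimedia Platform\\services.exe", '
    '"C:\\Windows\\System32\\wkssvc\\winlogon.exe", '
    '"C:\\Recovery\\WindowsRE\\dllhost.exe"'
)

# Four of the Run values from the report (value name -> data, quotes as written).
SAMPLE_RUN_VALUES = {
    "RuntimeBroker": r'"C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe"',
    "winlogon": r'"C:\Windows\System32\wkssvc\winlogon.exe"',
    "dllhost": r'"C:\Recovery\WindowsRE\dllhost.exe"',
    "Idle": r'"C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe"',
}

# Assumed legitimate parent directory for each well-known image name.
# A production check would also accept the SysWOW64 copies where they exist.
EXPECTED_DIR = {
    "explorer.exe": r"C:\Windows",
    "runtimebroker.exe": r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "services.exe": r"C:\Windows\System32",
    "dllhost.exe": r"C:\Windows\System32",
    "officeclicktorun.exe": r"C:\Program Files\Common Files\microsoft shared\ClickToRun",
}


def parse_shell_value(value: str) -> list[str]:
    """Split a Winlogon Shell value into its program entries.

    Winlogon treats the value as a comma-separated list; an entry whose path
    contains spaces is wrapped in double quotes.  csv implements exactly that
    quoting and, with no escapechar configured, leaves the backslashes alone.
    """
    rows = list(csv.reader([value], skipinitialspace=True))
    return [e.strip() for e in rows[0] if e.strip()] if rows else []


def masquerade_reason(path: str) -> str | None:
    """Explain why `path` impersonates a known binary, or None if it does not."""
    name = ntpath.basename(path).lower()
    expected = EXPECTED_DIR.get(name)
    actual = ntpath.dirname(path)
    if expected is None or not actual:
        return None  # unknown name, or a bare name that Winlogon resolves itself
    if actual.lower() != expected.lower():
        return f"{name} expected under {expected}, found under {actual}"
    return None


def unexpected_shell_entries(value: str) -> list[tuple[str, str]]:
    """Return (entry, reason) for every Shell entry other than the default shell.

    A clean host has exactly one entry, explorer.exe, so anything else is a
    logon-time autostart whether or not it also borrows a system binary's name.
    """
    findings = []
    for entry in parse_shell_value(value):
        if entry.lower() in ("explorer.exe", r"c:\windows\explorer.exe"):
            continue
        findings.append((entry, masquerade_reason(entry) or "additional shell program"))
    return findings


def check_run_key_paths(values: dict[str, str]) -> list[tuple[str, str, str]]:
    """Apply the same location check to Run-key values ({value name: command})."""
    out = []
    for name, command in values.items():
        reason = masquerade_reason(command.strip('"'))
        if reason:
            out.append((name, command, reason))
    return out


if __name__ == "__main__":
    for entry, reason in unexpected_shell_entries(SAMPLE_SHELL_VALUE):
        print(f"{entry}\n    -> {reason}")
    for name, command, reason in check_run_key_paths(SAMPLE_RUN_VALUES):
        print(f"Run\\{name} = {command}\n    -> {reason}")
```

On the report's data this yields six Shell findings (five location mismatches plus Idle.exe, which matches no known name and is reported only as an extra shell program) and three Run-key findings. Idle.exe slipping past the location check is the expected limitation of an allowlist keyed on file name: the Shell check still catches it because nothing but explorer.exe belongs there at all.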
Checks whether UAC is enabled 4 IoCs
Processes: winlogon.exe, 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
Both processes first query \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA and then set it to 0 (int).
Drops file in System32 directory 10 IoCs
Process: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
File created:
- C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe
- C:\Windows\System32\CourtesyEngine\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d
- C:\Windows\System32\wkssvc\winlogon.exe
- C:\Windows\System32\wkssvc\cc11b995f2a76da408ea6a601e682e64743153ad
File opened for modification:
- C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe
- C:\Windows\System32\CourtesyEngine\RCX4C6C.tmp
- C:\Windows\System32\CourtesyEngine\RCX4CDB.tmp
- C:\Windows\System32\wkssvc\winlogon.exe
- C:\Windows\System32\wkssvc\RCX55CB.tmp
- C:\Windows\System32\wkssvc\RCX5639.tmp
Each drop directory receives the executable, a companion file whose name is 40 hexadecimal characters, and transient RCX*.tmp files. Creating directories beneath System32 requires an elevated token, so the sample was already running as an administrator in this run.
Drops file in Program Files directory 15 IoCs
Process: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
File created:
- C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\OfficeClickToRun.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\e6c9b481da804f07baff8eff543b0a1441069b5d
- C:\Program Files\Windows Multimedia Platform\services.exe
- C:\Program Files\Windows Multimedia Platform\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d
- C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe
- C:\Program Files (x86)\Windows Multimedia Platform\6ccacd8608530fba3a93e87ae2225c7032aa18c1
File opened for modification:
- C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\OfficeClickToRun.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\RCX4EDF.tmp
- C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\RCX4EE0.tmp
- C:\Program Files\Windows Multimedia Platform\services.exe
- C:\Program Files\Windows Multimedia Platform\RCX5358.tmp
- C:\Program Files\Windows Multimedia Platform\RCX53C6.tmp
- C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe
- C:\Program Files (x86)\Windows Multimedia Platform\RCX50E5.tmp
- C:\Program Files (x86)\Windows Multimedia Platform\RCX50E6.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, PIDs 4200, 4956, 4324, 4484, 4260, 2696 (the full command lines are in the process tree below).
Modifies registry class 1 IoCs
Process: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
- Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses 5 IoCs
Process: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe, PID 1624 (five enumerations)
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, PID 1624 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
- Token: SeDebugPrivilege, PID 3396 winlogon.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe, cmd.exe
- PID 1624 (5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe) wrote to memory of 3308 (cmd.exe), twice
- PID 3308 (cmd.exe) wrote to memory of 2312 (w32tm.exe), twice
- PID 3308 (cmd.exe) wrote to memory of 3396 (winlogon.exe), twice
Each pair is a parent writing into the child it has just created (the same parent/child relationships appear in the process tree), not an injection into an unrelated process.
System policy modification 1 TTPs 6 IoCs
Processes: 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe, winlogon.exe
The same six writes recorded under UAC bypass: each process sets EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0 (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe (PID 1624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe"
  Signatures: Modifies WinLogon for persistence; UAC bypass; Checks computer location settings; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\System32\cmd.exe (PID 3308)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vM0j4Io8uK.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\w32tm.exe (PID 2312)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      (a common batch-file substitute for sleep: the time-sync stripchart blocks for a few seconds before the next line of the .bat runs)
    - C:\Windows\System32\wkssvc\winlogon.exe (PID 3396)
      Command line: "C:\Windows\System32\wkssvc\winlogon.exe"
      Signatures: UAC bypass; Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken; System policy modification
- C:\Windows\system32\schtasks.exe (PID 4200; parent wmiprvse.exe, PID 2092)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4956; parent wmiprvse.exe, PID 2092)
  Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\OfficeClickToRun.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4324; parent wmiprvse.exe, PID 2092)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4484; parent wmiprvse.exe, PID 2092)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4260; parent wmiprvse.exe, PID 2092)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\wkssvc\winlogon.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2696; parent wmiprvse.exe, PID 2092)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  Signatures: Process spawned unexpected child process; Creates scheduled task(s)
Every task uses the same pattern: an ONLOGON trigger, /rl HIGHEST so the task runs with the full administrator token (no UAC prompt once the policy values above are in place), /f to overwrite any existing task of that name, and a task name that matches the dropped file name rather than anything the real Windows component registers.
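The six schtasks.exe invocations in the tree share one shape: /sc ONLOGON, /rl HIGHEST, /f, a task name copied from a Windows or Office process, and wmiprvse.exe as the parent. The Python below is an added example written for this page, not code from the sandbox or from DcRat. It parses a schtasks /create command line into its fields and scores each event against those traits, so the same logic can be pointed at process-creation telemetry from a live host. The command lines, PIDs and parent image in SAMPLE_EVENTS are copied from the report; SYSTEM_PROCESS_NAMES, AUTOSTART_TRIGGERS and the scoring rules are this example's own assumptions. Calling triage(SAMPLE_EVENTS) returns one (pid, TaskCreate, reasons) tuple per event.

```python
"""Parse the six schtasks.exe command lines from this report and score them.

Added example; not code from the sandbox report or from DcRat.  SAMPLE_EVENTS
is copied from the report's process tree (PID, parent image, command line).
The scoring rules and SYSTEM_PROCESS_NAMES are this example's own assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"  # parent (PID 2092) of all six
# Constructed from the report: (pid, parent image, command line).
SAMPLE_EVENTS = [
    (4200, WMIPRVSE, r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe'" /rl HIGHEST /f'''),
    (4956, WMIPRVSE, r'''schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\OfficeClickToRun.exe'" /rl HIGHEST /f'''),
    (4324, WMIPRVSE, r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f'''),
    (4484, WMIPRVSE, r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f'''),
    (4260, WMIPRVSE, r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\wkssvc\winlogon.exe'" /rl HIGHEST /f'''),
    (2696, WMIPRVSE, r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f'''),
]
# Task names that borrow a Windows or Office process name (example allowlist).
SYSTEM_PROCESS_NAMES = {"runtimebroker", "services", "winlogon", "dllhost", "officeclicktorun"}
AUTOSTART_TRIGGERS = {"ONLOGON", "ONSTART"}


@dataclass
class TaskCreate:
    name: str
    schedule: str
    run_level: str
    action: str
    force: bool


def split_cmdline(cmd: str) -> list[str]:
    """Split on whitespace, keeping double-quoted spans together (quotes dropped).
    Deliberately minimal: these schtasks lines contain no escaped quotes."""
    tokens, cur, quoted = [], [], False
    for ch in cmd:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks_create(cmd: str) -> TaskCreate | None:
    """Return the /create parameters of a schtasks command line, else None."""
    tokens = split_cmdline(cmd)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts: dict[str, str | None] = {}
    i = 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            # A switch takes the next token as its value unless that token is
            # itself a switch or the line ends (as with /create and /f).
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 1
            else:
                opts[key] = None
        i += 1
    if "create" not in opts:
        return None
    return TaskCreate(
        name=opts.get("tn") or "",
        schedule=(opts.get("sc") or "").upper(),
        run_level=(opts.get("rl") or "LIMITED").upper(),  # LIMITED is the schtasks default
        action=(opts.get("tr") or "").strip("'"),        # the sample wraps paths in ''
        force="f" in opts,
    )


def suspicion(parent_image: str, task: TaskCreate) -> list[str]:
    """Reasons this task creation looks like malware persistence."""
    reasons = []
    if ntpath.basename(parent_image).lower() == "wmiprvse.exe":
        reasons.append("parent is wmiprvse.exe: creation was requested over WMI, not by the visible process")
    if task.schedule in AUTOSTART_TRIGGERS and task.run_level == "HIGHEST":
        reasons.append(f"runs elevated ({task.run_level}) on {task.schedule}")
    if task.force:
        reasons.append("/f silently replaces any existing task of that name")
    if task.name.lower() in SYSTEM_PROCESS_NAMES:
        reasons.append(f"task name {task.name!r} borrows a Windows/Office process name")
    return reasons


def triage(events) -> list[tuple[int, TaskCreate, list[str]]]:
    """Parse and score (pid, parent image, cmdline) events; non-schtasks rows are skipped."""
    out = []
    for pid, parent, cmdline in events:
        task = parse_schtasks_create(cmdline)
        if task is not None:
            out.append((pid, task, suspicion(parent, task)))
    return out
```

Five of the six events collect all four reasons; the "Idle" task collects three, because Idle is not a binary name in SYSTEM_PROCESS_NAMES. A benign /create with a daily trigger, default run level and no /f from an interactive parent collects none, which is the baseline a detection rule built on these traits should be checked against before deployment.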
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Scheduled Task/Job (T1053): 1
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Scheduled Task/Job (T1053): 1
Downloads
- Filesize: 952KB
  MD5: abbd2e2a8e9e0261a691954549ae61f6
  SHA1: 83356ed1b70c648a572021c64b3886f159a5c372
  SHA256: 471d881f51a97441cf1e2c6b7eadef7b7f6529f39b21727063e6d251bfebdac2
  SHA512: 5ee1947cc142647cca1530b9f32eefe83fcdffa383c68abcd5509f2f35c5e561479a2db9722ebaaa805c346c8fc7e64d9dc92a8bc65119d51ed482ffb14f9cbe
- Filesize: 203B
  MD5: a18b9913edabe9e46862fbc4cfb905da
  SHA1: 223c385ab83c5532cb5e0c4b47688802e91d8bd1
  SHA256: 6c11edd23a73a838900925a7c13cc91b65cbb29d5e462fd11baf529983b8a5d1
  SHA512: 69cd45ad5d89d98f49ef91d12900a6cb41a79a7f7bd07add7d405378c8b20b3e1d219524ad83dae7ae68dc312b2dcf11a911a8c2e51f0c235efd782a216e9284
- Filesize: 952KB
  MD5: d8729f973371760712beda1965bf0520
  SHA1: 8f1855c5f8ac1febe24f6af3da2b7d6ac4817670
  SHA256: 871cfcee83562d01ae83a617737d99f8c72d8b8894d45f914bb230c952175557
  SHA512: 9190c2e5933ad9a5af8264ef110560b0ebe6e9ba091a76555afec811c980fb2dc6649902e4b4bf909c676654b1b0fdd06b28535395c5c4bcc02109a4986ad57f
- Filesize: 952KB (identical to the submitted sample)
  MD5: 5c8aee7bbd1b09e31178be12bc847c30
  SHA1: 5cc34074f6c74cb0cbb3d282e9360a2d2eace451
  SHA256: e97d9651c1df50e5eb6847b6dde990e9fab3504c245557b61df65215df6de176
  SHA512: 199f60f46d89bf3aadac7e2c67dbcdae716e3644b2db0c67e340cd55b47c78a1683acf27021850755d5ab66ee6850d3eba425e369604413b9897eb01f176ec2b
- Filesize: 952KB
  MD5: 69281edf3c1d6fd7af854b470c68e4dd
  SHA1: d9d55602bc3e1dbebc4ebe1b0bd28935729f7ed3
  SHA256: d8cc455a42e5f056431b1db5582d0452983a67ebdadce42f3c05feb3d7b32421
  SHA512: 51883a5bdf9f334642491ee1e14adbe8de6384365536ae015582df9d644fcd29f3a11864287f373927f89211d67fa45cb4c90870fc6a6f01ba19e290f902b5e1