Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 19:23

Behavioral task: behavioral1
Sample: 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
Size: 3.2MB
MD5: 1553f67a0859a3057cde01f77db9dbc0
SHA1: 2cfe40d1fea16093e16c96a35f3240b98da9a5e1
SHA256: a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
SHA512: 4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5
SSDEEP: 49152:vC0Fl8v/911bwaEYpdYUVsk3DZGAy55kBsfJGAW6KyWUcPmWQpE:vC0Fl8v/qXYrv5tG9uKJGAWl5N
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2712
target process: schtasks.exe
pid (one entry per spawned schtasks.exe): 2456, 2404, 2460, 3024, 2832, 664, 2364, 680, 892, 1712, 1860, 916, 2468, 2604, 2708, 1788, 1876, 1996, 1808, 2216, 1812, 1972, 2212, 2204, 1432, 1920, 2928, 1820, 2776, 1496, 2072, 2972, 2016, 2132, 1784, 1848, 1620, 1584, 1348, 1632, 1628, 820
UAC bypass
Processes:
| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe |
Resources matching the dcrat yara rule:
| resource | yara_rule |
|---|---|
| behavioral1/memory/2380-1-0x0000000000C20000-0x0000000000F5C000-memory.dmp | dcrat |
| C:\Users\Default\Downloads\dwm.exe | dcrat |
| C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe | dcrat |
| C:\Windows\LiveKernelReports\lsass.exe | dcrat |
| behavioral1/memory/2612-279-0x0000000001370000-0x00000000016AC000-memory.dmp | dcrat |
| behavioral1/memory/2740-302-0x0000000000040000-0x000000000037C000-memory.dmp | dcrat |
| behavioral1/memory/2256-314-0x0000000001000000-0x000000000133C000-memory.dmp | dcrat |
| behavioral1/memory/2496-326-0x0000000001220000-0x000000000155C000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
process: powershell.exe
pid: 940, 1860, 844, 2236, 2028, 664, 2728, 932, 1048, 764, 1592, 1560
Executes dropped EXE 5 IoCs
Processes:
process: sppsvc.exe
pid: 2612, 2180, 2740, 2256, 2496
Checks whether UAC is enabled
Processes:
| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sppsvc.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
Drops file in Program Files directory 10 IoCs
Processes:
process: 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
| description | ioc |
|---|---|
| File created | C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe |
| File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\RCXB01F.tmp |
| File opened for modification | C:\Program Files (x86)\Google\Update\services.exe |
| File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\RCXB030.tmp |
| File opened for modification | C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe |
| File created | C:\Program Files (x86)\Google\Update\services.exe |
| File created | C:\Program Files (x86)\Google\Update\c5b4cb5e9653cc |
| File created | C:\Program Files (x86)\Windows Mail\en-US\f3b6ecef712a24 |
| File opened for modification | C:\Program Files (x86)\Google\Update\RCXA8BA.tmp |
| File opened for modification | C:\Program Files (x86)\Google\Update\RCXA8DA.tmp |
Drops file in Windows directory 15 IoCs
Processes:
process: 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
| description | ioc |
|---|---|
| File created | C:\Windows\LiveKernelReports\lsass.exe |
| File opened for modification | C:\Windows\debug\WIA\RCXB92B.tmp |
| File created | C:\Windows\ShellNew\886983d96e3d3e |
| File created | C:\Windows\debug\WIA\smss.exe |
| File opened for modification | C:\Windows\LiveKernelReports\RCXAB8A.tmp |
| File opened for modification | C:\Windows\LiveKernelReports\lsass.exe |
| File created | C:\Windows\LiveKernelReports\6203df4a6bafc7 |
| File opened for modification | C:\Windows\LiveKernelReports\RCXAB0D.tmp |
| File opened for modification | C:\Windows\ShellNew\RCXB707.tmp |
| File opened for modification | C:\Windows\debug\WIA\RCXB91B.tmp |
| File created | C:\Windows\ShellNew\csrss.exe |
| File created | C:\Windows\debug\WIA\69ddcba757bf72 |
| File opened for modification | C:\Windows\ShellNew\RCXB6F7.tmp |
| File opened for modification | C:\Windows\ShellNew\csrss.exe |
| File opened for modification | C:\Windows\debug\WIA\smss.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
process: schtasks.exe
pid (one entry per scheduled-task creation): 1784, 3024, 1712, 2928, 1808, 1584, 2404, 680, 2708, 2204, 1820, 2776, 1632, 2832, 892, 1972, 2212, 1432, 1920, 2972, 1848, 1860, 916, 1876, 2216, 2072, 2016, 2132, 1348, 2364, 2604, 1788, 1496, 1628, 820, 2456, 2460, 2468, 1620, 664, 1996, 1812
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
process: sppsvc.exe
pid: 2612
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
| pid | process |
|---|---|
| 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe (this row is repeated 63 times in the report, one per IoC) |
| 664 | powershell.exe |
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
description: Token: SeDebugPrivilege
| pid | process |
|---|---|
| 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe |
| 664 | powershell.exe |
| 1048 | powershell.exe |
| 932 | powershell.exe |
| 764 | powershell.exe |
| 2028 | powershell.exe |
| 2728 | powershell.exe |
| 2236 | powershell.exe |
| 940 | powershell.exe |
| 844 | powershell.exe |
| 1860 | powershell.exe |
| 1560 | powershell.exe |
| 1592 | powershell.exe |
| 2612 | sppsvc.exe |
| 2180 | sppsvc.exe |
| 2740 | sppsvc.exe |
| 2256 | sppsvc.exe |
| 2496 | sppsvc.exe |
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 2380 wrote to memory of 932 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 932 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 932 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1048 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1048 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1048 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 764 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 764 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 764 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 664 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 664 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 664 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 2028 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 2028 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 2028 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 2236 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 2236 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 2236 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 844 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 844 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 844 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 2728 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 2728 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 2728 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 940 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 940 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 940 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1860 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1860 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1860 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1592 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1592 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1592 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1560 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1560 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1560 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | powershell.exe |
| PID 2380 wrote to memory of 1792 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | cmd.exe |
| PID 2380 wrote to memory of 1792 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | cmd.exe |
| PID 2380 wrote to memory of 1792 | 2380 | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe | cmd.exe |
| PID 1792 wrote to memory of 2112 | 1792 | cmd.exe | w32tm.exe |
| PID 1792 wrote to memory of 2112 | 1792 | cmd.exe | w32tm.exe |
| PID 1792 wrote to memory of 2112 | 1792 | cmd.exe | w32tm.exe |
| PID 1792 wrote to memory of 2612 | 1792 | cmd.exe | sppsvc.exe |
| PID 1792 wrote to memory of 2612 | 1792 | cmd.exe | sppsvc.exe |
| PID 1792 wrote to memory of 2612 | 1792 | cmd.exe | sppsvc.exe |
| PID 1792 wrote to memory of 2612 | 1792 | cmd.exe | sppsvc.exe |
| PID 1792 wrote to memory of 2612 | 1792 | cmd.exe | sppsvc.exe |
| PID 2612 wrote to memory of 1956 | 2612 | sppsvc.exe | WScript.exe |
| PID 2612 wrote to memory of 1956 | 2612 | sppsvc.exe | WScript.exe |
| PID 2612 wrote to memory of 1956 | 2612 | sppsvc.exe | WScript.exe |
| PID 2612 wrote to memory of 1916 | 2612 | sppsvc.exe | WScript.exe |
| PID 2612 wrote to memory of 1916 | 2612 | sppsvc.exe | WScript.exe |
| PID 2612 wrote to memory of 1916 | 2612 | sppsvc.exe | WScript.exe |
| PID 1956 wrote to memory of 2180 | 1956 | WScript.exe | sppsvc.exe |
| PID 1956 wrote to memory of 2180 | 1956 | WScript.exe | sppsvc.exe |
| PID 1956 wrote to memory of 2180 | 1956 | WScript.exe | sppsvc.exe |
| PID 1956 wrote to memory of 2180 | 1956 | WScript.exe | sppsvc.exe |
| PID 1956 wrote to memory of 2180 | 1956 | WScript.exe | sppsvc.exe |
| PID 2180 wrote to memory of 1740 | 2180 | sppsvc.exe | WScript.exe |
| PID 2180 wrote to memory of 1740 | 2180 | sppsvc.exe | WScript.exe |
| PID 2180 wrote to memory of 1740 | 2180 | sppsvc.exe | WScript.exe |
| PID 2180 wrote to memory of 1576 | 2180 | sppsvc.exe | WScript.exe |
| PID 2180 wrote to memory of 1576 | 2180 | sppsvc.exe | WScript.exe |
| PID 2180 wrote to memory of 1576 | 2180 | sppsvc.exe | WScript.exe |
System policy modification 1 TTPs 18 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sppsvc.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sppsvc.exe |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\1553f67a0859a3057cde01f77db9dbc0_NeikiAnalytics.exe"
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 2380
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 932
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 1048
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 764
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 664
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 2028
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 2236
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 844
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 2728
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 940
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 1860
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 1592
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID: 1560
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZulfStaN0H.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1792
    C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 2112
    C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
      "C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe"
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 2612
      C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ffff686-4516-46fa-9f0d-2e8ef0881a28.vbs"
        - Suspicious use of WriteProcessMemory
        PID: 1956
        C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
          C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 2180
          C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28d0c9de-bce9-431f-b7c4-b0c31daffd5d.vbs"
            PID: 1740
            C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
              C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
              - UAC bypass
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Suspicious use of AdjustPrivilegeToken
              - System policy modification
              PID: 2740
              C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ca98162-3d6a-4a27-b81a-fe696b8f376d.vbs"
                PID: 2272
                C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
                  C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
                  - UAC bypass
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Suspicious use of AdjustPrivilegeToken
                  - System policy modification
                  PID: 2256
                  C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70ce8163-641e-4dd6-9974-4cad816e5fb0.vbs"
                    PID: 2312
                    C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
                      C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe
                      - UAC bypass
                      - Executes dropped EXE
                      - Checks whether UAC is enabled
                      - Suspicious use of AdjustPrivilegeToken
                      - System policy modification
                      PID: 2496
                      C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1966821b-46e2-4bd3-92f2-7358e42a5a80.vbs"
                        PID: 2500
                      C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfd4f19f-9276-44f0-8e38-404f7146c46b.vbs"
                        PID: 1852
                  C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\148b7e11-ee7d-4d81-9d9a-eabcd024a733.vbs"
                    PID: 2688
              C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8526f789-beb6-40ef-aee9-a6b5bb5143da.vbs"
                PID: 2888
          C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a34004e5-db2d-4197-a3fe-47162cebb188.vbs"
            PID: 1576
      C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\023fb7b8-b690-4d75-b756-fba66941e125.vbs"
        PID: 1916
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2456
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2404
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2460
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2832
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3024
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 664
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2364
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 680
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 892
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1712
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1860
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 916
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2468
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2604
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2708
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1788
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1876
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1996
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\services.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1808
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2216
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1812
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1972
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2212
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2204
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1432
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1920
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2928
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1820
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2776
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1496
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2072
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2972
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2016
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2132
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1784
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1848
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1620
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ShellNew\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1584
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellNew\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1348
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\smss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1632
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1628
C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 820
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads

Filesize: 3.2MB
MD5: 325ab4cde5aecfae8d6ec0b25d8d3b91
SHA1: 9761ef61579af9d336742d9713c97e4f25754fc4
SHA256: 962b6e4d5391f0fb417f483f3da6158cb235348990910b9febb4838795a0220f
SHA512: 25997b198f35f043c635f5cedc2f3c6a680c64d8ca5772d48229f25cc3503ce03ef6070b2c2d8c1a4d203a2fb39e37869d8eee6838ffbedd9c0ef87211bc6cd3

Filesize: 511B
MD5: fd89b79f32faf02cd4d131f6f4791064
SHA1: 3261963b0ed0d6266b96e3a00607ce733d5b1361
SHA256: cc163745e88b36f2b7c651051b417a559e4f796b7f2fc915b973d1311a7910e0
SHA512: 695bbae3fcdce21a58e65043f1797f0113417f3aa096ca4f1ea4b02ac473a93c0c397f816b4b38c3d32893007a9fb044329e47cc68c2bc63948d0959a89f7b08

Filesize: 735B
MD5: 5a1cfab63fa8629e8415bf53e0ed3c2f
SHA1: 23b44f80af6f3a376030049e67de00cd59dd3a4e
SHA256: d387f5a447458c34771372eb5ffedede135ed4dece4112ebb5a14a555254bb86
SHA512: fa5e205632fc2cfd239c8b11bd120f20e3f9f8bd2d79a94af61758d11c8630bed749fc0511eb79239026d58ead7eecd224f48439a910584b6b060def7a45e250

Filesize: 735B
MD5: f79903abd422c2d05a57205ee5907433
SHA1: 835d541b79cd08c240c6b4898b71f2942fad49ca
SHA256: 4d85ca388a8d39d12bcf3214a39bdf600e045068d0a4b360771f82933135317b
SHA512: cc1b78918e5352a69ffcd9e65006536090db118a6ba7c82f2652a530cb76083c4c9bf4a7aa0d722e94a7ff4b53ac8bf9885c8cecb2fef7916c1711c32fcae9f0

Filesize: 735B
MD5: 87716e5f6941d601eee2e1a6652caedc
SHA1: 6aa60dff27d85a70d48e13b2d56e14dfad0de977
SHA256: 12a52b4638715aae2fe948cca42454cab337c1a122415d039de252cf4bec9a20
SHA512: 2f4c7fb0b3dc91caa425a6661dff694a29115e77142a1debea6ce49c960b98ffb89bc92a77897f248b57f22319652d764cb26c8c81c4c8f4e0bfff4b89be2638

Filesize: 735B
MD5: e83026a7357a2e644a6438dcbc26caef
SHA1: 554c63ddbc4fd1e65a8ecc37d1170e45fe009831
SHA256: b69ea6fd70dd4a4979a7a4b1e0323e697498baf9f4d3ee94162af114f6a5dba0
SHA512: 681b36ae2ab98ddb5395e13add638f954388e67ee65dffa78ddfc50671995af935269e3b6eb2c470b66dff992ee674a220f6acdb47924d323f34e009fb7c91fe

Filesize: 735B
MD5: 6cc7946cc438d7ab70de9c1dff330f88
SHA1: cc022a49a848c30af0680f4780b99eb55c9ff6b8
SHA256: dc445a3723df2b7f574eb8ff8b367c36c98819788d36599f4eef7fdf9d7d6f20
SHA512: 5fa3424636b72cbcaaaa8d483669147ac950790caf2d3c3db12ef4be9075e89ba97cd393e6f553cfbd13fdd2b3fcd482ee1aadcffb4ea5dbfe1d167e8f17edaa

Filesize: 224B
MD5: 45195d6b4979756c0ad21b67b9e1831e
SHA1: 82db6ac0e69e5424667955c258e4937baf0749a6
SHA256: 94321fadc372ec3ae98a7c1b86c60301f380d14a5083c5d39d7acdffa4418ad1
SHA512: 7f63b69ec74b94b97409a138a4dbca5b0ac15b25070e09e7bce3c7b695778146307a0322ea769c4f97b3e0a89fd756e85565b873b973030e69bcca765da4a96a

Filesize: 3.2MB
MD5: 1415988fb81427713469cc9232c1410e
SHA1: b5ef5fe6d4c8fd6e999fc9c3aba4e248c832abb2
SHA256: 53c5ad2b80527745e383b5e13dc55612089ee5b8f7d618d0e0ed190605f79482
SHA512: b0492f41e6cf2104958b59eea7a6e58c767e9bb1970b6076bf2bffa17e41071cb897357661da77a185acae0340ac58e71f17c21388eeac42bf8c1e693331c0d9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: fb52e6e949decc6a10e4aa81a379c4a7
SHA1: 068a4772951abb25314c24159cff8214b2ab4269
SHA256: fed2bdbdb506bca7f2086a718c56a682b9a4de8f1cc8942890ea254fb4f72727
SHA512: 191e474a8cc287f6180a628365b2639a58c8587caac9e173048257a8734d0deba1ac1a45495f6ef72b98bcec1aae99b0ed02ba8e3c38712cdb4c385bc9a9a93c

Filesize: 3.2MB
MD5: 1553f67a0859a3057cde01f77db9dbc0
SHA1: 2cfe40d1fea16093e16c96a35f3240b98da9a5e1
SHA256: a9ac10090fed177df3867fc88eda57dd852c595dde10953b7b798523e1043152
SHA512: 4ff68e4ad4299aa2ca2be8dfd1742d641cf9aee6b687f94b1e3c68062630b2e167a13550a8a184c8ff5a3df1da5b3182ebd29759a84a219af37a8688df6f0de5

Filesize: 3.2MB
MD5: 3023d473a232c30ac5508e987117dcfa
SHA1: b1281d49ec300fbb81b116915205e3df11b22b1e
SHA256: 00580a7b6017eaa317ea0ecb26fb3249cd8b53e5b6e02041f7b4d0790aaa6c7e
SHA512: 0e5147b8c73c986fca106bc9ffeba969392dd88cd6c90e1d8172b730f544ed593731f666d87f5a54693fed9cc120e0f2a597045bbdba04c377f04d8ee5a3b828