dcrat | b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Size

2.7MB
MD5

57a247f9f8794206cc585e249c645a30
SHA1

62181064bcea86150b2bc7c800c026b3e8054aa3
SHA256

b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2
SHA512

f0fb8bdebce741d8aeee50243899d5f2e4c5bc4be16d7a2c40fa5400deec37945382ea34ed888c8920461ce42a1f50e55e57b28e9132e76b7267ea36945ca3da
SSDEEP

49152:qH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:qHfE5Ad8Xd295UmGc

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 17 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\", \"C:\\Users\\Admin\\Favorites\\taskhost.exe\", \"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\", \"C:\\Program Files\\Java\\jre7\\lsm.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\", \"C:\\Users\\Admin\\Start Menu\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\", \"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\", \"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\", \"C:\\Program Files (x86)\\Google\\services.exe\", \"C:\\Program Files\\Windows Sidebar\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2736	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2736	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2492-1-0x0000000000EF0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/files/0x0006000000017387-35.dat	dcrat
behavioral1/files/0x000700000001865b-123.dat	dcrat
behavioral1/files/0x00060000000186cf-134.dat	dcrat
behavioral1/files/0x000a00000001922d-175.dat	dcrat
behavioral1/memory/1468-186-0x00000000011A0000-0x0000000001460000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2288	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1468	services.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Start Menu\\lsass.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Java\\jre7\\lsm.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\services.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\Favorites\\taskhost.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\services.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Mail\\es-ES\\dllhost.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\Java\\jre7\\lsm.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Sidebar\\services.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\explorer.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Default\\Documents\\My Pictures\\lsm.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Admin\\Favorites\\taskhost.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\taskhost.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\Idle.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\services.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Sidebar\\services.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\lsass.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\smss.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\ed850442-d104-11ee-9c57-c695cbc44580\\explorer.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\smss.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\Start Menu\\lsass.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\sppsvc.exe\""	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\c5b4cb5e9653cc	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\RCX3401.tmp	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Java\jre7\lsm.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Sidebar\services.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6203df4a6bafc7	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\dllhost.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\services.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\services.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Google\services.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files\Windows Sidebar\c5b4cb5e9653cc	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX3604.tmp	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\c5b4cb5e9653cc	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files\Windows Mail\es-ES\5940a34987c991	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\69ddcba757bf72	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCX3EFE.tmp	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Google\RCX43E0.tmp	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX4C5C.tmp	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX4E60.tmp	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files\Windows Mail\es-ES\dllhost.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\lsm.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\101b941d020240	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX2D88.tmp	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX4651.tmp	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2796	schtasks.exe
472	schtasks.exe
2748	schtasks.exe
2848	schtasks.exe
2572	schtasks.exe
2160	schtasks.exe
624	schtasks.exe
2520	schtasks.exe
280	schtasks.exe
496	schtasks.exe
2372	schtasks.exe
2916	schtasks.exe
2056	schtasks.exe
1476	schtasks.exe
2728	schtasks.exe
2904	schtasks.exe
1324	schtasks.exe
2424	schtasks.exe
1636	schtasks.exe
2220	schtasks.exe
1684	schtasks.exe
648	schtasks.exe
2460	schtasks.exe
1808	schtasks.exe
2280	schtasks.exe
1596	schtasks.exe
2196	schtasks.exe
2896	schtasks.exe
1136	schtasks.exe
412	schtasks.exe
1708	schtasks.exe
2708	schtasks.exe
2936	schtasks.exe
1264	schtasks.exe
1688	schtasks.exe
1460	schtasks.exe
1356	schtasks.exe
1212	schtasks.exe
1676	schtasks.exe
2712	schtasks.exe
1868	schtasks.exe
780	schtasks.exe
2996	schtasks.exe
856	schtasks.exe
576	schtasks.exe
2948	schtasks.exe
2140	schtasks.exe
2208	schtasks.exe
2016	schtasks.exe
2212	schtasks.exe
2028	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	services.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
2288	powershell.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe
1468	services.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1468	services.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2288	2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe	80
PID 2492 wrote to memory of 2288	2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe	80
PID 2492 wrote to memory of 2288	2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe	80
PID 2492 wrote to memory of 1468	2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe	82
PID 2492 wrote to memory of 1468	2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe	82
PID 2492 wrote to memory of 1468	2492	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe	82

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57a247f9f8794206cc585e249c645a30_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Program Files\Windows Sidebar\services.exe
  "C:\Program Files\Windows Sidebar\services.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Favorites\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Pictures\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre7\lsm.exe

Filesize
2.7MB

MD5
57a247f9f8794206cc585e249c645a30

SHA1
62181064bcea86150b2bc7c800c026b3e8054aa3

SHA256
b0b428f37e12d95bc74fb16db83d51c3f16f4cf5121061a1b4b84fd1e13180e2

SHA512
f0fb8bdebce741d8aeee50243899d5f2e4c5bc4be16d7a2c40fa5400deec37945382ea34ed888c8920461ce42a1f50e55e57b28e9132e76b7267ea36945ca3da

Download Submit
C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe

Filesize
2.7MB

MD5
2aba29fb0547ccd9ceca78fd2775502e

SHA1
ed9a1b97e1131e5649990e72267593dc6f68c66d

SHA256
d23aee48e2a09bd96b12f9a921ae8b9a42d41d854c9338bd66b75c5399bd6deb

SHA512
5095b9b8addf78212a74a6df79aa843e67231755984c0aa45cfa7bd13a6c405a0b132f20631933dec28290737d17345261a1aa6c308b8d342360d553f8f088d0

Download Submit
C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\Idle.exe

Filesize
2.7MB

MD5
13990a3ac73e1d814da94d3d141a7487

SHA1
68da3ec90ed58854b51679ac2d3f7293c145f341

SHA256
2d7e9e3c60ec2ed4376b2ccefe83bf8836352b094865761aec39ae1e85cb0f6a

SHA512
0b46b28833500a5bf67db7b12e846edaa92b67db9577dbe1d3189f32e004c9b984b9b117c438bb6ac047220f1abd07c94c3fada9328733afa24b2d8a83b40930

Download Submit
C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\smss.exe

Filesize
2.7MB

MD5
33f550e3f6961449918a702dbd733ab7

SHA1
637a107980a078c242f6a821b683458302754863

SHA256
23a4c3d43695572aa558e5f8c400adc2a9987bb57e83a066093359356793d59f

SHA512
8fefdc7fbeec3ce2226e63a418656e23a199ed18804929c18f9dbd50400e2aae898cc0cdd28bdc84c7759dcad638e9b9ae450504074ee61902410a8e6dd5471d

Download Submit
memory/1468-186-0x00000000011A0000-0x0000000001460000-memory.dmp

Filesize
2.8MB

Download
memory/2288-188-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2288-189-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2492-16-0x000000001A990000-0x000000001A998000-memory.dmp

Filesize
32KB

Download
memory/2492-20-0x000000001A9D0000-0x000000001A9D8000-memory.dmp

Filesize
32KB

Download
memory/2492-9-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/2492-10-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/2492-11-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/2492-12-0x000000001A930000-0x000000001A986000-memory.dmp

Filesize
344KB

Download
memory/2492-13-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/2492-14-0x000000001A980000-0x000000001A988000-memory.dmp

Filesize
32KB

Download
memory/2492-15-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

Filesize
48KB

Download
memory/2492-0-0x000007FEF5363000-0x000007FEF5364000-memory.dmp

Filesize
4KB

Download
memory/2492-17-0x000000001A9A0000-0x000000001A9AC000-memory.dmp

Filesize
48KB

Download
memory/2492-18-0x000000001A9B0000-0x000000001A9BC000-memory.dmp

Filesize
48KB

Download
memory/2492-19-0x000000001A9F0000-0x000000001A9F8000-memory.dmp

Filesize
32KB

Download
memory/2492-8-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/2492-21-0x000000001A9C0000-0x000000001A9CC000-memory.dmp

Filesize
48KB

Download
memory/2492-22-0x000000001A9E0000-0x000000001A9EC000-memory.dmp

Filesize
48KB

Download
memory/2492-23-0x000000001AA00000-0x000000001AA08000-memory.dmp

Filesize
32KB

Download
memory/2492-24-0x000000001AA10000-0x000000001AA1A000-memory.dmp

Filesize
40KB

Download
memory/2492-25-0x000000001AA20000-0x000000001AA2C000-memory.dmp

Filesize
48KB

Download
memory/2492-26-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-7-0x0000000000A10000-0x0000000000A26000-memory.dmp

Filesize
88KB

Download
memory/2492-5-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2492-6-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2492-4-0x00000000009F0000-0x0000000000A0C000-memory.dmp

Filesize
112KB

Download
memory/2492-3-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/2492-2-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-1-0x0000000000EF0000-0x00000000011B0000-memory.dmp

Filesize
2.8MB

Download
memory/2492-187-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download