Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 04:00

Behavioral task: behavioral1
Sample: 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Resource: win7-20240221-en

General
Target: 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Size: 2.9MB
MD5: 77177c57df58a82f289add0cf57ea320
SHA1: 38c0414cb96be176cdf3b965b870bdf5de04f4a4
SHA256: 6f250581eae818938c64c4afa3446c7c36dfadda1d8b8ba20870ad0e05c7fe50
SHA512: 67161531bc39774e219b77de3166c3216ff962ca81af0982a44a502bd25d333aa742f8fca8e5720d91b4e69ddd6c829a0e014b94f7af89d1ceb601691dd2c9b6
SSDEEP: 49152:f4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:QDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3060 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2460 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2400 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2408 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2424 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2780 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2020 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1200 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 956 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2344 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1672 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 640 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1508 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2656 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2684 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2116 | 2624 | schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 760 | 2624 | schtasks.exe |
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Processes:
resource | yara_rule
behavioral1/memory/2956-1-0x00000000011F0000-0x00000000014D6000-memory.dmp | dcrat
C:\Windows\Tasks\spoolsv.exe | dcrat
behavioral1/memory/932-151-0x00000000011E0000-0x00000000014C6000-memory.dmp | dcrat
behavioral1/memory/2928-162-0x0000000000380000-0x0000000000666000-memory.dmp | dcrat
behavioral1/memory/2000-174-0x0000000000AD0000-0x0000000000DB6000-memory.dmp | dcrat
behavioral1/memory/2300-188-0x00000000013A0000-0x0000000001686000-memory.dmp | dcrat
Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
1992 | powershell.exe
2172 | powershell.exe
876 | powershell.exe
1488 | powershell.exe
2248 | powershell.exe
2076 | powershell.exe
2088 | powershell.exe
2224 | powershell.exe
1356 | powershell.exe
1060 | powershell.exe
2220 | powershell.exe
1208 | powershell.exe
Executes dropped EXE (11 IoCs)
Processes:
pid | process
932 | smss.exe
2928 | smss.exe
2000 | smss.exe
2300 | smss.exe
1604 | smss.exe
1960 | smss.exe
2928 | smss.exe
3016 | smss.exe
2020 | smss.exe
1316 | smss.exe
2784 | smss.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe
Drops file in Program Files directory (8 IoCs)
Processes:
description | ioc | process
File created | C:\Program Files\Windows Defender\29de1ba23f4c1c | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXB211.tmp | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Defender\RCXB657.tmp | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Windows Defender\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\69ddcba757bf72 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
File created | C:\Program Files\Windows Defender\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Drops file in Windows directory (4 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Tasks\spoolsv.exe | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
File created | C:\Windows\Tasks\f3b6ecef712a24 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
File opened for modification | C:\Windows\Tasks\RCXBAEB.tmp | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
File opened for modification | C:\Windows\Tasks\spoolsv.exe | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2400 | schtasks.exe
2020 | schtasks.exe
956 | schtasks.exe
2684 | schtasks.exe
3060 | schtasks.exe
2408 | schtasks.exe
1672 | schtasks.exe
640 | schtasks.exe
760 | schtasks.exe
2780 | schtasks.exe
2356 | schtasks.exe
2424 | schtasks.exe
1200 | schtasks.exe
2344 | schtasks.exe
1508 | schtasks.exe
2656 | schtasks.exe
2116 | schtasks.exe
2460 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes:
pid | process
2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
1488 | powershell.exe
876 | powershell.exe
2224 | powershell.exe
1992 | powershell.exe
2248 | powershell.exe
1208 | powershell.exe
2220 | powershell.exe
2172 | powershell.exe
1356 | powershell.exe
2076 | powershell.exe
1060 | powershell.exe
2088 | powershell.exe
932 | smss.exe
2928 | smss.exe
2000 | smss.exe
2300 | smss.exe
1604 | smss.exe
1960 | smss.exe
2928 | smss.exe
3016 | smss.exe
2020 | smss.exe
1316 | smss.exe
2784 | smss.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Token: SeDebugPrivilege | 1488 | powershell.exe
Token: SeDebugPrivilege | 876 | powershell.exe
Token: SeDebugPrivilege | 2224 | powershell.exe
Token: SeDebugPrivilege | 1992 | powershell.exe
Token: SeDebugPrivilege | 2248 | powershell.exe
Token: SeDebugPrivilege | 1208 | powershell.exe
Token: SeDebugPrivilege | 2220 | powershell.exe
Token: SeDebugPrivilege | 2172 | powershell.exe
Token: SeDebugPrivilege | 1356 | powershell.exe
Token: SeDebugPrivilege | 2076 | powershell.exe
Token: SeDebugPrivilege | 1060 | powershell.exe
Token: SeDebugPrivilege | 2088 | powershell.exe
Token: SeDebugPrivilege | 932 | smss.exe
Token: SeDebugPrivilege | 2928 | smss.exe
Token: SeDebugPrivilege | 2000 | smss.exe
Token: SeDebugPrivilege | 2300 | smss.exe
Token: SeDebugPrivilege | 1604 | smss.exe
Token: SeDebugPrivilege | 1960 | smss.exe
Token: SeDebugPrivilege | 2928 | smss.exe
Token: SeDebugPrivilege | 3016 | smss.exe
Token: SeDebugPrivilege | 2020 | smss.exe
Token: SeDebugPrivilege | 1316 | smss.exe
Token: SeDebugPrivilege | 2784 | smss.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | target process
PID 2956 wrote to memory of 876 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 876 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 876 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1488 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1488 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1488 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1356 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1356 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1356 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2248 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2248 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2248 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1992 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1992 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1992 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2076 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2076 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2076 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2224 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2224 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2224 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2088 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2088 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2088 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2220 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2220 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2220 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1208 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1208 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1208 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2172 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2172 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 2172 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1060 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1060 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1060 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | powershell.exe
PID 2956 wrote to memory of 1212 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | cmd.exe
PID 2956 wrote to memory of 1212 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | cmd.exe
PID 2956 wrote to memory of 1212 | 2956 | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe | cmd.exe
PID 1212 wrote to memory of 2628 | 1212 | cmd.exe | w32tm.exe
PID 1212 wrote to memory of 2628 | 1212 | cmd.exe | w32tm.exe
PID 1212 wrote to memory of 2628 | 1212 | cmd.exe | w32tm.exe
PID 1212 wrote to memory of 932 | 1212 | cmd.exe | smss.exe
PID 1212 wrote to memory of 932 | 1212 | cmd.exe | smss.exe
PID 1212 wrote to memory of 932 | 1212 | cmd.exe | smss.exe
PID 932 wrote to memory of 1944 | 932 | smss.exe | WScript.exe
PID 932 wrote to memory of 1944 | 932 | smss.exe | WScript.exe
PID 932 wrote to memory of 1944 | 932 | smss.exe | WScript.exe
PID 932 wrote to memory of 632 | 932 | smss.exe | WScript.exe
PID 932 wrote to memory of 632 | 932 | smss.exe | WScript.exe
PID 932 wrote to memory of 632 | 932 | smss.exe | WScript.exe
PID 1944 wrote to memory of 2928 | 1944 | WScript.exe | smss.exe
PID 1944 wrote to memory of 2928 | 1944 | WScript.exe | smss.exe
PID 1944 wrote to memory of 2928 | 1944 | WScript.exe | smss.exe
PID 2928 wrote to memory of 1308 | 2928 | smss.exe | WScript.exe
PID 2928 wrote to memory of 1308 | 2928 | smss.exe | WScript.exe
PID 2928 wrote to memory of 1308 | 2928 | smss.exe | WScript.exe
PID 2928 wrote to memory of 2856 | 2928 | smss.exe | WScript.exe
PID 2928 wrote to memory of 2856 | 2928 | smss.exe | WScript.exe
PID 2928 wrote to memory of 2856 | 2928 | smss.exe | WScript.exe
PID 1308 wrote to memory of 2000 | 1308 | WScript.exe | smss.exe
PID 1308 wrote to memory of 2000 | 1308 | WScript.exe | smss.exe
PID 1308 wrote to memory of 2000 | 1308 | WScript.exe | smss.exe
PID 2000 wrote to memory of 1556 | 2000 | smss.exe | WScript.exe
System policy modification (1 TTPs, 36 IoCs)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2956 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NSYlrSDHvc.bat"
Depth:2
- Suspicious use of WriteProcessMemory
PID:1212
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth:3
PID:2628
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe"
Depth:3
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:932
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df05749b-c94a-476d-a081-047e5740dd50.vbs"
Depth:4
- Suspicious use of WriteProcessMemory
PID:1944
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe"
Depth:5
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2928
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ead6ea0-b8fa-4f8a-941f-ddd9fe778879.vbs"
Depth:6
- Suspicious use of WriteProcessMemory
PID:1308
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe"
Depth:7
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2000
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0ce475e-3b5c-4019-874a-e6e9956c7aec.vbs"
Depth:8
PID:1556
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe"
Depth:9
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2300
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9d2c230-cd90-4b4d-bef2-cda5bc7b696c.vbs"
Depth:10
PID:2532
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe"
Depth:11
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1604
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4578d820-2196-4807-8aa1-d5ef17846719.vbs"
Depth:12
PID:2712
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe"
Depth:13
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1960
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7987e51e-b237-4c21-81a0-ec1103874081.vbs"
Depth:14
PID:1096
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe"
Depth:15
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2928
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a3b81ec-fd6d-4a47-a8a4-99e1c70d3700.vbs"
Depth:16
PID:1332
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe"
Depth:17
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3016
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6989dedd-1733-4474-98ae-52ae672c66a8.vbs"
Depth:18
PID:2164
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe"
Depth:19
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2020
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89bbda9a-40f1-4c53-89c9-8b118e97a2ca.vbs"
Depth:20
PID:2552
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe"
Depth:21
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1316
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c53fb3ab-c954-423b-bb9c-b94a59af7adb.vbs"
Depth:22
PID:1620
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe
"C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe"
Depth:23
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2784
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b0d570b-4e5d-4ad0-827b-8dcbebf755dc.vbs"
Depth:22
PID:2092
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bce22cb9-15f5-4814-b3dd-2efee98889ac.vbs"
Depth:20
PID:2660
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca974ef-38c4-49d8-952f-8d155dbf3157.vbs"
Depth:18
PID:2956
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5d8313e-ae13-4961-80be-e0249bac97ad.vbs"
Depth:16
PID:2820
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efa4cdb9-e6f3-4885-bea2-fe85dfe7509d.vbs"
Depth:14
PID:2120
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e268aaf4-7551-4e63-b7cf-c5181cc67c16.vbs"
Depth:12
PID:1640
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9d74cfe-6e63-4790-a116-a98c0cba4e7e.vbs"
Depth:10
PID:1356
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8bdcd86d-968a-4d15-b021-fd669d5de177.vbs"
Depth:8
PID:420
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c33fb198-4d93-4b09-92fe-0d4b8d7cd14b.vbs"
Depth:6
PID:2856
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e449166-312f-4a96-948d-454e69cd4488.vbs"
Depth:4
PID:632
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\smss.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77177c57df58a82f289add0cf57ea320_NeikiAnalytics7" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe'" /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77177c57df58a82f289add0cf57ea320_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "77177c57df58a82f289add0cf57ea320_NeikiAnalytics7" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\77177c57df58a82f289add0cf57ea320_NeikiAnalytics.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\spoolsv.exe'" /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
Depth:1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Scheduled Task/Job (1)
Downloads