Analysis
max time kernel: 150s
max time network: 139s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 07:48
Behavioral task: behavioral1
Sample: a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe
Size: 2.9MB
MD5: a76c3992f0ce41945386691b991de4f0
SHA1: 694416f5f2cc6579af87f08175b52f9039930972
SHA256: 92e319b1b62dd242ccb3feaaa29200780cc33c46a5b35a4f5723fbcd73976023
SHA512: 6f8e49018ca2bd9ef4f002d968903cd6e414d61afbc68e8c70f74e1c473d612ed07f25af2c129fbd59105b71c9704cbc4c4b2e1b889ef3ebb8896a64b6ba7870
SSDEEP: 49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (36 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:

| description | pid | pid_target | process | target process |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2608 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2700 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2388 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2524 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2372 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2192 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2864 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2152 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 840 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1804 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2644 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2820 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1048 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2236 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1720 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1036 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1468 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 940 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1648 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1628 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1216 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 788 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1016 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 860 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1484 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2144 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2724 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 400 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2916 | 2516 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1136 | 2516 | schtasks.exe | |
UAC bypass
Processes:

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
Processes:

| resource | yara_rule |
|---|---|
| behavioral1/memory/2768-1-0x0000000000AE0000-0x0000000000DC6000-memory.dmp | dcrat |
| C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | dcrat |
| C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe | dcrat |
| behavioral1/memory/324-189-0x00000000002B0000-0x0000000000596000-memory.dmp | dcrat |
| behavioral1/memory/2544-202-0x0000000000CE0000-0x0000000000FC6000-memory.dmp | dcrat |
| behavioral1/memory/1780-250-0x0000000001340000-0x0000000001626000-memory.dmp | dcrat |
| behavioral1/memory/2168-273-0x00000000002C0000-0x00000000005A6000-memory.dmp | dcrat |
| behavioral1/memory/320-286-0x0000000000EC0000-0x00000000011A6000-memory.dmp | dcrat |
Command and Scripting Interpreter: PowerShell (1 TTPs, 12 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:

| pid | process |
|---|---|
| 1572 | powershell.exe |
| 1604 | powershell.exe |
| 2396 | powershell.exe |
| 2584 | powershell.exe |
| 2204 | powershell.exe |
| 2740 | powershell.exe |
| 2808 | powershell.exe |
| 1608 | powershell.exe |
| 2196 | powershell.exe |
| 2692 | powershell.exe |
| 3064 | powershell.exe |
| 3060 | powershell.exe |
Executes dropped EXE (9 IoCs)
Processes:

| pid | process |
|---|---|
| 324 | services.exe |
| 2544 | services.exe |
| 1484 | services.exe |
| 2472 | services.exe |
| 1924 | services.exe |
| 1780 | services.exe |
| 1552 | services.exe |
| 2168 | services.exe |
| 320 | services.exe |
Checks whether UAC is enabled
Processes:

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | services.exe |
Drops file in Program Files directory (16 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File created | C:\Program Files (x86)\Adobe\1ccdc59d64bdbd | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Program Files\Internet Explorer\images\sppsvc.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Program Files\Google\Chrome\RCXC5BA.tmp | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Program Files\Google\Chrome\lsm.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Program Files\Google\Chrome\101b941d020240 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Program Files\Windows Journal\smss.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Program Files\Windows Journal\69ddcba757bf72 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Program Files (x86)\Adobe\RCXB85C.tmp | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Program Files\Google\Chrome\lsm.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Program Files\Windows Journal\smss.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Program Files\Internet Explorer\images\0a1fd5f707cd16 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Program Files\Internet Explorer\images\RCXC194.tmp | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Program Files\Internet Explorer\images\sppsvc.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Program Files\Windows Journal\RCXC7DD.tmp | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
Drops file in Windows directory (13 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File created | C:\Windows\diagnostics\lsm.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Windows\ModemLogs\886983d96e3d3e | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\RCXB1B5.tmp | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\ModemLogs\RCXB649.tmp | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Windows\servicing\Editions\spoolsv.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Windows\servicing\Editions\f3b6ecef712a24 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\ModemLogs\csrss.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\servicing\Editions\RCXBA6F.tmp | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\servicing\Editions\spoolsv.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\42af1c969fbb7b | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| File created | C:\Windows\ModemLogs\csrss.exe | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 36 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:

| pid | process |
|---|---|
| 840 | schtasks.exe |
| 1136 | schtasks.exe |
| 2608 | schtasks.exe |
| 2644 | schtasks.exe |
| 2820 | schtasks.exe |
| 1668 | schtasks.exe |
| 1648 | schtasks.exe |
| 2144 | schtasks.exe |
| 2412 | schtasks.exe |
| 2552 | schtasks.exe |
| 1048 | schtasks.exe |
| 1216 | schtasks.exe |
| 788 | schtasks.exe |
| 1804 | schtasks.exe |
| 2372 | schtasks.exe |
| 1468 | schtasks.exe |
| 940 | schtasks.exe |
| 860 | schtasks.exe |
| 2388 | schtasks.exe |
| 1688 | schtasks.exe |
| 1484 | schtasks.exe |
| 400 | schtasks.exe |
| 2236 | schtasks.exe |
| 2192 | schtasks.exe |
| 2152 | schtasks.exe |
| 2944 | schtasks.exe |
| 1628 | schtasks.exe |
| 2700 | schtasks.exe |
| 1720 | schtasks.exe |
| 2724 | schtasks.exe |
| 2524 | schtasks.exe |
| 2796 | schtasks.exe |
| 1036 | schtasks.exe |
| 1016 | schtasks.exe |
| 2916 | schtasks.exe |
| 2864 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes:

| pid | process |
|---|---|
| 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| 2808 | powershell.exe |
| 2692 | powershell.exe |
| 1572 | powershell.exe |
| 3064 | powershell.exe |
| 1608 | powershell.exe |
| 2204 | powershell.exe |
| 3060 | powershell.exe |
| 2196 | powershell.exe |
| 2740 | powershell.exe |
| 1604 | powershell.exe |
| 2396 | powershell.exe |
| 2584 | powershell.exe |
| 324 | services.exe |
| 2544 | services.exe |
| 1484 | services.exe |
| 2472 | services.exe |
| 1924 | services.exe |
| 1780 | services.exe |
| 1552 | services.exe |
| 2168 | services.exe |
| 320 | services.exe |
Suspicious use of AdjustPrivilegeToken (22 IoCs)
Processes:

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| Token: SeDebugPrivilege | 2808 | powershell.exe |
| Token: SeDebugPrivilege | 2692 | powershell.exe |
| Token: SeDebugPrivilege | 1572 | powershell.exe |
| Token: SeDebugPrivilege | 3064 | powershell.exe |
| Token: SeDebugPrivilege | 1608 | powershell.exe |
| Token: SeDebugPrivilege | 2204 | powershell.exe |
| Token: SeDebugPrivilege | 3060 | powershell.exe |
| Token: SeDebugPrivilege | 2196 | powershell.exe |
| Token: SeDebugPrivilege | 2740 | powershell.exe |
| Token: SeDebugPrivilege | 1604 | powershell.exe |
| Token: SeDebugPrivilege | 2396 | powershell.exe |
| Token: SeDebugPrivilege | 2584 | powershell.exe |
| Token: SeDebugPrivilege | 324 | services.exe |
| Token: SeDebugPrivilege | 2544 | services.exe |
| Token: SeDebugPrivilege | 1484 | services.exe |
| Token: SeDebugPrivilege | 2472 | services.exe |
| Token: SeDebugPrivilege | 1924 | services.exe |
| Token: SeDebugPrivilege | 1780 | services.exe |
| Token: SeDebugPrivilege | 1552 | services.exe |
| Token: SeDebugPrivilege | 2168 | services.exe |
| Token: SeDebugPrivilege | 320 | services.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 2768 wrote to memory of 2204 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2204 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2204 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2196 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2196 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2196 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2740 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2740 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2740 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2692 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2692 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2692 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2808 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2808 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2808 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 1608 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 1608 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 1608 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 1604 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 1604 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 1604 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 1572 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 1572 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 1572 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 3064 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 3064 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 3064 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 3060 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 3060 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 3060 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2584 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2584 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2584 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2396 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2396 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 2396 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | powershell.exe |
| PID 2768 wrote to memory of 324 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | services.exe |
| PID 2768 wrote to memory of 324 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | services.exe |
| PID 2768 wrote to memory of 324 | 2768 | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe | services.exe |
| PID 324 wrote to memory of 2304 | 324 | services.exe | WScript.exe |
| PID 324 wrote to memory of 2304 | 324 | services.exe | WScript.exe |
| PID 324 wrote to memory of 2304 | 324 | services.exe | WScript.exe |
| PID 324 wrote to memory of 1996 | 324 | services.exe | WScript.exe |
| PID 324 wrote to memory of 1996 | 324 | services.exe | WScript.exe |
| PID 324 wrote to memory of 1996 | 324 | services.exe | WScript.exe |
| PID 2304 wrote to memory of 2544 | 2304 | WScript.exe | services.exe |
| PID 2304 wrote to memory of 2544 | 2304 | WScript.exe | services.exe |
| PID 2304 wrote to memory of 2544 | 2304 | WScript.exe | services.exe |
| PID 2544 wrote to memory of 2116 | 2544 | services.exe | WScript.exe |
| PID 2544 wrote to memory of 2116 | 2544 | services.exe | WScript.exe |
| PID 2544 wrote to memory of 2116 | 2544 | services.exe | WScript.exe |
| PID 2544 wrote to memory of 1940 | 2544 | services.exe | WScript.exe |
| PID 2544 wrote to memory of 1940 | 2544 | services.exe | WScript.exe |
| PID 2544 wrote to memory of 1940 | 2544 | services.exe | WScript.exe |
| PID 2116 wrote to memory of 1484 | 2116 | WScript.exe | services.exe |
| PID 2116 wrote to memory of 1484 | 2116 | WScript.exe | services.exe |
| PID 2116 wrote to memory of 1484 | 2116 | WScript.exe | services.exe |
| PID 1484 wrote to memory of 1728 | 1484 | services.exe | WScript.exe |
| PID 1484 wrote to memory of 1728 | 1484 | services.exe | WScript.exe |
| PID 1484 wrote to memory of 1728 | 1484 | services.exe | WScript.exe |
| PID 1484 wrote to memory of 2808 | 1484 | services.exe | WScript.exe |
| PID 1484 wrote to memory of 2808 | 1484 | services.exe | WScript.exe |
| PID 1484 wrote to memory of 2808 | 1484 | services.exe | WScript.exe |
| PID 1728 wrote to memory of 2472 | 1728 | WScript.exe | services.exe |
System policy modification (1 TTPs, 30 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | services.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | services.exe |
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe 1⤵
"C:\Users\Admin\AppData\Local\Temp\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2768
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2⤵
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe 2⤵
"C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:324
C:\Windows\System32\WScript.exe 3⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a3913c6-c403-4575-82cc-9efa443f58da.vbs"
- Suspicious use of WriteProcessMemory
PID:2304
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe 4⤵
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2544
C:\Windows\System32\WScript.exe 5⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\189315fe-d30f-4820-95bf-136e5099806e.vbs"
- Suspicious use of WriteProcessMemory
PID:2116
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe 6⤵
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1484
C:\Windows\System32\WScript.exe 7⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81a20895-7992-478c-a1f6-70e9c4005aa3.vbs"
- Suspicious use of WriteProcessMemory
PID:1728
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe 8⤵
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2472
C:\Windows\System32\WScript.exe 9⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\254fd276-a90b-42e9-bc22-f3c0c470bddf.vbs"
PID:580
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe 10⤵
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1924
C:\Windows\System32\WScript.exe 11⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87983f1d-2c5a-4e9e-ad7a-6268d1febc9b.vbs"
PID:1044
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe 12⤵
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1780
C:\Windows\System32\WScript.exe 13⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ce27bbf-81d8-413e-b18f-d55c53d4e8e1.vbs"
PID:2524
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe 14⤵
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1552
C:\Windows\System32\WScript.exe 15⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\babcc170-13ac-40bf-be35-ae34702a755e.vbs"
PID:2800
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe 16⤵
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2168
C:\Windows\System32\WScript.exe 17⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11708d4c-d3f6-420b-bf7a-5970c65c2b2e.vbs"
PID:1488
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe 18⤵
C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:320
C:\Windows\System32\WScript.exe 19⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\260a53a8-3477-40db-8dc1-f3b67bf62dc7.vbs"
PID:2156
C:\Windows\System32\WScript.exe 19⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a36caac-c0db-4cbd-92c7-21280f0e644a.vbs"
PID:884
C:\Windows\System32\WScript.exe 17⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f963144-2cf4-49db-b764-63b890cb9c72.vbs"
PID:2092
C:\Windows\System32\WScript.exe 15⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fa70d88-92aa-4426-9419-82f3caa590b1.vbs"
PID:2672
C:\Windows\System32\WScript.exe 13⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91bc37cd-f09e-406c-8374-a636f716fd9b.vbs"
PID:1664
C:\Windows\System32\WScript.exe 11⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44be4781-1631-444c-9f6d-682110435f04.vbs"
PID:844
C:\Windows\System32\WScript.exe 9⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13381cec-12f5-4cf1-9d9e-623bc5f2328e.vbs"
PID:2064
C:\Windows\System32\WScript.exe 7⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0b48b46-92fc-4dc7-9a5f-fd0f115bd29a.vbs"
PID:2808
C:\Windows\System32\WScript.exe 5⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51f4de88-b488-468d-b114-9eb78d5769fc.vbs"
PID:1940
C:\Windows\System32\WScript.exe 3⤵
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b770a552-b404-4c4c-b8bf-a07b02aa329d.vbs"
PID:1996
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "a76c3992f0ce41945386691b991de4f0_NeikiAnalyticsa" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "a76c3992f0ce41945386691b991de4f0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "a76c3992f0ce41945386691b991de4f0_NeikiAnalyticsa" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\a76c3992f0ce41945386691b991de4f0_NeikiAnalytics.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\servicing\Editions\spoolsv.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\servicing\Editions\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\servicing\Editions\spoolsv.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\dllhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\smss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916
C:\Windows\system32\schtasks.exe 1⤵
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms