Analysis

max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 15:29

Behavioral task: behavioral1
Sample: e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
Resource: win7-20240221-en

General

Target: e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
Size: 2.9MB
MD5: e349210264df2c9c8513e938aa1f3940
SHA1: e689f7221e0954c75e760d5103723c021b82eebb
SHA256: 4d520afba4c682d393f2979de1abea0e96ec9f84f2b1d0164b57eea4eea15175
SHA512: 93fb466f6a853c227ebf88ed5586d509e4982f6b0c6e6dce7343c38e887a5c5e5f9b3484d70c7d64b3bdff50a2a93bb73ce7e6a4f6eb4ee8960052248db08b99
SSDEEP: 49152:f4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:QDKmzjWnC8Wikx1DUN2/Uq
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process (30 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (30 entries; every entry has the same description, pid_target and process)
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target: 2576
process: schtasks.exe
pid: 3024, 2580, 2768, 2680, 2648, 2432, 2540, 3004, 2292, 764, 2488, 2656, 2740, 1776, 2308, 1804, 1936, 1580, 1568, 1628, 2392, 2340, 2336, 1332, 1224, 2920, 2904, 2020, 2284, 2404
UAC bypass (36 IoCs)
Processes: audiodg.exe (11 instances) and e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
description: Set value (int) in every entry. Identical rows grouped with their counts:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": audiodg.exe (11), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (1)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0": audiodg.exe (11), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (1)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0": audiodg.exe (11), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (1)
YARA rule matches: dcrat (11 IoCs)
resource / yara_rule:
- behavioral1/memory/2872-1-0x00000000008A0000-0x0000000000B86000-memory.dmp: dcrat
- C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe: dcrat
- C:\Windows\Resources\csrss.exe: dcrat
- behavioral1/memory/2920-184-0x0000000000D80000-0x0000000001066000-memory.dmp: dcrat
- behavioral1/memory/1128-195-0x0000000001330000-0x0000000001616000-memory.dmp: dcrat
- behavioral1/memory/1348-219-0x0000000000090000-0x0000000000376000-memory.dmp: dcrat
- behavioral1/memory/952-231-0x0000000000BF0000-0x0000000000ED6000-memory.dmp: dcrat
- behavioral1/memory/2724-244-0x0000000001190000-0x0000000001476000-memory.dmp: dcrat
- behavioral1/memory/2548-267-0x00000000000E0000-0x00000000003C6000-memory.dmp: dcrat
- behavioral1/memory/3000-279-0x00000000000F0000-0x00000000003D6000-memory.dmp: dcrat
- behavioral1/memory/2988-291-0x0000000000110000-0x00000000003F6000-memory.dmp: dcrat
Command and Scripting Interpreter: PowerShell (1 TTP, 12 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe, pid 1484, 924, 1656, 1780, 836, 1072, 468, 1808, 1608, 3016, 760, 1280
Executes dropped EXE (11 IoCs)
Processes: audiodg.exe, pid 2920, 1128, 892, 1348, 952, 2724, 1380, 2548, 3000, 2988, 1748
Checks whether UAC is enabled (24 IoCs)
Processes: audiodg.exe (11 instances) and e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA in every entry. Identical rows grouped with their counts:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: audiodg.exe (11), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (1)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": audiodg.exe (11), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (1)
Drops file in Program Files directory (8 IoCs)
Processes: e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (every entry)
- File created: C:\Program Files (x86)\Windows Mail\es-ES\b75386f1303e64
- File opened for modification: C:\Program Files\Windows Mail\it-IT\RCX379C.tmp
- File opened for modification: C:\Program Files\Windows Mail\it-IT\services.exe
- File opened for modification: C:\Program Files (x86)\Windows Mail\es-ES\RCX3C7E.tmp
- File opened for modification: C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe
- File created: C:\Program Files\Windows Mail\it-IT\services.exe
- File created: C:\Program Files\Windows Mail\it-IT\c5b4cb5e9653cc
- File created: C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe
Drops file in Windows directory (8 IoCs)
Processes: e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (every entry)
- File created: C:\Windows\Resources\886983d96e3d3e
- File opened for modification: C:\Windows\Vss\Writers\RCX2D1C.tmp
- File opened for modification: C:\Windows\Vss\Writers\Idle.exe
- File opened for modification: C:\Windows\Resources\RCX3327.tmp
- File opened for modification: C:\Windows\Resources\csrss.exe
- File created: C:\Windows\Vss\Writers\Idle.exe
- File created: C:\Windows\Vss\Writers\6ccacd8608530f
- File created: C:\Windows\Resources\csrss.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 30 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, pid 2580, 2432, 2540, 2336, 1224, 2020, 2680, 2292, 2308, 2404, 2648, 3004, 764, 2656, 1804, 2768, 2904, 1332, 2920, 2488, 2284, 1936, 2392, 2340, 3024, 2740, 1776, 1580, 1568, 1628
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes (pid, process):
- e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe: 2872 (listed 5 times)
- powershell.exe: 1484, 1280, 924, 468, 1072, 836, 1656, 3016, 1608, 760, 1808, 1780
- audiodg.exe: 2920, 1128, 892, 1348, 952, 2724, 1380, 2548, 3000, 2988, 1748
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes (pid, process; every entry is Token: SeDebugPrivilege):
- e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe: 2872
- powershell.exe: 1484, 1280, 924, 468, 1072, 836, 1656, 3016, 1608, 760, 1808, 1780
- audiodg.exe: 2920, 1128, 892, 1348, 952, 2724, 1380, 2548, 3000, 2988, 1748
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe, cmd.exe, audiodg.exe, WScript.exe
description (source pid and process, target pid and process; the report repeats each entry three times, except the last, because the list stops at 64 entries):
- PID 2872 (e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe) wrote to memory of powershell.exe pids 1484, 1808, 1608, 924, 1656, 1780, 3016, 1280, 468, 760, 836, 1072 (3 entries each)
- PID 2872 (e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe) wrote to memory of 1724 cmd.exe (3 entries)
- PID 1724 (cmd.exe) wrote to memory of 2880 w32tm.exe (3 entries)
- PID 1724 (cmd.exe) wrote to memory of 2920 audiodg.exe (3 entries)
- PID 2920 (audiodg.exe) wrote to memory of 2836 WScript.exe (3 entries)
- PID 2920 (audiodg.exe) wrote to memory of 376 WScript.exe (3 entries)
- PID 2836 (WScript.exe) wrote to memory of 1128 audiodg.exe (3 entries)
- PID 1128 (audiodg.exe) wrote to memory of 2088 WScript.exe (3 entries)
- PID 1128 (audiodg.exe) wrote to memory of 2124 WScript.exe (3 entries)
- PID 2088 (WScript.exe) wrote to memory of 892 audiodg.exe (3 entries)
- PID 892 (audiodg.exe) wrote to memory of 1288 WScript.exe (1 entry)
System policy modification (1 TTP, 36 IoCs)
Processes: audiodg.exe (11 instances) and e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe
description: Set value (int) in every entry. Identical rows grouped with their counts:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0": audiodg.exe (11), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (1)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0": audiodg.exe (11), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (1)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": audiodg.exe (11), e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe (1)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\e349210264df2c9c8513e938aa1f3940_NeikiAnalytics.exe"1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484 -
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'  Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'  Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608 -
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'  Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924 -
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'  Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656 -
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'  Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'  Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016 -
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'  Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280 -
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'  Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468 -
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'  Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760 -
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'  Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836 -
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'  Level: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072 -
Image: C:\Windows\System32\cmd.exe  Command: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5aHV7JTKGb.bat"  Level: 2
- Suspicious use of WriteProcessMemory
PID:1724 -
Image: C:\Windows\system32\w32tm.exe  Command: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  Level: 3  PID:2880
-
Image: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Command: "C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe"  Level: 3
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2920 -
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88d6643c-1c32-4cb2-ac5c-835ca516018b.vbs"  Level: 4
- Suspicious use of WriteProcessMemory
PID:2836 -
Image: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Command: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Level: 5
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1128 -
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c5f9120-874d-4592-adf9-28dad0f4f728.vbs"  Level: 6
- Suspicious use of WriteProcessMemory
PID:2088 -
Image: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Command: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Level: 7
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:892 -
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0691a621-351c-4329-a175-6ff3e0e6cb75.vbs"  Level: 8  PID:1288
-
Image: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Command: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Level: 9
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1348 -
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c75006b-6bf2-4c39-af40-b75eedf8863f.vbs"  Level: 10  PID:1604
-
Image: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Command: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Level: 11
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:952 -
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d777272d-2e32-4c3b-9479-5c54a82d058b.vbs"  Level: 12  PID:1840
-
Image: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Command: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Level: 13
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2724 -
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d98a413e-6e9e-4ac8-8e39-c09a15ff1e0f.vbs"  Level: 14  PID:2188
-
Image: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Command: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Level: 15
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1380 -
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36e9956a-823e-4fc7-83e6-650a72d7fe55.vbs"  Level: 16  PID:2624
-
Image: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Command: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Level: 17
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2548 -
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ac724b0-6d26-4e2c-803d-fee9a339a226.vbs"  Level: 18  PID:2792
-
Image: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Command: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Level: 19
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3000 -
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eea7e8ad-dafe-4f5a-9f3a-35850fda8351.vbs"  Level: 20  PID:1640
-
Image: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Command: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Level: 21
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2988 -
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a057145-b7a3-4298-80db-9d12830dc7ee.vbs"  Level: 22  PID:1784
-
Image: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Command: C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe  Level: 23
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1748 -
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86025ee7-4dbd-4f75-97d9-29c9e6a7b805.vbs"  Level: 22  PID:1948
-
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\200553f5-2a17-483c-944b-6ff2508c20f5.vbs"  Level: 20  PID:536
-
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89c1fea0-d71b-451d-b12c-0666a8631601.vbs"  Level: 18  PID:644
-
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53e38331-93bc-4af7-b358-256bae17fe6c.vbs"  Level: 16  PID:1564
-
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5fe9278-9572-4cc6-af15-4dad7e18ec63.vbs"  Level: 14  PID:2352
-
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c87b5ce9-93e3-4e6a-8f21-c873a246ef5e.vbs"  Level: 12  PID:1560
-
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5be379ca-007c-48fb-b870-5b7d2be66120.vbs"  Level: 10  PID:2148
-
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3c15762-b7f4-4b15-be67-bdecf9b519d5.vbs"  Level: 8  PID:872
-
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4d8aa18-d177-4acc-9eac-4f14cac5a3a7.vbs"  Level: 6  PID:2124
-
Image: C:\Windows\System32\WScript.exe  Command: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91a01db5-f4c4-4eb2-814d-3764b79dcf51.vbs"  Level: 4  PID:376
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\Idle.exe'" /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Idle.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Idle.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\spoolsv.exe'" /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\csrss.exe'" /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\csrss.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\csrss.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\csrss.exe'" /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\csrss.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\it-IT\services.exe'" /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\services.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\it-IT\services.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
Image: C:\Windows\system32\schtasks.exe  Command: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\taskhost.exe'" /rl HIGHEST /f  Level: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
Downloads
-
Filesize
2.9MB
MD5 e349210264df2c9c8513e938aa1f3940
SHA1 e689f7221e0954c75e760d5103723c021b82eebb
SHA256 4d520afba4c682d393f2979de1abea0e96ec9f84f2b1d0164b57eea4eea15175
SHA512 93fb466f6a853c227ebf88ed5586d509e4982f6b0c6e6dce7343c38e887a5c5e5f9b3484d70c7d64b3bdff50a2a93bb73ce7e6a4f6eb4ee8960052248db08b99
-
Filesize
735B
MD5 ae55e56d74343b28ed5c5a57f8c59dcf
SHA1 4b311279fc5f5a89295fec16718ac286a712719a
SHA256 d72506ab3a8d09edfad22e5c74966c7a0056ebb1e4f4d873fc6d16e621478502
SHA512 9d2913c518d2c075ef0bd9bc383c538076a7bfc28257596655fb1f084292b5d6cacf85d567f9607bb5f800d547be5cdd22886260839a6df022d4e9a94beeaa39
-
Filesize
736B
MD5 9892efb9aac788bfc2be912e35b34a3a
SHA1 e4d03117331b725d46e70f68a40c688f161a29da
SHA256 51f8b6b7416037646748ec44eadf00dfedf0f6299b0ee809f2f191329b0e780e
SHA512 33d799664ac0e0b6b799f1e755c09d6a83fe7378f1e94abcf88f76c7e27e29ffe93cf930509abc9e072b3f27d05255f8beba1e1a1f8e5cdad908adaea40da7c9
-
Filesize
736B
MD5 767097a56fb53c8bd7c82c81ecadf80c
SHA1 b1c46b104479e1624fc722c72d4d61eac5414042
SHA256 38f2a229dc9a36a017804d7048d75c912cf7f15f80658d2c69681782014874ef
SHA512 c0ad1b9a094310ffe3524ab01451c747eb17b607420ed60f4b708a03ab94a8f573f52f9b4745b34352d558dc292c785188c7d7b5bedf0bcf8f11370d88d88abe
-
Filesize
225B
MD5 08ca394f19216c4072e53eb9bfe4b206
SHA1 88db3ce7a2b632791e3e2e5383123735d2df7c33
SHA256 c7b3c9421de28399ac365496ab4bc5ccfeddc670eeaa5b3c5017526453fd6306
SHA512 69c726cab8843d9a6161646376c2a051399574c88c5a3dd3849f577e23bcd6eef1756342f7eec62940b3e2282f49348d01c5756973b167f7dfed97ed0dd4e36c
-
Filesize
736B
MD5 d727d46a2792a7cbdac8d69bce2c93be
SHA1 15108b49429efe4b21b33ce23622bd57f70561db
SHA256 b175f49088d915951258badd4ea30e3f810179ab119e0a955c43bdb560e55844
SHA512 4b0261e9f619837439c556b85aad825a5f2346aa1b741840045f231b4ee3f55e173eabd74978e4b24c60674104d2899cc6f11f3958ecd29233c3d4701bbaee12
-
Filesize
736B
MD5 98ccd5bab3ad4e25b8c60db7dc3d68eb
SHA1 6200c6b686a32ae40e8c0038bca0bd597adfae25
SHA256 56e7344230028884641f23dca3d289c5658b9078c3133b5dced372ce853528d9
SHA512 e8c8052eeba3ae0a98a3ab81a25c48756e82250aceacb8cc63b8f5f9e655a5d846d1ff98b9e458cd9d4095f6522cdb298bb9b44b0732748ac65d32b07b167a9d
-
Filesize
736B
MD5 5f1da4466d26e59e6fd6f182ab8575c3
SHA1 7f77ff9ebbeff22d7cda63ca304282c28678a7c2
SHA256 3b4cb4a90c6c89ca58c966a7f0b8b5a13218ca0c970aec3dea2cc00942bcd24a
SHA512 e1362fad0b9d2dd0c9f9f0bd69b35608891df562d420267d298a68b0ef685bec5b9b76883b20e026dcf6cf0e1b837a63051fbf877aac3deb9b21084a1e92366f
-
Filesize
512B
MD5 1ab79a3abbdb0a16f048f0dbfdc3df8c
SHA1 ed0ad2389a4f19c81b1a576393d38909217753fa
SHA256 782662a94ee2807770376c09a058efb40be59a7f7fa134c6d3d74ba32c21db06
SHA512 5ff33b05d55dab21e737692dd0285ccb595a735511723dec61a134ded904c9adc08ae9aa655641f911c2e57ca3e1f9dffc1fd0a22fb371e3875ddcf1e131b931
-
Filesize
736B
MD5 d524d0d59de7558afb656aafe6ed0336
SHA1 23b820e3d30c6d872e893648079ec7fcc21c838d
SHA256 b3bbba763cd17a5c3a2112dc61a0024973dd2ea789e12bc457acadfd25530acd
SHA512 7c90f6611f5fd4a95502f05949f49cf3143b333d0798aa45003043e37b4b4fffdfac87df4f1a690289b6f6c8d2f6df3923ac8b35fd64950a8e4f3cc541b4e2c0
-
Filesize
735B
MD5 81e565bfcf432f83b4b5823a98cb522c
SHA1 a8f0460c7514243b0b157dcaf8cabf0bca7592b7
SHA256 7b2f236f13b78e3cb07d404efab5163f4234b5cb3ac9288bcc4af5c0036a9927
SHA512 33cb99e5b087bbfa6871e7a99420b7a588ed5dc23dd22184731f9760b7c7ad361adf4297b2877d5c911aacc3783ac1d8c3942844c7ff7229f210dafec0b10acf
-
Filesize
736B
MD5 d59c51b0fecd913e4c9f43ff46002fdc
SHA1 abaa3d041bfe582f967a644e7cffb159961225d8
SHA256 b40ad32fc79fed0d975c94ac93678b6cd752d2dc40a20cf003543ba8601017ca
SHA512 0548aaf9c0f3b05f1f30f29d00905dbaca513aa4fc3809b4ade4be2b61734eb214ef4b705676cc86b709a5d8490c6ef1ca89cb5c4c09bdcdfe047a65178cea03
-
Filesize
736B
MD5 47b74c448fb3e6b4495b8f0583de62c3
SHA1 7e78213c03db78aad93d8d6c5fdbbd8ce3152d86
SHA256 745bf75519064ddbc0e6d97b162ca8e4dbdc2e46cfb06b42a96b361fe9280517
SHA512 9dc130bb31825f8f2c53aef67f3eba0b10ef1169b737a544db1e48754d3bc27f6d5e73ffe340589f9c6e53559a5c3c37e35da7d9d8dd9f985d644afea713c229
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5 ca2b20db3ee39ff237186048ba77e8df
SHA1 408480acaea807a294c0937355205f565e83e860
SHA256 82794cae42f2af66c6cc110553a08e14289de93fb03d67d8163822ea39ef9dba
SHA512 8197bf3c2b13e2d2800aa184a02207b34f70df7cbcbbd8dc975ea01aaa9aaba1e599f06f7addf86faed357a1917272a8d4ab2fb28406ea1c58b8d7832f9de1d9
-
Filesize
2.9MB
MD5 aca376d1fbbdae37ac12118021977309
SHA1 a582a859522127e76a84c662eb45f2e183ae9a2a
SHA256 6b3049abaf104e0347b315c6aaf50b806afc2d6f3fd8874df9bda232397cf5a0
SHA512 e23eeb47146cf2ecf66953e13d20e87c638e6115a2d41ebfecc2cecbc207ae5fbe1b70f9d2e039005988d1cf875216e63b2d64dec0adf7086e9c23886ab4743f