b186f549a48bf83d51b27e3ca265d31f6a46a4e1d91a0cac0b5bc867c06e39bb

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Size

191KB
MD5

2fe1f7f7483896f0544b19dfe7969490
SHA1

a2e8211d41017453a6e7623af36d26019692d402
SHA256

b186f549a48bf83d51b27e3ca265d31f6a46a4e1d91a0cac0b5bc867c06e39bb
SHA512

e23f44e8b6f73f0acbe86b87039c8ef86bb118d7ca3402f4494ace74d520c5ffc9de3059f9494e324cac980b3162f87cdce6dbae2dc38044475cdacecb2b85cb
SSDEEP

3072:2AKEsYqqjfipJWYpWJZfGXFxUYyaJC6sOMD5Qjj9jRMKSlJ8subptbbG+X:NKE+qjfipJWYpWJZfGXFRJJRsOM9+j5L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
876	cwrss.exe
1636	cwrss.exe
1956	cwrss.exe
1984	cwrss.exe
1164	cwrss.exe

Loads dropped DLL 9 IoCs

pid	Process
2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
1636	cwrss.exe
1956	cwrss.exe
1956	cwrss.exe
876	cwrss.exe
876	cwrss.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	cwrss.exe
File opened (read-only)	\??\J:	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
File opened (read-only)	\??\E:	cwrss.exe
File opened (read-only)	\??\S:	cwrss.exe
File opened (read-only)	\??\K:	cwrss.exe
File opened (read-only)	\??\H:	cwrss.exe
File opened (read-only)	\??\S:	cwrss.exe
File opened (read-only)	\??\G:	cwrss.exe
File opened (read-only)	\??\Q:	cwrss.exe
File opened (read-only)	\??\N:	cwrss.exe
File opened (read-only)	\??\A:	cwrss.exe
File opened (read-only)	\??\Q:	cwrss.exe
File opened (read-only)	\??\I:	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
File opened (read-only)	\??\E:	cwrss.exe
File opened (read-only)	\??\N:	cwrss.exe
File opened (read-only)	\??\P:	cwrss.exe
File opened (read-only)	\??\p:	cwrss.exe
File opened (read-only)	\??\O:	cwrss.exe
File opened (read-only)	\??\O:	cwrss.exe
File opened (read-only)	\??\W:	cwrss.exe
File opened (read-only)	\??\X:	cwrss.exe
File opened (read-only)	\??\B:	cwrss.exe
File opened (read-only)	\??\X:	cwrss.exe
File opened (read-only)	\??\z:	cwrss.exe
File opened (read-only)	\??\H:	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
File opened (read-only)	\??\N:	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	cwrss.exe
File opened (read-only)	\??\E:	cwrss.exe
File opened (read-only)	\??\M:	cwrss.exe
File opened (read-only)	\??\P:	cwrss.exe
File opened (read-only)	\??\E:	cwrss.exe
File opened (read-only)	\??\I:	cwrss.exe
File opened (read-only)	\??\Y:	cwrss.exe
File opened (read-only)	\??\S:	cwrss.exe
File opened (read-only)	\??\P:	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
File opened (read-only)	\??\B:	cwrss.exe
File opened (read-only)	\??\G:	cwrss.exe
File opened (read-only)	\??\M:	cwrss.exe
File opened (read-only)	\??\R:	cwrss.exe
File opened (read-only)	\??\O:	cwrss.exe
File opened (read-only)	\??\a:	cwrss.exe
File opened (read-only)	\??\r:	cwrss.exe
File opened (read-only)	\??\N:	cwrss.exe
File opened (read-only)	\??\X:	cwrss.exe
File opened (read-only)	\??\J:	cwrss.exe
File opened (read-only)	\??\o:	cwrss.exe
File opened (read-only)	\??\E:	cwrss.exe
File opened (read-only)	\??\J:	cwrss.exe
File opened (read-only)	\??\i:	cwrss.exe
File opened (read-only)	\??\R:	cwrss.exe
File opened (read-only)	\??\P:	cwrss.exe
File opened (read-only)	\??\Z:	cwrss.exe
File opened (read-only)	\??\j:	cwrss.exe
File opened (read-only)	\??\k:	cwrss.exe
File opened (read-only)	\??\W:	cwrss.exe
File opened (read-only)	\??\G:	cwrss.exe
File opened (read-only)	\??\R:	cwrss.exe
File opened (read-only)	\??\v:	cwrss.exe
File opened (read-only)	\??\H:	cwrss.exe
File opened (read-only)	\??\n:	cwrss.exe
File opened (read-only)	\??\B:	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
File opened (read-only)	\??\V:	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
File opened (read-only)	\??\W:	cwrss.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	icanhazip.com

Maps connected drives based on registry 3 TTPs 12 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cwrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cwrss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cwrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cwrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cwrss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cwrss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cwrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	cwrss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cwrss.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cwrss.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\Content-Type = "application/x-msdownload"	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\shell\runas\command	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command	cwrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\Content-Type = "application/x-msdownload"	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv\DefaultIcon	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\DefaultIcon\ = "%1"	cwrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open\command\IsolatedCommand = "\"%1\" %*"	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sppsrv\shell\runas\command	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\DefaultIcon\ = "%1"	cwrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open	cwrss.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\command	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sppsrv\shell\open	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\ = "Application"	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\UserRuntime\\cwrss.exe\" 1 /START \"%1\" %*"	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\shell\runas\command\IsolatedCommand = "\"%1\" %*"	cwrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\ = "Application"	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\DefaultIcon\ = "%1"	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\shell\open\command	cwrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\UserRuntime\\cwrss.exe\" 1 /START \"%1\" %*"	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\shell\runas	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\ = "dcore"	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\ = "Application"	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\DefaultIcon	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sppsrv	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sppsrv\ = "Application"	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\shell\runas\command\IsolatedCommand = "\"%1\" %*"	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command	cwrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\DefaultIcon\ = "%1"	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open\command	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv\shell\runas\command	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sppsrv\shell	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\DefaultIcon	cwrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1"	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sppsrv\shell\open\command	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command	cwrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sppsrv\DefaultIcon\ = "%1"	cwrss.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\ = "dcore"	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	cwrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open\command\ = "\"C:\\ProgramData\\UserRuntime\\cwrss.exe\" /START \"%1\" %*"	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\UserRuntime\\cwrss.exe\" 1 /START \"%1\" %*"	cwrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "sppsrv"	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.exe\DefaultIcon	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\shell\open\command\IsolatedCommand = "\"%1\" %*"	cwrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\dcore\shell\runas\command\ = "\"%1\" %*"	cwrss.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1164	cwrss.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1636	cwrss.exe
Token: SeIncBasePriorityPrivilege	1956	cwrss.exe
Token: SeIncBasePriorityPrivilege	876	cwrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1164	cwrss.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 876	2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe	30
PID 2228 wrote to memory of 876	2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe	30
PID 2228 wrote to memory of 876	2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe	30
PID 2228 wrote to memory of 876	2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe	30
PID 2228 wrote to memory of 1636	2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe	31
PID 2228 wrote to memory of 1636	2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe	31
PID 2228 wrote to memory of 1636	2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe	31
PID 2228 wrote to memory of 1636	2228	2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe	31
PID 1636 wrote to memory of 1956	1636	cwrss.exe	32
PID 1636 wrote to memory of 1956	1636	cwrss.exe	32
PID 1636 wrote to memory of 1956	1636	cwrss.exe	32
PID 1636 wrote to memory of 1956	1636	cwrss.exe	32
PID 1956 wrote to memory of 1984	1956	cwrss.exe	33
PID 1956 wrote to memory of 1984	1956	cwrss.exe	33
PID 1956 wrote to memory of 1984	1956	cwrss.exe	33
PID 1956 wrote to memory of 1984	1956	cwrss.exe	33
PID 876 wrote to memory of 1164	876	cwrss.exe	34
PID 876 wrote to memory of 1164	876	cwrss.exe	34
PID 876 wrote to memory of 1164	876	cwrss.exe	34
PID 876 wrote to memory of 1164	876	cwrss.exe	34

C:\Users\Admin\AppData\Local\Temp\2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2fe1f7f7483896f0544b19dfe7969490_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\ProgramData\UserRuntime\cwrss.exe
  "C:\ProgramData\UserRuntime\cwrss.exe" 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Roaming\UserRuntime\cwrss.exe
    "C:\Users\Admin\AppData\Roaming\UserRuntime\cwrss.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1164
- C:\ProgramData\UserRuntime\cwrss.exe
  "C:\ProgramData\UserRuntime\cwrss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\ProgramData\UserRuntime\cwrss.exe
    "C:\ProgramData\UserRuntime\cwrss.exe" 1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Roaming\UserRuntime\cwrss.exe
      "C:\Users\Admin\AppData\Roaming\UserRuntime\cwrss.exe" 1
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UserRuntime\cwrss.exe

Filesize
191KB

MD5
2a16afe9499b50f75b3968e77653945d

SHA1
1501ca113f6330b321b64f40916ff8c9f16677e5

SHA256
7528a744c62fc3952a08cb41b89a64e523d3c6ced3a6796fc75fc0e9b02ba3f1

SHA512
ad91f19f97b49a26b10afdbe3664e3ce9097f235f3b13f9ee9971ddf14627ba7ed7aac806186329a5d188a87e438e1826966bb3ee70de03ea1f1d6c5bc85b4b1

Download Submit
C:\Users\Admin\AppData\Roaming\UserRuntime\cwrss.exe

Filesize
191KB

MD5
9f3f7b63f4f2c0705c4a4d5e947b1867

SHA1
f30cec51afd35730e56306a575f16ca71e9e9f1b

SHA256
39d48da70b94df76e72a55af1a6d31a783f523f78fca2968b63feeb5abe167a4

SHA512
84ac237e3c7cc8827bbc7abb1faaf28cde1ebaa9256d8a9f957c76e8c500648a88dc2e8eee04f729df7b5f2f1f75154915ff4c8f8e4fd2b523bf3cb34639c631

Download Submit