Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 04:46
Static task: static1
Behavioral task: behavioral1
- Sample: b0ba826970a10449ffd0b343b4e80320_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b0ba826970a10449ffd0b343b4e80320_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: b0ba826970a10449ffd0b343b4e80320_NeikiAnalytics.exe
- Size: 6.6MB
- MD5: b0ba826970a10449ffd0b343b4e80320
- SHA1: 97745a1c361394ae11902e6fdba35d40af8a83ec
- SHA256: 4b03baf5500aa7c4b77e4a75604a21687e4466d40fd16afe690edb9ef75a5a74
- SHA512: c005382ffe77024b206b113d7785b518ac127a6900edbb587a9f07f791d63d34911107e61982a243b5922657a61243201633677af8b0393ace64f1c3278b77f8
- SSDEEP: 196608:gLFYEg07NIakUbY6ZQXsVkESEJJEkgls8s4kgXtD:gJFg07aaR3Q5ULEkglpFkA
Malware Config
- Extracted: quasar
- reconnect_delay: 3000
Signatures
-
Quasar payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2640-19-0x000001B553680000-0x000001B553E2E000-memory.dmp | family_quasar
Sets service image path in registry 2 TTPs 1 IoCs
Processes: WaaSMedicAgent.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | WaaSMedicAgent.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: wmiprvse.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svchost.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: wmiprvse.exe
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | wmiprvse.exe
Drops file in System32 directory 15 IoCs
Processes: svchost.exe, svchost.exe, svchost.exe, OfficeClickToRun.exe
Drops file in Windows directory 15 IoCs
Processes: svchost.exe, svchost.exe, TrustedInstaller.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WerFault.exe, mousocoreworker.exe, svchost.exe
Enumerates system info in registry 2 TTPs 5 IoCs
Processes: wmiprvse.exe, mousocoreworker.exe, WerFault.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | mousocoreworker.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: mousocoreworker.exe, svchost.exe, OfficeClickToRun.exe, WaaSMedicAgent.exe, svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: b0ba826970a10449ffd0b343b4e80320_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: b0ba826970a10449ffd0b343b4e80320_NeikiAnalytics.exe, Explorer.EXE, svchost.exe, svchost.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes: Explorer.EXE
pid | process
3532 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes: b0ba826970a10449ffd0b343b4e80320_NeikiAnalytics.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (command lines; indented entries are child processes, behaviour tags are listed beneath each process)
- C:\Windows\system32\lsass.exe
- C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
  - (C:\Windows\system32\taskhostw.exe) taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory
- C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\spoolsv.exe
- C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- C:\Windows\sysmon.exe
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  - Enumerates connected drives
- C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - "C:\Users\Admin\AppData\Local\Temp\b0ba826970a10449ffd0b343b4e80320_NeikiAnalytics.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  - Modifies data under HKEY_USERS
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- C:\Windows\system32\SppExtComObj.exe -Embedding
- C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\System32\WaaSMedicAgent.exe ae9bda162ba81e7da19f525409c3e829 WshumQquLUK58sQDcUtmFw.0.1.0.0.0
  - Sets service image path in registry
  - Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe -u -p 2132 -s 660
    - Checks processor information in registry
    - Enumerates system info in registry
- C:\Windows\System32\svchost.exe -k WerSvcGroup
- C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - Checks BIOS information in registry
  - Writes to the Master Boot Record (MBR)
  - Enumerates system info in registry
- (C:\Windows\system32\BackgroundTransferHost.exe) "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
- C:\Windows\servicing\TrustedInstaller.exe
  - Drops file in Windows directory
- C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  - Checks processor information in registry
- C:\Windows\System32\mousocoreworker.exe -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
- "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- (C:\Windows\system32\BackgroundTransferHost.exe) "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C97.tmp.csv
  Filesize 38KB
  MD5 d163b4d0f8bc9f9c7aa1e4b1a07f580f
  SHA1 3d068c07384d829e2d6586fb3f35c8bdb04891f0
  SHA256 6ffb8211d6da58b9cd5e275f89e442bea97cc9bb013541e95b8fdf6fe39549fa
  SHA512 e7a47afe2b8ce655f4ccc24a77d2935622a3b20f712f8efb66224d1d286d73d59d6bf8d7b90494ab57b3c74356f1184b423c396fd77a0c937492835bbb156c7a
- C:\ProgramData\Microsoft\Windows\WER\Temp\WER5CA8.tmp.txt
  Filesize 13KB
  MD5 d35541c289d2090354fe88767b00f17c
  SHA1 f9e90de9e75d0711d0cb5bd7ca1ad830e575930c
  SHA256 e6d44fa8f45df427488d0197f8c0f17c441a12f8736c626c75214d540d2ca7ab
  SHA512 8123f6193859de7d983f0d7306dd63ea20d300704df1d3deeffc3e11f537e94214773ed10b25b4a1d102d2aa1b199edd4a13be143335ac3c92d9a890608784c3
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
  Filesize 330B
  MD5 60cb00866928055691d6d41fd7c2f05c
  SHA1 7a87d97fce725148196cdc9529f46abf1dabf7a1
  SHA256 1be70e355b673b31fd2635fa46075ca525799c3c6c54a89d3f4a6380ab1eeb60
  SHA512 265ad709f23b85d9da8873ec297f9d142220bcc0214c8c17257730caa0eda2a36539f83a8ef4a323829a01fc71b72e66a3c0ce68fb0507080f58877793cf5f45
- C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
  Filesize 16.5MB
  MD5 57074745e465e20c64b2f8d4847afcfe
  SHA1 46361fcbb9b3671669c56203578105740839141c
  SHA256 1358d0b91351a94e1c1e6a7c9a9a5056362934f17fbb17dc660677ab72ee5c49
  SHA512 15cd4774d84d2a77927d2ffa84d84d05f70336e103c8f492051895cd2cf339ce0166fd4f0bd6325ed7361cf0cd7c7ad261c6061de553d45397a4db2438bd00c8
- C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
  Filesize 16KB
  MD5 65747ae02a12f4c867d537a49855119b
  SHA1 260cbebfc42eb1ad158c0b9dd0803e1de2d4d54a
  SHA256 c15ce053ebad841631b490c3cf8d4d850398bd2d81c87e921543233ffc4d89be
  SHA512 0170f2f13b1711a3da41a0f60851f0f9b7ffe2bc12d709d8741101f5c5776e0ff61fc55c356668951cf4c664e26bb4408534cf919c69a257aef4062f51f4e7fc
- C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
  Filesize 1.2MB
  MD5 b0cf5d8b57668af7750a4c6496adcc0e
  SHA1 0c9670dba6396946fd3a0bb5c9f5d243f3253cd6
  SHA256 c85966699d298671d1af1f877b96603b13dc0df5a735c7673aa3767b972e3b08
  SHA512 7230c8e3a8a09dc6c26333d370780ed0ad07c5511091f43040268e3e79cefda66545244781b3506569a7c3fed47a84a47c6164474e36ab9c411346d4056796a1
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
  Filesize 2KB
  MD5 8abf2d6067c6f3191a015f84aa9b6efe
  SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
  SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
  SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
  Filesize 2KB
  MD5 f313c5b4f95605026428425586317353
  SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
  SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
  SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize 2KB
  MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
  SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
  SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
  SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize 2KB
  MD5 7d612892b20e70250dbd00d0cdd4f09b
  SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
  SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
  SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize 2KB
  MD5 1e8e2076314d54dd72e7ee09ff8a52ab
  SHA1 5fd0a67671430f66237f483eef39ff599b892272
  SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
  SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize 2KB
  MD5 0b990e24f1e839462c0ac35fef1d119e
  SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
  SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
  SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
- C:\Windows\WindowsUpdate.log
  Filesize 276B
  MD5 2cc83d93dd1dde691158cf5e9882420b
  SHA1 49bfdc6e1e73e09a0dec345ca15b72d167add3b6
  SHA256 455ec4f5b15557762b893388b591ca9f3e822675ab94fc6664aa4ec8c41cb295
  SHA512 e67f883a016b7a410f4461492bce124421bddccf4544322b9a460a56df469170b2323fd0325e2cf928193fb6a1323c31cb0d464097f25d2f9b11af3bf9ca1b4d
- memory/388-75-0x0000022E61060000-0x0000022E61089000-memory.dmp
  Filesize 164KB
- memory/388-65-0x0000022E61060000-0x0000022E61089000-memory.dmp
  Filesize 164KB
- memory/388-73-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp
  Filesize 64KB
- memory/388-74-0x0000022E61060000-0x0000022E61089000-memory.dmp
  Filesize 164KB
- memory/664-741-0x0000026203E70000-0x0000026203E93000-memory.dmp
  Filesize 140KB
- memory/664-32-0x0000026203EA0000-0x0000026203EC9000-memory.dmp
  Filesize 164KB
- memory/664-31-0x0000026203E70000-0x0000026203E93000-memory.dmp
  Filesize 140KB
- memory/664-33-0x0000026203EA0000-0x0000026203EC9000-memory.dmp
  Filesize 164KB
- memory/664-41-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp
  Filesize 64KB
- memory/664-42-0x0000026203EA0000-0x0000026203EC9000-memory.dmp
  Filesize 164KB
- memory/664-43-0x0000026203EA0000-0x0000026203EC9000-memory.dmp
  Filesize 164KB
- memory/664-59-0x0000026203E70000-0x0000026203E93000-memory.dmp
  Filesize 140KB
- memory/664-60-0x00007FF9780ED000-0x00007FF9780EE000-memory.dmp
  Filesize 4KB
- memory/860-79-0x00000261CEDC0000-0x00000261CEDE9000-memory.dmp
  Filesize 164KB
- memory/860-742-0x00000261CED90000-0x00000261CEDB3000-memory.dmp
  Filesize 140KB
- memory/860-92-0x00000261CED90000-0x00000261CEDB3000-memory.dmp
  Filesize 140KB
- memory/860-87-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp
  Filesize 64KB
- memory/860-89-0x00000261CEDC0000-0x00000261CEDE9000-memory.dmp
  Filesize 164KB
- memory/860-88-0x00000261CEDC0000-0x00000261CEDE9000-memory.dmp
  Filesize 164KB
- memory/948-61-0x00007FF9780EC000-0x00007FF9780ED000-memory.dmp
  Filesize 4KB
- memory/948-57-0x0000028FD3800000-0x0000028FD3829000-memory.dmp
  Filesize 164KB
- memory/948-47-0x0000028FD3800000-0x0000028FD3829000-memory.dmp
  Filesize 164KB
- memory/948-56-0x0000028FD3800000-0x0000028FD3829000-memory.dmp
  Filesize 164KB
- memory/948-62-0x00007FF9380D0000-0x00007FF9380E0000-memory.dmp
  Filesize 64KB
- memory/2640-18-0x000001B553130000-0x000001B55367E000-memory.dmp
  Filesize 5.3MB
- memory/2640-740-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
  Filesize 10.8MB
- memory/2640-19-0x000001B553680000-0x000001B553E2E000-memory.dmp
  Filesize 7.7MB
  Region matched by the family_quasar YARA rule (see the Quasar payload signature above)
- memory/2640-25-0x0000000180000000-0x0000000180007000-memory.dmp
  Filesize 28KB
- memory/2640-17-0x000001B5530F0000-0x000001B55312E000-memory.dmp
  Filesize 248KB
- memory/2640-16-0x000001B539A90000-0x000001B539A96000-memory.dmp
  Filesize 24KB
- memory/2640-15-0x000001B539AC0000-0x000001B539AC8000-memory.dmp
  Filesize 32KB
- memory/2640-21-0x000001B555270000-0x000001B555322000-memory.dmp
  Filesize 712KB
- memory/2640-22-0x000001B555350000-0x000001B555372000-memory.dmp
  Filesize 136KB
- memory/2640-23-0x000001B5555D0000-0x000001B55563A000-memory.dmp
  Filesize 424KB
- memory/2640-0-0x00007FF95A033000-0x00007FF95A035000-memory.dmp
  Filesize 8KB
- memory/2640-24-0x000001B555640000-0x000001B555682000-memory.dmp
  Filesize 264KB
- memory/2640-14-0x000001B539A10000-0x000001B539A16000-memory.dmp
  Filesize 24KB
- memory/2640-12-0x000001B5523E0000-0x000001B55243E000-memory.dmp
  Filesize 376KB
- memory/2640-739-0x00007FF95A033000-0x00007FF95A035000-memory.dmp
  Filesize 8KB
- memory/2640-20-0x000001B554EE0000-0x000001B55526C000-memory.dmp
  Filesize 3.5MB
- memory/2640-13-0x000001B553090000-0x000001B5530E8000-memory.dmp
  Filesize 352KB
- memory/2640-28-0x0000000180000000-0x0000000180007000-memory.dmp
  Filesize 28KB
- memory/2640-9-0x000001B539A70000-0x000001B539A92000-memory.dmp
  Filesize 136KB
- memory/2640-10-0x000001B539AA0000-0x000001B539AA6000-memory.dmp
  Filesize 24KB
- memory/2640-11-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
  Filesize 10.8MB
- memory/2640-7-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
  Filesize 10.8MB
- memory/2640-8-0x000001B552E90000-0x000001B552F8C000-memory.dmp
  Filesize 1008KB
- memory/2640-5-0x00007FF978050000-0x00007FF978245000-memory.dmp
  Filesize 2.0MB
- memory/2640-6-0x00007FF977DA0000-0x00007FF977E5E000-memory.dmp
  Filesize 760KB
- memory/2640-4-0x000001B5524A0000-0x000001B552B88000-memory.dmp
  Filesize 6.9MB
- memory/2640-3-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
  Filesize 10.8MB
- memory/2640-2-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
  Filesize 10.8MB
- memory/2640-1-0x000001B537800000-0x000001B537EA6000-memory.dmp
  Filesize 6.6MB