Analysis Overview
SHA256
104ad4aa48acfb6ed06b77d34dfaea65636fc5d69f9e97f14083393289ce4bcc
Threat Level: Shows suspicious behavior
The file 65d27fcf5d4c6e8063353a0e67e4fc00_NeikiAnalytics.exe was found to show suspicious behavior. Despite the .exe name, both behavioral runs load it as a DLL through rundll32.exe (export ordinal #1), so treat the sample as a DLL, not a stand-alone executable.
Malicious Activity Summary
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 06:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 06:32
Reported
2024-06-13 06:34
Platform
win7-20240221-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
Note: the persisted binary carries the name of a system32 executable the sample also launches (VaultSysUi.exe), copied into a random folder under AppData\Roaming; a Startup .lnk with the same random name (Yyeybzteybdsbj.lnk, listed under Files) duplicates the persistence. Together with the "Loads dropped DLL" signature this is a pattern typical of DLL side-loading.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "\"C:\\Users\\Admin\\AppData\\Roaming\\f4SUbt\\VaultSysUi.exe\"" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\6401\rrinstaller.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\6401\rrinstaller.exe | C:\Windows\System32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
Note: this is the Event Viewer UAC bypass (ATT&CK T1548.002). The per-user MSCFile\shell\open\command default is pointed at cmd.exe running yFk6sS.cmd; eventvwr.exe, which auto-elevates and resolves the .msc handler through HKCU\Software\Classes before the machine-wide key, is then launched and spawns that cmd.exe (see the process tree below), which registers the /RL highest scheduled task. The keys are deleted again afterwards, so a live host will not show them; hunt on the process chain instead.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\yFk6sS.cmd" | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Note: the writing process (PID 1208) has no image in this report. It is the parent of every system binary below, and the memory list shows the same 0x0000000140000000-0x000000014008D000 image mapped both in it and in rundll32.exe (PID 1984), consistent with the payload having been injected from rundll32 into that process before the children were spawned.
| Description | Indicator | Process | Target |
| PID 1208 wrote to memory of 2908 | N/A | N/A | C:\Windows\system32\VaultSysUi.exe |
| PID 1208 wrote to memory of 2688 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1208 wrote to memory of 2912 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 2912 wrote to memory of 2876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1208 wrote to memory of 2240 | N/A | N/A | C:\Windows\system32\rrinstaller.exe |
| PID 1208 wrote to memory of 1664 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 1208 wrote to memory of 2520 | N/A | N/A | C:\Windows\System32\eventvwr.exe |
| PID 2520 wrote to memory of 2752 | N/A | C:\Windows\System32\eventvwr.exe | C:\Windows\system32\cmd.exe |
| PID 2752 wrote to memory of 2552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\65d27fcf5d4c6e8063353a0e67e4fc00_NeikiAnalytics.dll,#1
C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\aK1.cmd
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"
C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"
C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Oohwbly.cmd
C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\yFk6sS.cmd
C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Kzcfjezwvyzrv" /SC minute /MO 60 /TR "C:\Windows\system32\6401\rrinstaller.exe" /RL highest
Network
Files
memory/1984-0-0x0000000000170000-0x0000000000177000-memory.dmp
memory/1984-2-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-3-0x0000000076D26000-0x0000000076D27000-memory.dmp
memory/1208-4-0x00000000025D0000-0x00000000025D1000-memory.dmp
memory/1984-6-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-7-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-11-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-38-0x00000000025B0000-0x00000000025B7000-memory.dmp
memory/1208-17-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-37-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-30-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-29-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-28-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-27-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-26-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-25-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-24-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-23-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-22-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-21-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-20-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-19-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-18-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-16-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-15-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-14-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-13-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-12-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-10-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-9-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-8-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-39-0x0000000076E31000-0x0000000076E32000-memory.dmp
memory/1208-48-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-51-0x0000000140000000-0x000000014008D000-memory.dmp
memory/1208-52-0x0000000076F90000-0x0000000076F92000-memory.dmp
memory/1208-53-0x0000000140000000-0x000000014008D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aK1.cmd
| MD5 | 2fa3f7e2cf8c87adbe5a4570b41605d4 |
| SHA1 | b96c7fe23d2fe3aaaa2075ede0cffe9da352f214 |
| SHA256 | bbbe820dfa1b77015bc1cbddbfcb84de4b621cf740db236b991aea746e995d45 |
| SHA512 | 974759d93c0d5892dbf05f7b301d40a0c41be6b89de309b514709f99f43cb179cd8305f66786f28ed25e37f43e82d410e699e5acabb107e73359dd3faa8573d6 |
C:\Users\Admin\AppData\Local\Temp\I315D.tmp
| MD5 | f9fd2f2cd4fddeb455ed073d09107aac |
| SHA1 | 800d467f738806a8ba58c05e654a2cd7f6d3a847 |
| SHA256 | 77c2781cb6574c8ba0ba86ca74052ed738f7dd043ece9809b95c75f2dcbc275e |
| SHA512 | 67a23bb58794793a2b78b5eb8caab23a49fb8eb2e2dd500c994419189bc8f073859d69570802a37996ae4d9e9a902310d8635dc53e21f9896924f5bac367cba1 |
C:\Users\Admin\AppData\Roaming\f4SUbt\VaultSysUi.exe
| MD5 | f40ef105d94350d36c799ee23f7fec0f |
| SHA1 | ee3a5cfe8b807e1c1718a27eb97fa134360816e3 |
| SHA256 | eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2 |
| SHA512 | f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1 |
C:\Users\Admin\AppData\Local\Temp\Oohwbly.cmd
| MD5 | ce7b204aeffabc16e3352d216cececfd |
| SHA1 | 283ed4245525d12bd7a28a2f30b2cf2e7ed6059f |
| SHA256 | 0985122c54cc80d03b4855c64a868331a0d048025fc339e57137ddffa9996f4b |
| SHA512 | 130c034f409058118aa77765325304d91451f76eab95ce5bf401fcb35519e02d61945cf333b7e249b49b8f155eedfe975923ae0f3882852c6c08592499710aa4 |
C:\Users\Admin\AppData\Local\Temp\n33AF.tmp
| MD5 | 899ff55d4f37d0ffef62b030bd8a713e |
| SHA1 | 21da6bd6ced218ce298f4d28b842c2378266c243 |
| SHA256 | e2ac23237a4e6b041b741ee3e6a9eaf0671b027a927b8782c13dbad7187ba799 |
| SHA512 | 19d372e4d7d122daea6bcd4800f47485ce1a71ec53d56dcc421b8d8b0158f364c212ccfb2a1f4e0fe58c0d0e86b73ec25dcedff259c6fb57cd5a92f2153b477f |
C:\Users\Admin\AppData\Local\Temp\yFk6sS.cmd
| MD5 | cff8f0294ce7b135cf8b26d8ab6c60c5 |
| SHA1 | cddae57958443998097619609310f4ea2ea241d8 |
| SHA256 | 39eca64a53ffc4484f48872b2dcab6fded7aff5e22bc704f6d4d3958b68f242a |
| SHA512 | 5f6e2ec0afcd982136b720608e0eb32686af431a205725140caf5cb4f495dd03725c924ea2c9232e0dd38327a444c8f214da3691c7010dd2aae5a176b14b3802 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yyeybzteybdsbj.lnk
| MD5 | 5bd507dcf35df1fabf561fb871cf8dd8 |
| SHA1 | 40a75b56cf7096975e63c5c0433ecaae722b5afc |
| SHA256 | 13f0479bf736867181b960293960dea9d35c531af3e7394e7cf855ebe52edfe4 |
| SHA512 | 441eef93f5e865ba30242220383f17c31bb115eebd9164e0178f396f68951bd6d276827bdf5edfa521148d78df2e83bad966d861992aded39cf5643b8861064f |
memory/1208-101-0x0000000076D26000-0x0000000076D27000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 06:32
Reported
2024-06-13 06:34
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
54s
Command Line
Signatures
Adds Run key to start application
Note: as in behavioral1, the persisted binary carries the name of a system32 executable the sample also launches (Utilman.exe), copied into a random folder under AppData\Roaming, and a Startup .lnk with the same random name (Iphtcfjrejti.lnk, listed under Files) duplicates the persistence.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "\"C:\\Users\\Admin\\AppData\\Roaming\\clmw\\Utilman.exe\"" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\5202\OptionalFeatures.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\5202\OptionalFeatures.exe | C:\Windows\System32\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
Note: the same UAC bypass (ATT&CK T1548.002) against ms-settings, the handler fodhelper.exe uses. The per-user ms-settings\shell\open\command default is pointed at cmd.exe running AWHaXc.cmd and an empty DelegateExecute value is added so the shell falls back to that command string instead of the registered COM handler; fodhelper.exe then spawns the cmd.exe that creates the /RL highest task (see the process tree below). The keys are deleted again afterwards.
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open\command\DelegateExecute | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\AWHaXc.cmd" | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Note: as in behavioral1, the writing process (PID 3436) has no image in this report, and the 0x0000000140000000-0x000000014008D000 image appears both in it and in rundll32.exe (PID 3804). Most targets here (provtool.exe, VSSVC.exe, RuntimeBroker.exe, audiodg.exe and so on) are system32 binaries spawned by PID 3436 without arguments; only fodhelper.exe leads on to the cmd.exe and schtasks.exe chain.
| Description | Indicator | Process | Target |
| PID 3436 wrote to memory of 1628 | N/A | N/A | C:\Windows\system32\provtool.exe |
| PID 3436 wrote to memory of 468 | N/A | N/A | C:\Windows\system32\VSSVC.exe |
| PID 3436 wrote to memory of 3676 | N/A | N/A | C:\Windows\system32\RuntimeBroker.exe |
| PID 3436 wrote to memory of 2256 | N/A | N/A | C:\Windows\system32\regsvr32.exe |
| PID 3436 wrote to memory of 4052 | N/A | N/A | C:\Windows\system32\ResetEngine.exe |
| PID 3436 wrote to memory of 4464 | N/A | N/A | C:\Windows\system32\DTUHandler.exe |
| PID 3436 wrote to memory of 4500 | N/A | N/A | C:\Windows\system32\audiodg.exe |
| PID 3436 wrote to memory of 2028 | N/A | N/A | C:\Windows\system32\MultiDigiMon.exe |
| PID 3436 wrote to memory of 4592 | N/A | N/A | C:\Windows\system32\dllhost.exe |
| PID 3436 wrote to memory of 3100 | N/A | N/A | C:\Windows\system32\Utilman.exe |
| PID 3436 wrote to memory of 3300 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 3436 wrote to memory of 2496 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 2496 wrote to memory of 3080 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 3436 wrote to memory of 4992 | N/A | N/A | C:\Windows\system32\AppVShNotify.exe |
| PID 3436 wrote to memory of 4168 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe |
| PID 3436 wrote to memory of 4576 | N/A | N/A | C:\Windows\System32\cmd.exe |
| PID 3436 wrote to memory of 828 | N/A | N/A | C:\Windows\System32\fodhelper.exe |
| PID 828 wrote to memory of 5072 | N/A | C:\Windows\System32\fodhelper.exe | C:\Windows\system32\cmd.exe |
| PID 5072 wrote to memory of 3076 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\65d27fcf5d4c6e8063353a0e67e4fc00_NeikiAnalytics.dll,#1
C:\Windows\system32\provtool.exe
C:\Windows\system32\provtool.exe
C:\Windows\system32\VSSVC.exe
C:\Windows\system32\VSSVC.exe
C:\Windows\system32\RuntimeBroker.exe
C:\Windows\system32\RuntimeBroker.exe
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\ResetEngine.exe
C:\Windows\system32\ResetEngine.exe
C:\Windows\system32\DTUHandler.exe
C:\Windows\system32\DTUHandler.exe
C:\Windows\system32\audiodg.exe
C:\Windows\system32\audiodg.exe
C:\Windows\system32\MultiDigiMon.exe
C:\Windows\system32\MultiDigiMon.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\V9s.cmd
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"
C:\Windows\system32\schtasks.exe
schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"
C:\Windows\system32\AppVShNotify.exe
C:\Windows\system32\AppVShNotify.exe
C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\8V1jXb.cmd
C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\AWHaXc.cmd
C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Niazd" /SC minute /MO 60 /TR "C:\Windows\system32\5202\OptionalFeatures.exe" /RL highest
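Both detonations follow one chain: a per-user handler hijack under HKCU\Software\Classes (MSCFile on win7, ms-settings plus DelegateExecute on win10), an auto-elevating binary (eventvwr.exe, fodhelper.exe) that spawns cmd.exe, a schtasks /Create with /RL highest pointing into a numbered folder under system32, and a Run value pointing at a renamed Windows binary under AppData\Roaming. The following detection logic is an added example, not code from the sandbox vendor or from the sample. It replays the registry and process rows of behavioral1 and behavioral2 as constructed records; the RegSet/Proc shapes, the parent/child assignments (taken from the "wrote to memory of" rows), the two-entry ELEVATORS list and the CONTROL_EVENTS set are assumptions of the example.

```python
"""Detection rules for the chains in both detonations above (added example, not
sandbox or sample code); the report rows are replayed as constructed records."""
import ntpath
import re
from typing import NamedTuple

class RegSet(NamedTuple):
    key: str   # registry path as the sandbox prints it, without trailing '\'
    data: str  # value data; "" for DelegateExecute, which is set empty

class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str

# Auto-elevating binaries that resolve a handler via HKCU\Software\Classes.
# Assumption: only the two seen in this report; the real list is longer.
ELEVATORS = {"eventvwr.exe": "mscfile", "fodhelper.exe": "ms-settings"}
HIJACK_RE = re.compile(r"_classes\\(mscfile|ms-settings)\\shell\\open\\command", re.I)
RUN_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)
CREATE_HIGHEST_RE = re.compile(r"/create\b.*/rl\s+highest\b", re.I)
TASK_NAME_RE = re.compile(r'/TN\s+"([^"]+)"', re.I)
TASK_RUN_RE = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)
NUMBERED_SYS32_RE = re.compile(r"\\system32\\\d+\\[^\\]+\.exe$", re.I)

def _name(image):
    return ntpath.basename(image).lower()

def hijacked_handlers(events):
    """ProgID -> rows that wrote its per-user shell\\open\\command (bypass precondition)."""
    hits = {}
    for e in events:
        if isinstance(e, RegSet) and (m := HIJACK_RE.search(e.key)):
            hits.setdefault(m.group(1).lower(), []).append(e)
    return hits

def uac_bypass_chains(events):
    """(elevator, cmd.exe command line): an auto-elevating binary spawned cmd.exe after
    its ProgID was hijacked. Requiring the hijack keeps a user who merely opens Event
    Viewer or Optional Features out of the alert."""
    hijacked = hijacked_handlers(events)
    procs = [e for e in events if isinstance(e, Proc)]
    by_pid = {p.pid: p for p in procs}
    chains = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and _name(p.image) == "cmd.exe" and ELEVATORS.get(_name(parent.image)) in hijacked:
            chains.append((_name(parent.image), p.cmdline))
    return chains

def suspicious_tasks(events):
    """(task name, action) for schtasks /Create ... /RL highest whose action sits in a
    numbered folder under system32, the drop path used by both runs."""
    hits = []
    for e in events:
        if isinstance(e, Proc) and _name(e.image) == "schtasks.exe":
            tr, tn = TASK_RUN_RE.search(e.cmdline), TASK_NAME_RE.search(e.cmdline)
            action = (tr.group(1) or tr.group(2)) if tr else ""
            if CREATE_HIGHEST_RE.search(e.cmdline) and NUMBERED_SYS32_RE.search(action):
                hits.append((tn.group(1) if tn else "", action))
    return hits

def roaming_run_entries(events):
    """(value name, path) for Run values whose target lives under AppData\\Roaming."""
    hits = []
    for e in events:
        if isinstance(e, RegSet) and (m := RUN_RE.search(e.key)) \
                and re.search(r"\\appdata\\roaming\\", e.data, re.I):
            hits.append((m.group(1), e.data.strip('"')))
    return hits

# Events below are taken from the behavioral1 / behavioral2 rows; PIDs come from the
# WriteProcessMemory tables and the injected host (1208 / 3436) stays unnamed, as there.
SID7 = r"\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000"
WIN7_EVENTS = [
    RegSet(SID7 + r"\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj",
           r'"C:\Users\Admin\AppData\Roaming\f4SUbt\VaultSysUi.exe"'),
    RegSet(SID7 + r"_CLASSES\MSCFile\shell\open\command",
           r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yFk6sS.cmd"),
    Proc(2520, 1208, r"C:\Windows\System32\eventvwr.exe", r'"C:\Windows\System32\eventvwr.exe"'),
    Proc(2752, 2520, r"C:\Windows\system32\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\yFk6sS.cmd'),
    Proc(2552, 2752, r"C:\Windows\system32\schtasks.exe",
         r'schtasks.exe /Create /F /TN "Kzcfjezwvyzrv" /SC minute /MO 60 '
         r'/TR "C:\Windows\system32\6401\rrinstaller.exe" /RL highest'),
]
SID10 = r"\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000"
WIN10_EVENTS = [
    RegSet(SID10 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti",
           r'"C:\Users\Admin\AppData\Roaming\clmw\Utilman.exe"'),
    RegSet(SID10 + r"_Classes\ms-settings\shell\open\command\DelegateExecute", ""),
    RegSet(SID10 + r"_Classes\ms-settings\shell\open\command",
           r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\AWHaXc.cmd"),
    Proc(828, 3436, r"C:\Windows\System32\fodhelper.exe", r'"C:\Windows\System32\fodhelper.exe"'),
    Proc(5072, 828, r"C:\Windows\system32\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\AWHaXc.cmd'),
    Proc(3076, 5072, r"C:\Windows\system32\schtasks.exe",
         r'schtasks.exe /Create /F /TN "Niazd" /SC minute /MO 60 '
         r'/TR "C:\Windows\system32\5202\OptionalFeatures.exe" /RL highest'),
]
CONTROL_EVENTS = [  # constructed, not from the report: Event Viewer opened normally
    Proc(900, 100, r"C:\Windows\System32\eventvwr.exe", r'"C:\Windows\System32\eventvwr.exe"'),
    Proc(901, 900, r"C:\Windows\System32\mmc.exe", r'"C:\Windows\System32\mmc.exe" eventvwr.msc'),
]
```

The same four functions can be fed Sysmon data by mapping event 13 (registry value set) to RegSet and event 1 (process create) to Proc. The hijack rule on its own is already a high-confidence alert, since the keys are deleted within seconds of use and will not be found by a later on-host registry check; the chain rule adds the process-tree evidence that survives in the logs.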
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Note: the only recorded event is a reverse (PTR) lookup for 8.8.8.8 over UDP/53; no connection attributable to the sample was captured in the 54 s network window, so this report yields no network indicators.
Files
memory/3804-1-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3804-0-0x00000174EAD10000-0x00000174EAD17000-memory.dmp
memory/3436-3-0x00000000006A0000-0x00000000006A1000-memory.dmp
memory/3804-5-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-6-0x00007FFE77D9A000-0x00007FFE77D9B000-memory.dmp
memory/3436-19-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-24-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-37-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-58-0x0000000140000000-0x000000014008D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AWHaXc.cmd
| MD5 | 11386504995ab1f391538cdfb4389e78 |
| SHA1 | 60bf7573ad967b7a085d5ebd3e0453c2b952f362 |
| SHA256 | d75b548f3a911b54e4bdcc0368d5b88a2efb5e32d83deedee87de9a6f1bcd97b |
| SHA512 | 0e9ac9faa6434ff7d212e9b0c25ad8a725acb9c710fdbdcfc492f4dadfce78d4b0f7e654d73e8e2c82539edeb80e1979a7d21af87abec723d1e83cba7e892a6b |
C:\Users\Admin\AppData\Local\Temp\nS51EA.tmp
| MD5 | 5f175a465456d62212123b6b0aa5d7aa |
| SHA1 | 301a707c02573291679c8bd676ae9886611c4f06 |
| SHA256 | 9fa80af480ea84d2c3477608ba330fbcb1e38023b756308d2d3205d5717c5f20 |
| SHA512 | e31b74cd21bca0c2887d46dbb2b6807c7774c291f0f4e1cecc7e2db38d216bbaa6a13695207fd03d9fd8d6ac163b7da1dc70a4d603fb8e823bf9034aad2d13c6 |
C:\Users\Admin\AppData\Local\Temp\8V1jXb.cmd
| MD5 | feeb3dc8a5ea3d1b7b48e1dfc84ac07a |
| SHA1 | 4549571e13bd170e83d1bca9a58fe4fddfaff45a |
| SHA256 | 340520d68ea80ee964d61fe402a61d2a48f7711cebd9896b9e84cdd1b36da234 |
| SHA512 | ab05c8141fa3a34c60fc288b7200c65f2659fde360919918aa88f0cc0ba9da70f0f8db8a89aae4d2c66326c6813571f844142014c039b59bf6e2b8ef85497921 |
C:\Users\Admin\AppData\Roaming\clmw\Utilman.exe
| MD5 | a117edc0e74ab4770acf7f7e86e573f7 |
| SHA1 | 5ceffb1a5e05e52aafcbc2d44e1e8445440706f3 |
| SHA256 | b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37 |
| SHA512 | 72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97 |
C:\Users\Admin\AppData\Local\Temp\CgS514C.tmp
| MD5 | a608ed15a56eab782dd9ca3ad9e73bf8 |
| SHA1 | 1270024fe482314e619ab428b4c111daadb360e1 |
| SHA256 | e6970b97d5ce94c2f0b79d93a6d8f22e26127b65bd850681f965fad71175d554 |
| SHA512 | d143cd0dd9568f0c70d7a2fcd8939112e7df2001e1b0ef99b5e9007bcc37ff36d5fa8dcb6a5cda09e7c169899d4ed4ac7aa11a49faeee3814de0749d4d0c0d5e |
C:\Users\Admin\AppData\Local\Temp\V9s.cmd
| MD5 | c4e5827e84f0fe09b330a082bad1a2ab |
| SHA1 | be0d137ba3a1a605d413c6b9bde028d744b9bbac |
| SHA256 | 27d471c637b6ee4d68346fe8eb5c3a34372fbb736c39651976fb9c124ab0acb0 |
| SHA512 | 39d39a32b6a90b9e5c63819bd55a2dd1eea4a611375f3296e60eeb921b6e42dab5e1b361227c9dee55ac7e5ca55d57020269daaa9c1289923f7ac90c25402694 |
memory/3436-49-0x00007FFE79CE0000-0x00007FFE79CF0000-memory.dmp
memory/3436-48-0x0000000000420000-0x0000000000427000-memory.dmp
memory/3436-46-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-30-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-29-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-28-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-26-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-27-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-25-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-23-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-21-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-22-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-20-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-18-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-17-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-16-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-15-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-14-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-13-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-12-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-11-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-10-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-9-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-8-0x0000000140000000-0x000000014008D000-memory.dmp
memory/3436-7-0x0000000140000000-0x000000014008D000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iphtcfjrejti.lnk
| MD5 | 676dccc3437a352bf1e0d1dbde9aad8b |
| SHA1 | 6f6aafb5edf5c32e92f9d8905da3d0c6e0458d7a |
| SHA256 | 2256feb71f2d2165780d6c42e18078b9565c6989d00ee3f20784c7222bf823d9 |
| SHA512 | 19119b591af2e1fc707e0a0b1f948d54dba86a9c970044170d33c3761eb100559013f70f971f36eb20ae1823a04ca0d866ebf4d064a40d29fb8abd28241f6601 |