07315589e4abc58223e9b193c19436656d05dd687a7253a4cbef0935f92957d4

General

Target

4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe
Size

84KB
MD5

4b4f2f412f66a07802e6403b6c8f4e70
SHA1

0ae1314bdb6659e09fb4c253a74c09ec8cd17f4f
SHA256

07315589e4abc58223e9b193c19436656d05dd687a7253a4cbef0935f92957d4
SHA512

3c80cfb8a40ad2556fd4078a40495f91ee53debb46192da248db155c69b329af6dd7b7e0dd14627327d684f33f4f456c8784a497cf7ed88804cdae99f9eeed23
SSDEEP

1536:4Xn1JYSnExFkcgKKjxfmqshiKW5Xs/iYQqQJtsWFcdfRMvb+xWvD:WE3x5KBDYiKWm/iSw0fRMvygr

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D4D75FDE705713CC3D28AABB99DA6BA16B3DFCDE	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\92C1588E85AF2201CE7915E8538B492F605B80C6	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D4D75FDE705713CC3D28AABB99DA6BA16B3DFCDE\Blob = 030000000100000014000000d4d75fde705713cc3d28aabb99da6ba16b3dfcde20000000010000002c0500003082052830820410a0030201020210085dfb7228e907cf98022c52c511bc66300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e67204341301e170d3139313032323030303030305a170d3232313032363132303030305a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374576973652c204c4c433119301706035504031310436f6e6e656374576973652c204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100aff44932097c6f6581818041beb0983e68f9af594959e60adb9948991d0cb693bd3e6febc4e08d0895d3b77970b3ea171c377224b71a12b163385f1480f498cd0eae93b0e6eed61dbdbdfbfb5e3b4a9c7b63f52bf30e027cefe53b449160ea09969e6f474a3ba8b9ec92df855f3031f42eed4813cf5b31080f7677df2941be2157134683184629972bfaa24a8184e6aeee5f4485a4c86e1342118fd4d203c3537b91931279de62ddf5fc6f378f1371e0d987ce9a1daa873f8c9eac570f684cc150c11195f9e66ea6a7579574eaf1c635a247b19a74e9853ef8aeb2f9985e37a6591caae42453745c4e4f67d55472e67a8b4566913e978d351a9c53277a51a5ed0203010001a38201c5308201c1301f0603551d230418301680145ac4b97b2a0aa3a5ea7103c060f92df665750e58301d0603551d0e04160414a6b7faeec29169953f10837d11e48f3c596bd80b300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330770603551d1f0470306e3035a033a031862f687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c3035a033a031862f687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c304c0603551d2004453043303706096086480186fd6c0301302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c01040130818406082b0601050507010104783076302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304e06082b060105050730028642687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727453484132417373757265644944436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382010100693660b45165355d831c324c3ae47a4960602e321c9bd34546dd87d86d9af9e78d39bd42972273587ffa2ea32f4c7fd35d9a1b8c901a7422e322810e84e1bfda958363de1e32f4700d9b0867eadc5b018c71f5f2dd0238194e42f6d744c7f65f2eddb04740b85ad62f821ecc9c9ddb474b6ee71035ef99251518183e8cb0f7fab4bac08bbad55522b23ed20e065f917956f6b24df8f89af1a32901512db2fbe1783ea37b645aad71e15bd4e5522b83bae0696744f7ec21143befd856afca78c62f9d989a0bc67c1e33204a1ea4154940b7078de53fe15a71d6f0dea3957a099aa65c4c4c33f4316b2db58cb221d712d10c177cae393427529e04346d029b2d24	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\92C1588E85AF2201CE7915E8538B492F605B80C6\Blob = 03000000010000001400000092c1588e85af2201ce7915e8538b492f605b80c62000000001000000340500003082053030820418a00302010202100409181b5fd5bb66755343b56f955008300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3133313032323132303030305a170d3238313032323132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100f8d3b31c7f0e11af677707d30b314919cfd0fb4599b13adb44f57fe5a89ddb32d771ea769d052eb78ffa9243c0a5f989d43719d7b6aaf09c86a5d825ac0e79283a7ee9d167d3c6fb2927c7d37b2394e4912396907782f9a18423661254335074b12826bb2469c2c252f214678a8945d42da1a3e9882c2095ae1c4a8708df0cf5e24d6018beaac4b2ae70316633713eac70a2abce7fe97ccb92a1e53b311ccfeaf20ae457bb4ab5e974e62bfe6ccb7e7439360d90efe4b54ea4a9ea6a0aab84f3ac674eb5c4f78cd1202523eb08643e5296c1f20f12f4c58e0fc1a2e82c51f773bcbd85b1628373418207e4388b6a7320d00f64733c9e9fa633a9fd19df2593d10203010001a38201cd308201c930120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c304f0603551d20044830463038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300a06086086480186fd6c03301d0603551d0e041604145ac4b97b2a0aa3a5ea7103c060f92df665750e58301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010b050003820101003eec0d5a24b3f322d115c82c7c252976a81d5d1c2d3a1ac4ef3061d77e0b60fdc33d0fc4af8bfdef2adf205537b0e1f6d192750f51b46ea58e5ae25e24814e10a4ee3f718e630e134badd75f4479f33614068af79c464e5cff90b11b070e9115fbbaafb551c28d24ae24c6c7272aa129281a3a7128023c2e91a3c02511e29c1447a17a6868af9ba75c205cd971b10c8fbba8f8c512689fcf40cb4044a513f0e6640c25084232b2368a2402fe2f727e1cd7494596e8591de9fa74646bb2eb6643dab3b08cd5e90dddf60120ce9931633d081a18b3819b4fc6931006fc0781fa8bdaf98249f7626ea153fa129418852e9291ea686c4432b266a1e718a49a6451ef	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "8JBN0DTG7QZJ5WWZ5B8OL74R"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "MWAZW97XWTZT7G3G47ZT0A9G"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "HEMC144ZA7QY2OEMHC2CPAZL"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	dfsvc.exe

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D4D75FDE705713CC3D28AABB99DA6BA16B3DFCDE	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D4D75FDE705713CC3D28AABB99DA6BA16B3DFCDE\Blob = 030000000100000014000000d4d75fde705713cc3d28aabb99da6ba16b3dfcde20000000010000002c0500003082052830820410a0030201020210085dfb7228e907cf98022c52c511bc66300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e67204341301e170d3139313032323030303030305a170d3232313032363132303030305a3065310b30090603550406130255533110300e06035504081307466c6f72696461310e300c0603550407130554616d706131193017060355040a1310436f6e6e656374576973652c204c4c433119301706035504031310436f6e6e656374576973652c204c4c4330820122300d06092a864886f70d01010105000382010f003082010a0282010100aff44932097c6f6581818041beb0983e68f9af594959e60adb9948991d0cb693bd3e6febc4e08d0895d3b77970b3ea171c377224b71a12b163385f1480f498cd0eae93b0e6eed61dbdbdfbfb5e3b4a9c7b63f52bf30e027cefe53b449160ea09969e6f474a3ba8b9ec92df855f3031f42eed4813cf5b31080f7677df2941be2157134683184629972bfaa24a8184e6aeee5f4485a4c86e1342118fd4d203c3537b91931279de62ddf5fc6f378f1371e0d987ce9a1daa873f8c9eac570f684cc150c11195f9e66ea6a7579574eaf1c635a247b19a74e9853ef8aeb2f9985e37a6591caae42453745c4e4f67d55472e67a8b4566913e978d351a9c53277a51a5ed0203010001a38201c5308201c1301f0603551d230418301680145ac4b97b2a0aa3a5ea7103c060f92df665750e58301d0603551d0e04160414a6b7faeec29169953f10837d11e48f3c596bd80b300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330770603551d1f0470306e3035a033a031862f687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c3035a033a031862f687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c304c0603551d2004453043303706096086480186fd6c0301302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c01040130818406082b0601050507010104783076302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304e06082b060105050730028642687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727453484132417373757265644944436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382010100693660b45165355d831c324c3ae47a4960602e321c9bd34546dd87d86d9af9e78d39bd42972273587ffa2ea32f4c7fd35d9a1b8c901a7422e322810e84e1bfda958363de1e32f4700d9b0867eadc5b018c71f5f2dd0238194e42f6d744c7f65f2eddb04740b85ad62f821ecc9c9ddb474b6ee71035ef99251518183e8cb0f7fab4bac08bbad55522b23ed20e065f917956f6b24df8f89af1a32901512db2fbe1783ea37b645aad71e15bd4e5522b83bae0696744f7ec21143befd856afca78c62f9d989a0bc67c1e33204a1ea4154940b7078de53fe15a71d6f0dea3957a099aa65c4c4c33f4316b2db58cb221d712d10c177cae393427529e04346d029b2d24	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\92C1588E85AF2201CE7915E8538B492F605B80C6	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\92C1588E85AF2201CE7915E8538B492F605B80C6\Blob = 03000000010000001400000092c1588e85af2201ce7915e8538b492f605b80c62000000001000000340500003082053030820418a00302010202100409181b5fd5bb66755343b56f955008300d06092a864886f70d01010b05003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3133313032323132303030305a170d3238313032323132303030305a3072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100f8d3b31c7f0e11af677707d30b314919cfd0fb4599b13adb44f57fe5a89ddb32d771ea769d052eb78ffa9243c0a5f989d43719d7b6aaf09c86a5d825ac0e79283a7ee9d167d3c6fb2927c7d37b2394e4912396907782f9a18423661254335074b12826bb2469c2c252f214678a8945d42da1a3e9882c2095ae1c4a8708df0cf5e24d6018beaac4b2ae70316633713eac70a2abce7fe97ccb92a1e53b311ccfeaf20ae457bb4ab5e974e62bfe6ccb7e7439360d90efe4b54ea4a9ea6a0aab84f3ac674eb5c4f78cd1202523eb08643e5296c1f20f12f4c58e0fc1a2e82c51f773bcbd85b1628373418207e4388b6a7320d00f64733c9e9fa633a9fd19df2593d10203010001a38201cd308201c930120603551d130101ff040830060101ff020100300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307906082b06010505070101046d306b302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304306082b060105050730028637687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e6372743081810603551d1f047a3078303aa038a0368634687474703a2f2f63726c342e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c303aa038a0368634687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274417373757265644944526f6f7443412e63726c304f0603551d20044830463038060a6086480186fd6c000204302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300a06086086480186fd6c03301d0603551d0e041604145ac4b97b2a0aa3a5ea7103c060f92df665750e58301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010b050003820101003eec0d5a24b3f322d115c82c7c252976a81d5d1c2d3a1ac4ef3061d77e0b60fdc33d0fc4af8bfdef2adf205537b0e1f6d192750f51b46ea58e5ae25e24814e10a4ee3f718e630e134badd75f4479f33614068af79c464e5cff90b11b070e9115fbbaafb551c28d24ae24c6c7272aa129281a3a7128023c2e91a3c02511e29c1447a17a6868af9ba75c205cd971b10c8fbba8f8c512689fcf40cb4044a513f0e6640c25084232b2368a2402fe2f727e1cd7494596e8591de9fa74646bb2eb6643dab3b08cd5e90dddf60120ce9931633d081a18b3819b4fc6931006fc0781fa8bdaf98249f7626ea153fa129418852e9291ea686c4432b266a1e718a49a6451ef	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\D4D75FDE705713CC3D28AABB99DA6BA16B3DFCDE	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\92C1588E85AF2201CE7915E8538B492F605B80C6	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	dfsvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4092	2184	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe	81
PID 2184 wrote to memory of 4092	2184	4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe	81

C:\Users\Admin\AppData\Local\Temp\4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b4f2f412f66a07802e6403b6c8f4e70_NeikiAnalytics.exe"
1⤵
- Manipulates Digital Signatures
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

2

T1553

Install Root Certificate

1

T1553.004

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4092-0-0x000001EE29B50000-0x000001EE29B58000-memory.dmp

Filesize
32KB

Download
memory/4092-1-0x00007FFB3CA63000-0x00007FFB3CA65000-memory.dmp

Filesize
8KB

Download
memory/4092-2-0x000001EE44190000-0x000001EE44316000-memory.dmp

Filesize
1.5MB

Download
memory/4092-3-0x00007FFB3CA60000-0x00007FFB3D521000-memory.dmp

Filesize
10.8MB

Download
memory/4092-5-0x00007FFB3CA60000-0x00007FFB3D521000-memory.dmp

Filesize
10.8MB

Download
memory/4092-7-0x000001EE44DE0000-0x000001EE44F4A000-memory.dmp

Filesize
1.4MB

Download
memory/4092-9-0x00007FFB3CA60000-0x00007FFB3D521000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing