743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2e27e88dd895d90f19c8d0314662720_NeikiAnalytics.exe
Size

653KB
MD5

b2e27e88dd895d90f19c8d0314662720
SHA1

cc69874f94ae42a274e4b3171e850ad2d3c02465
SHA256

743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87
SHA512

85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2
SSDEEP

12288:Tf4N3H1XrMFzr0bgo+adMSoy2tVxhwCmQpEZ/0hQOk8+4XKlThiHSrEZ:w1XoFcuadOyy/TC/gYDKYliH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4996	mvstfck.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2948	4996	WerFault.exe	82
4608	4996	WerFault.exe	82

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8a8a1-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00320035006400380061003800610031002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d00000030002c007b00320035006400380061003800610031002d0030003000300030002d0030003000300030002d0030003000300030002d006600300066006600330061003000300030003000300030007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8a8a1-0000-0000-0000-d01200000000}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8a8a1-0000-0000-0000-f0ff3a000000}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8a8a1-0000-0000-0000-f0ff3a000000}\MaxCapacity = "2047"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8a8a1-0000-0000-0000-f0ff3a000000}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8a8a1-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133632648813062050"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133626067297641616"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133632649461030683"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133632649481030875"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133632649133218115"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133632649140249400"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133632649472436950"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133632649869936860"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133632649872280628"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133632648480543304"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133626067295289726"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133632649877749925"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133632649485249523"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133632649872905844"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133632648810405619"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133632649471343085"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133632648539624358"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1424	b2e27e88dd895d90f19c8d0314662720_NeikiAnalytics.exe
1424	b2e27e88dd895d90f19c8d0314662720_NeikiAnalytics.exe
4996	mvstfck.exe
4996	mvstfck.exe
4996	mvstfck.exe
4996	mvstfck.exe
4996	mvstfck.exe
4996	mvstfck.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	mvstfck.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 780	4996	mvstfck.exe	8
PID 780 wrote to memory of 4788	780	svchost.exe	94
PID 780 wrote to memory of 4788	780	svchost.exe	94
PID 780 wrote to memory of 2368	780	svchost.exe	97
PID 780 wrote to memory of 2368	780	svchost.exe	97
PID 780 wrote to memory of 3280	780	svchost.exe	98
PID 780 wrote to memory of 3280	780	svchost.exe	98
PID 780 wrote to memory of 3324	780	svchost.exe	100
PID 780 wrote to memory of 3324	780	svchost.exe	100
PID 780 wrote to memory of 3612	780	svchost.exe	101
PID 780 wrote to memory of 3612	780	svchost.exe	101
PID 780 wrote to memory of 3612	780	svchost.exe	101
PID 780 wrote to memory of 2316	780	svchost.exe	102
PID 780 wrote to memory of 2316	780	svchost.exe	102
PID 780 wrote to memory of 2316	780	svchost.exe	102
PID 780 wrote to memory of 3832	780	svchost.exe	103
PID 780 wrote to memory of 3832	780	svchost.exe	103
PID 780 wrote to memory of 3260	780	svchost.exe	104
PID 780 wrote to memory of 3260	780	svchost.exe	104
PID 780 wrote to memory of 3260	780	svchost.exe	104
PID 780 wrote to memory of 5000	780	svchost.exe	106
PID 780 wrote to memory of 5000	780	svchost.exe	106
PID 780 wrote to memory of 5000	780	svchost.exe	106
PID 780 wrote to memory of 3084	780	svchost.exe	107
PID 780 wrote to memory of 3084	780	svchost.exe	107
PID 780 wrote to memory of 3084	780	svchost.exe	107
PID 780 wrote to memory of 2632	780	svchost.exe	108
PID 780 wrote to memory of 2632	780	svchost.exe	108
PID 780 wrote to memory of 2632	780	svchost.exe	108
PID 780 wrote to memory of 4372	780	svchost.exe	109
PID 780 wrote to memory of 4372	780	svchost.exe	109
PID 780 wrote to memory of 4372	780	svchost.exe	109
PID 780 wrote to memory of 2600	780	svchost.exe	110
PID 780 wrote to memory of 2600	780	svchost.exe	110
PID 780 wrote to memory of 2600	780	svchost.exe	110
PID 780 wrote to memory of 3656	780	svchost.exe	111
PID 780 wrote to memory of 3656	780	svchost.exe	111
PID 780 wrote to memory of 3656	780	svchost.exe	111
PID 780 wrote to memory of 3328	780	svchost.exe	112
PID 780 wrote to memory of 3328	780	svchost.exe	112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:4788
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:2368
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:3280
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:3324
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3612
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2316
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3832
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3260
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:5000
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:3084
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2632
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:4372
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2600
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:3656
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3328

C:\Users\Admin\AppData\Local\Temp\b2e27e88dd895d90f19c8d0314662720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b2e27e88dd895d90f19c8d0314662720_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Users\Admin\AppData\Local\Temp\mvstfck.exe
C:\Users\Admin\AppData\Local\Temp\mvstfck.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 684
  2⤵
  - Program crash
  PID:2948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 724
  2⤵
  - Program crash
  PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4996 -ip 4996
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4996 -ip 4996
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevices\comcmje

Filesize
654B

MD5
f046568003274508e23a56115643a9e5

SHA1
5275e5d44e73ffcec7ff98cb4898d09549afcf94

SHA256
7ab1dd642b22ecbf5913e8f2d08f41d4f28ebfa629294b4a4ec593d49233e420

SHA512
78c186d56c4422e7a8169eb02da961c3e2d12d061114319ba64159790bbbf850077fe441b055485d35a54dd2c7e5f9301c194dc42f21a4255c1413799ec093c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mvstfck.exe

Filesize
653KB

MD5
b2e27e88dd895d90f19c8d0314662720

SHA1
cc69874f94ae42a274e4b3171e850ad2d3c02465

SHA256
743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

SHA512
85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2

Download Submit
memory/780-11-0x0000000021090000-0x0000000021107000-memory.dmp

Filesize
476KB

Download
memory/780-9-0x0000000021090000-0x0000000021107000-memory.dmp

Filesize
476KB

Download
memory/780-12-0x0000000021090000-0x0000000021107000-memory.dmp

Filesize
476KB

Download
memory/780-17-0x0000000021090000-0x0000000021107000-memory.dmp

Filesize
476KB

Download
memory/780-15-0x0000000021090000-0x0000000021107000-memory.dmp

Filesize
476KB

Download
memory/780-23-0x0000000021090000-0x0000000021107000-memory.dmp

Filesize
476KB

Download
memory/780-221-0x0000000021090000-0x0000000021107000-memory.dmp

Filesize
476KB

Download
memory/780-3379-0x0000000021090000-0x0000000021107000-memory.dmp

Filesize
476KB

Download
memory/1424-0-0x0000000000B10000-0x0000000000D2A000-memory.dmp

Filesize
2.1MB

Download
memory/1424-1-0x0000000000D30000-0x0000000000F7B000-memory.dmp

Filesize
2.3MB

Download
memory/4996-6-0x0000000000CF0000-0x0000000000F3B000-memory.dmp

Filesize
2.3MB

Download