f261571235b0e1cdcf23547c0d670d3ac7a3d8147fefaeac396221471fed4c72

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 14:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
Size

292KB
MD5

c39fe1fb7fc5332da7e96d8c358c5980
SHA1

949f76531b6e0c4557d69aa7f3fd1b42a7c35d4d
SHA256

f261571235b0e1cdcf23547c0d670d3ac7a3d8147fefaeac396221471fed4c72
SHA512

68acbdf4884eae445eb0033db22d65bb0e7e0b79ba5c46207b9c4d4af10573fde17482f4707d8ec650dd028cd86fe0b62991ca4ad23e7e84eb91fe4113a8ebdb
SSDEEP

3072:eg9OBT3Be2Q6khQiCCuefXxzk6iGcbPChEdGZFR2obD4CTvek5WNQp0qYutgx3Qe:keC4EwZFoobUk8qp0qpgl8E1P+DJC

Score

10^/10

evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2jjsdipk.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2jjsdipk.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2jjsdipk.bat

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2500	2jjsdipk.bat

Loads dropped DLL 1 IoCs

pid	Process
2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	2jjsdipk.bat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
9	api.ipify.org

Launches sc.exe 22 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2520	sc.exe
2412	sc.exe
1848	sc.exe
2892	sc.exe
2328	sc.exe
2704	sc.exe
1652	sc.exe
2900	sc.exe
2516	sc.exe
2776	sc.exe
1632	sc.exe
316	sc.exe
1552	sc.exe
1060	sc.exe
3044	sc.exe
2108	sc.exe
2648	sc.exe
2140	sc.exe
556	sc.exe
2392	sc.exe
2768	sc.exe
2860	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2212	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
1532	powershell.exe
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2356	powershell.exe
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat
2500	2jjsdipk.bat

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
Token: SeDebugPrivilege	2500	2jjsdipk.bat
Token: SeSecurityPrivilege	2360	wevtutil.exe
Token: SeBackupPrivilege	2360	wevtutil.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2860	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	28
PID 2936 wrote to memory of 2860	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	28
PID 2936 wrote to memory of 2860	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	28
PID 2936 wrote to memory of 2108	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	29
PID 2936 wrote to memory of 2108	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	29
PID 2936 wrote to memory of 2108	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	29
PID 2936 wrote to memory of 2712	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	32
PID 2936 wrote to memory of 2712	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	32
PID 2936 wrote to memory of 2712	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	32
PID 2936 wrote to memory of 2704	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	34
PID 2936 wrote to memory of 2704	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	34
PID 2936 wrote to memory of 2704	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	34
PID 2712 wrote to memory of 2520	2712	cmd.exe	36
PID 2712 wrote to memory of 2520	2712	cmd.exe	36
PID 2712 wrote to memory of 2520	2712	cmd.exe	36
PID 2936 wrote to memory of 2792	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	37
PID 2936 wrote to memory of 2792	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	37
PID 2936 wrote to memory of 2792	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	37
PID 2936 wrote to memory of 2776	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	39
PID 2936 wrote to memory of 2776	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	39
PID 2936 wrote to memory of 2776	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	39
PID 2792 wrote to memory of 2648	2792	cmd.exe	41
PID 2792 wrote to memory of 2648	2792	cmd.exe	41
PID 2792 wrote to memory of 2648	2792	cmd.exe	41
PID 2936 wrote to memory of 2740	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	42
PID 2936 wrote to memory of 2740	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	42
PID 2936 wrote to memory of 2740	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	42
PID 2936 wrote to memory of 2516	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	44
PID 2936 wrote to memory of 2516	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	44
PID 2936 wrote to memory of 2516	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	44
PID 2936 wrote to memory of 2632	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	46
PID 2936 wrote to memory of 2632	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	46
PID 2936 wrote to memory of 2632	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	46
PID 2740 wrote to memory of 2412	2740	cmd.exe	47
PID 2740 wrote to memory of 2412	2740	cmd.exe	47
PID 2740 wrote to memory of 2412	2740	cmd.exe	47
PID 2632 wrote to memory of 2140	2632	cmd.exe	49
PID 2632 wrote to memory of 2140	2632	cmd.exe	49
PID 2632 wrote to memory of 2140	2632	cmd.exe	49
PID 2936 wrote to memory of 376	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	50
PID 2936 wrote to memory of 376	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	50
PID 2936 wrote to memory of 376	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	50
PID 376 wrote to memory of 1652	376	cmd.exe	52
PID 376 wrote to memory of 1652	376	cmd.exe	52
PID 376 wrote to memory of 1652	376	cmd.exe	52
PID 2936 wrote to memory of 2500	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	53
PID 2936 wrote to memory of 2500	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	53
PID 2936 wrote to memory of 2500	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	53
PID 2936 wrote to memory of 2844	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	54
PID 2936 wrote to memory of 2844	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	54
PID 2936 wrote to memory of 2844	2936	c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe	54
PID 2500 wrote to memory of 1632	2500	2jjsdipk.bat	56
PID 2500 wrote to memory of 1632	2500	2jjsdipk.bat	56
PID 2500 wrote to memory of 1632	2500	2jjsdipk.bat	56
PID 2500 wrote to memory of 1848	2500	2jjsdipk.bat	57
PID 2500 wrote to memory of 1848	2500	2jjsdipk.bat	57
PID 2500 wrote to memory of 1848	2500	2jjsdipk.bat	57
PID 2844 wrote to memory of 2240	2844	cmd.exe	60
PID 2844 wrote to memory of 2240	2844	cmd.exe	60
PID 2844 wrote to memory of 2240	2844	cmd.exe	60
PID 2844 wrote to memory of 1936	2844	cmd.exe	61
PID 2844 wrote to memory of 1936	2844	cmd.exe	61
PID 2844 wrote to memory of 1936	2844	cmd.exe	61
PID 2844 wrote to memory of 2212	2844	cmd.exe	62

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2240	attrib.exe
2608	attrib.exe
552	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config wdfilter start=disabled
  2⤵
  - Launches sc.exe
  PID:2860
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WerSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\sc.exe
    sc stop wdfilter
    3⤵
    - Launches sc.exe
    PID:2520
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WinDefend start=disabled
  2⤵
  - Launches sc.exe
  PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\system32\sc.exe
    sc stop WerSvc
    3⤵
    - Launches sc.exe
    PID:2648
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\sc.exe
    sc stop WdNisSvc
    3⤵
    - Launches sc.exe
    PID:2412
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
  2⤵
  - Launches sc.exe
  PID:2516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\system32\sc.exe
    sc stop XblGameSave
    3⤵
    - Launches sc.exe
    PID:1652
- C:\Users\Admin\AppData\Local\Temp\2jjsdipk.bat
  "C:\Users\Admin\AppData\Local\Temp\2jjsdipk.bat" ok
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WerSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1632
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config wdfilter start=disabled
    3⤵
    - Launches sc.exe
    PID:1848
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    PID:372
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:556
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WinDefend start=disabled
    3⤵
    - Launches sc.exe
    PID:316
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
    3⤵
    PID:1504
  - - C:\Windows\system32\sc.exe
      sc stop WerSvc
      4⤵
      Launches sc.exe
      PID:1060
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1552
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
    3⤵
    PID:1036
  - - C:\Windows\system32\sc.exe
      sc stop WdNisSvc
      4⤵
      Launches sc.exe
      PID:2900
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    PID:2320
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2892
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
    3⤵
    - Launches sc.exe
    PID:2392
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
    3⤵
    PID:1488
  - - C:\Windows\system32\sc.exe
      sc stop XblGameSave
      4⤵
      Launches sc.exe
      PID:3044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "XXXXX" -AppPathNameMatchCondition "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "YYYYY" -AppPathNameMatchCondition "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    PID:2004
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:2768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop faceit
    3⤵
    PID:2324
  - - C:\Windows\system32\sc.exe
      sc stop faceit
      4⤵
      Launches sc.exe
      PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19a70fd9-a9b5-441d-bb45-120a84b8afbb.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe"
    3⤵
    - Views/modifies file attributes
    PID:2240
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1936
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:2212
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\c39fe1fb7fc5332da7e96d8c358c5980_NeikiAnalytics.exe"
    3⤵
    - Views/modifies file attributes
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    wevtutil el
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\19a70fd9-a9b5-441d-bb45-120a84b8afbb.bat"
    3⤵
    - Views/modifies file attributes
    PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19a70fd9-a9b5-441d-bb45-120a84b8afbb.bat

Filesize
708B

MD5
db30341870a5322990b5ebafba0c231a

SHA1
a1fd5ad6b935f811355cf27877afcda8c502d75c

SHA256
f7f3aaa5b48c7f46bd5bea3c9fec132c18cc357a25c49496d4f987681d6f2355

SHA512
0121814baa2fb7132f80f899e965ff6976d32f9e481a349011faae2e8232ffebaf94932fbf549c8f041ca8622f7b2f5847a6070f4b7a2bec3a1f2e5bc79da11b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QUTBKN3XE5IC2EIJ8JWR.temp

Filesize
7KB

MD5
70376a342cba40b78fe7ef417e185f15

SHA1
c9168e83d8ca8c85ee6ec59b6f192b88cbb106ec

SHA256
8e765e7af39808ce01383044bc588f5e1f7dcb11a96d5cfec183425044239a76

SHA512
a1b7cb13458dec524545891059a0bfcfbfb565372a24c270bc63e5a4ff0387bc85c2bdd14bf284abe2278e720da077f7aed6f6a9a91305e954ea4f22e231d17a

Download Submit
C:\Users\Admin\AppData\Roaming\spf\unknown.log

Filesize
190B

MD5
e69f15ac6b96f369caf2f8d127c5109f

SHA1
6b25a7db606c1e07d8d5886959e66c2a41121d78

SHA256
cca20b5ffd4ebbdb46ca1bfe6caea398585b9f40ffcaac3f718cdbb136406b87

SHA512
3ec78e35858129a43841d2f53913434179602925724a7d608f13e71d5f2dc0e5c5407d24f05617fc8920099d7c5d194a0611ab8acc61af9d3d94b40dc11621aa

Download Submit
\Users\Admin\AppData\Local\Temp\2jjsdipk.bat

Filesize
293KB

MD5
129d8246b650347c1d123d03df31ddeb

SHA1
40b9a6968f4be0cb5ad489dbd8a3fe1f3f452fcc

SHA256
bcd88ad371f44a276b88d4b1f2010ad38cc8bbe378fe5ba48e8271a36206ffaf

SHA512
f683f4175cb84dd1b4179d7312cd7516b403ac03178f04b185707742fac03b7f4f33fa29f5d9391d1af32e9ba2a6063f45b9a5fa2e325eef5670beb9f33e60b5

Download Submit
memory/1532-29-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/1532-28-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2356-35-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2356-36-0x0000000002A10000-0x0000000002A18000-memory.dmp

Filesize
32KB

Download
memory/2500-14-0x000000013F860000-0x000000013F89E000-memory.dmp

Filesize
248KB

Download
memory/2936-18-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-2-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/2936-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

Filesize
4KB

Download
memory/2936-1-0x000000013FC70000-0x000000013FCAE000-memory.dmp

Filesize
248KB

Download