Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 14-05-2024 01:27
Behavioral task: behavioral1
- Sample: 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
- Size: 1.4MB
- MD5: 4bec34d79d2e920bf234f4836b54a5f0
- SHA1: cc0cbb5240d0647f4e1ce31297c9be3dda6ff63e
- SHA256: 845318e1a65284778f53efd4f5d611e41dfe11138432d7e266e5568595d4f920
- SHA512: 0889b8a31da1da823438da8e747ed87acd54d6806519a5723328f3968ca6cb205953598dc84a58ab602d16c2e657aed3f6fd95355e797dc2e23bbfd3940ac862
- SSDEEP: 24576:sb0k+mAJhhjPadFWlFCj1braPSoSnj9w5pi2E4hsc9yhh8mtffogLrsyp:vk+Bh2LWlIlJO5U2B9u9fuy
Malware Config
Signatures
- DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Yara hits:
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/1756-1-0x00000000000B0000-0x0000000000218000-memory.dmp | dcrat |
| C:\Program Files\Mozilla Firefox\winlogon.exe | dcrat |
| behavioral1/memory/2488-20-0x00000000011D0000-0x0000000001338000-memory.dmp | dcrat |
- Process spawned unexpected child process (5 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
| description | pid | pid_target | process | target process |
| --- | --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 2568 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2500 | 2568 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2676 | 2568 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2568 | schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2404 | 2568 | schtasks.exe | |
- Executes dropped EXE (1 IoC)
Processes:
| pid | process |
| --- | --- |
| 2488 | winlogon.exe |
- Drops file in Program Files directory (5 IoCs)
Processes:
| description | ioc | process |
| --- | --- | --- |
| File created | C:\Program Files\Mozilla Firefox\winlogon.exe | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe |
| File created | C:\Program Files\Mozilla Firefox\cc11b995f2a76d | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe |
| File created | C:\Program Files\Windows Photo Viewer\ja-JP\4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe |
| File opened for modification | C:\Program Files\Windows Photo Viewer\ja-JP\4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe |
| File created | C:\Program Files\Windows Photo Viewer\ja-JP\f01025d4a56fcb | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe |
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 6 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
| pid | process |
| --- | --- |
| 2932 | schtasks.exe |
| 2208 | schtasks.exe |
| 2500 | schtasks.exe |
| 2676 | schtasks.exe |
| 2636 | schtasks.exe |
| 2404 | schtasks.exe |
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
| pid | process | entries |
| --- | --- | --- |
| 1756 | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe | 3 |
| 2488 | winlogon.exe | all remaining entries of the 64 |
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
| pid | process |
| --- | --- |
| 2488 | winlogon.exe |
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1756 | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe |
| Token: SeDebugPrivilege | 2488 | winlogon.exe |
- Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1756 wrote to memory of 2488 | 1756 | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe | winlogon.exe |
| PID 1756 wrote to memory of 2488 | 1756 | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe | winlogon.exe |
| PID 1756 wrote to memory of 2488 | 1756 | 4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe | winlogon.exe |
- Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; depth 1 = top-level process, depth 2 = child)
- [depth 1] C:\Users\Admin\AppData\Local\Temp\4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe"
  PID: 1756
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Program Files\Mozilla Firefox\winlogon.exe
    Command line: "C:\Program Files\Mozilla Firefox\winlogon.exe"
    PID: 2488
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics4" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe'" /f
  PID: 2932
  - Creates scheduled task(s)
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe'" /rl HIGHEST /f
  PID: 2208
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics4" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\4bec34d79d2e920bf234f4836b54a5f0_NeikiAnalytics.exe'" /rl HIGHEST /f
  PID: 2500
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\winlogon.exe'" /f
  PID: 2676
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\winlogon.exe'" /rl HIGHEST /f
  PID: 2636
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [depth 1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\winlogon.exe'" /rl HIGHEST /f
  PID: 2404
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
- MD5: 4bec34d79d2e920bf234f4836b54a5f0
- SHA1: cc0cbb5240d0647f4e1ce31297c9be3dda6ff63e
- SHA256: 845318e1a65284778f53efd4f5d611e41dfe11138432d7e266e5568595d4f920
- SHA512: 0889b8a31da1da823438da8e747ed87acd54d6806519a5723328f3968ca6cb205953598dc84a58ab602d16c2e657aed3f6fd95355e797dc2e23bbfd3940ac862