Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 02:40

General

  • Target

    5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe

  • Size

    952KB

  • MD5

    5c8aee7bbd1b09e31178be12bc847c30

  • SHA1

    5cc34074f6c74cb0cbb3d282e9360a2d2eace451

  • SHA256

    e97d9651c1df50e5eb6847b6dde990e9fab3504c245557b61df65215df6de176

  • SHA512

    199f60f46d89bf3aadac7e2c67dbcdae716e3644b2db0c67e340cd55b47c78a1683acf27021850755d5ab66ee6850d3eba425e369604413b9897eb01f176ec2b

  • SSDEEP

    24576:W+O7F9smBDJwWmIezBLwsHuWbxR4AK5ZJXX:x8/KfRTK

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 6 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1624
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vM0j4Io8uK.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2312
        • C:\Windows\System32\wkssvc\winlogon.exe
          "C:\Windows\System32\wkssvc\winlogon.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:3396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4956
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4324
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\wkssvc\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2696

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Windows Multimedia Platform\services.exe

      Filesize

      952KB

      MD5

      abbd2e2a8e9e0261a691954549ae61f6

      SHA1

      83356ed1b70c648a572021c64b3886f159a5c372

      SHA256

      471d881f51a97441cf1e2c6b7eadef7b7f6529f39b21727063e6d251bfebdac2

      SHA512

      5ee1947cc142647cca1530b9f32eefe83fcdffa383c68abcd5509f2f35c5e561479a2db9722ebaaa805c346c8fc7e64d9dc92a8bc65119d51ed482ffb14f9cbe

    • C:\Users\Admin\AppData\Local\Temp\vM0j4Io8uK.bat

      Filesize

      203B

      MD5

      a18b9913edabe9e46862fbc4cfb905da

      SHA1

      223c385ab83c5532cb5e0c4b47688802e91d8bd1

      SHA256

      6c11edd23a73a838900925a7c13cc91b65cbb29d5e462fd11baf529983b8a5d1

      SHA512

      69cd45ad5d89d98f49ef91d12900a6cb41a79a7f7bd07add7d405378c8b20b3e1d219524ad83dae7ae68dc312b2dcf11a911a8c2e51f0c235efd782a216e9284

    • C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe

      Filesize

      952KB

      MD5

      d8729f973371760712beda1965bf0520

      SHA1

      8f1855c5f8ac1febe24f6af3da2b7d6ac4817670

      SHA256

      871cfcee83562d01ae83a617737d99f8c72d8b8894d45f914bb230c952175557

      SHA512

      9190c2e5933ad9a5af8264ef110560b0ebe6e9ba091a76555afec811c980fb2dc6649902e4b4bf909c676654b1b0fdd06b28535395c5c4bcc02109a4986ad57f

    • C:\Windows\System32\wkssvc\winlogon.exe

      Filesize

      952KB

      MD5

      5c8aee7bbd1b09e31178be12bc847c30

      SHA1

      5cc34074f6c74cb0cbb3d282e9360a2d2eace451

      SHA256

      e97d9651c1df50e5eb6847b6dde990e9fab3504c245557b61df65215df6de176

      SHA512

      199f60f46d89bf3aadac7e2c67dbcdae716e3644b2db0c67e340cd55b47c78a1683acf27021850755d5ab66ee6850d3eba425e369604413b9897eb01f176ec2b

    • C:\Windows\System32\wkssvc\winlogon.exe

      Filesize

      952KB

      MD5

      69281edf3c1d6fd7af854b470c68e4dd

      SHA1

      d9d55602bc3e1dbebc4ebe1b0bd28935729f7ed3

      SHA256

      d8cc455a42e5f056431b1db5582d0452983a67ebdadce42f3c05feb3d7b32421

      SHA512

      51883a5bdf9f334642491ee1e14adbe8de6384365536ae015582df9d644fcd29f3a11864287f373927f89211d67fa45cb4c90870fc6a6f01ba19e290f902b5e1

    • memory/1624-4-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

      Filesize

      64KB

    • memory/1624-7-0x0000000001050000-0x000000000105A000-memory.dmp

      Filesize

      40KB

    • memory/1624-5-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

      Filesize

      40KB

    • memory/1624-10-0x0000000001070000-0x000000000107C000-memory.dmp

      Filesize

      48KB

    • memory/1624-11-0x0000000001080000-0x000000000108C000-memory.dmp

      Filesize

      48KB

    • memory/1624-9-0x0000000001060000-0x000000000106A000-memory.dmp

      Filesize

      40KB

    • memory/1624-8-0x0000000001040000-0x0000000001048000-memory.dmp

      Filesize

      32KB

    • memory/1624-6-0x0000000001000000-0x000000000100C000-memory.dmp

      Filesize

      48KB

    • memory/1624-1-0x00007FFA75253000-0x00007FFA75255000-memory.dmp

      Filesize

      8KB

    • memory/1624-3-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

      Filesize

      64KB

    • memory/1624-2-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

      Filesize

      10.8MB

    • memory/1624-103-0x00007FFA75250000-0x00007FFA75D11000-memory.dmp

      Filesize

      10.8MB

    • memory/1624-0-0x0000000000730000-0x0000000000824000-memory.dmp

      Filesize

      976KB

    • memory/3396-108-0x00000000009D0000-0x0000000000AC4000-memory.dmp

      Filesize

      976KB