Malware Analysis Report

2024-11-15 05:49

Sample ID 240514-c6c26afg6w
Target 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics
SHA256 e97d9651c1df50e5eb6847b6dde990e9fab3504c245557b61df65215df6de176
Tags: rat dcrat evasion infostealer persistence trojan
Score: 10/10


Analysis Overview

score
10/10

SHA256

e97d9651c1df50e5eb6847b6dde990e9fab3504c245557b61df65215df6de176

Threat Level: Known bad

The file 5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer persistence trojan

Dcrat family

DCRat payload

DcRat

UAC bypass

Modifies WinLogon for persistence

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

System policy modification

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-14 02:40

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 02:40

Reported

2024-05-14 02:43

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\System32\\w32tm\\taskhost.exe\", \"C:\\Windows\\System32\\mfc120fra\\lsm.exe\", \"C:\\Windows\\System32\\mfc110kor\\winlogon.exe\", \"C:\\Windows\\System32\\mfc140esn\\winlogon.exe\", \"C:\\Windows\\System32\\ieUnatt\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\System32\\w32tm\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\System32\\w32tm\\taskhost.exe\", \"C:\\Windows\\System32\\mfc120fra\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\System32\\w32tm\\taskhost.exe\", \"C:\\Windows\\System32\\mfc120fra\\lsm.exe\", \"C:\\Windows\\System32\\mfc110kor\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\System32\\w32tm\\taskhost.exe\", \"C:\\Windows\\System32\\mfc120fra\\lsm.exe\", \"C:\\Windows\\System32\\mfc110kor\\winlogon.exe\", \"C:\\Windows\\System32\\mfc140esn\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\", \"C:\\Windows\\System32\\w32tm\\taskhost.exe\", \"C:\\Windows\\System32\\mfc120fra\\lsm.exe\", \"C:\\Windows\\System32\\mfc110kor\\winlogon.exe\", \"C:\\Windows\\System32\\mfc140esn\\winlogon.exe\", \"C:\\Windows\\System32\\ieUnatt\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\w32tm\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\mfc110kor\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\mfc110kor\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\mfc140esn\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\w32tm\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\taskhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\mfc120fra\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\mfc120fra\\lsm.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\mfc140esn\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\ieUnatt\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\ieUnatt\\sppsvc.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\ieUnatt\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\ieUnatt\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\mfc120fra\RCX3D27.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\ieUnatt\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\mfc110kor\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\mfc110kor\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\mfc120fra\101b941d020240259ca4912829b53995ad543df6 | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\w32tm\b75386f1303e64d8139363b71e44ac16341adf4e | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\w32tm\RCX3AB4.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\mfc110kor\RCX3F3A.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\w32tm\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\mfc140esn\cc11b995f2a76da408ea6a601e682e64743153ad | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\w32tm\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\mfc120fra\RCX3CB8.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\w32tm\RCX3AB5.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\mfc140esn\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\ieUnatt\RCX4344.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\mfc140esn\RCX413F.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\mfc140esn\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\mfc140esn\RCX4140.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\ieUnatt\RCX4345.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\mfc110kor\cc11b995f2a76da408ea6a601e682e64743153ad | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\mfc120fra\lsm.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\mfc110kor\RCX3F3B.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\mfc120fra\lsm.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe | N/A

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\w32tm\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\mfc120fra\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\mfc110kor\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\mfc140esn\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\ieUnatt\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe

"C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\taskhost.exe"

Network

Country | Destination | Domain | Proto
RU | 37.230.117.59:80 | 37.230.117.59 | tcp

Files

memory/2196-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

memory/2196-1-0x0000000000D40000-0x0000000000E34000-memory.dmp

memory/2196-2-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

memory/2196-3-0x0000000000140000-0x0000000000150000-memory.dmp

memory/2196-4-0x0000000000360000-0x0000000000370000-memory.dmp

memory/2196-5-0x0000000000350000-0x000000000035A000-memory.dmp

memory/2196-6-0x0000000000390000-0x000000000039C000-memory.dmp

memory/2196-7-0x0000000000470000-0x000000000047A000-memory.dmp

memory/2196-8-0x0000000000430000-0x0000000000438000-memory.dmp

memory/2196-11-0x0000000000460000-0x000000000046C000-memory.dmp

memory/2196-10-0x0000000000450000-0x000000000045C000-memory.dmp

memory/2196-9-0x0000000000440000-0x000000000044A000-memory.dmp

C:\Windows\System32\mfc140esn\winlogon.exe

MD5 5c8aee7bbd1b09e31178be12bc847c30
SHA1 5cc34074f6c74cb0cbb3d282e9360a2d2eace451
SHA256 e97d9651c1df50e5eb6847b6dde990e9fab3504c245557b61df65215df6de176
SHA512 199f60f46d89bf3aadac7e2c67dbcdae716e3644b2db0c67e340cd55b47c78a1683acf27021850755d5ab66ee6850d3eba425e369604413b9897eb01f176ec2b

C:\Windows\System32\mfc120fra\lsm.exe

MD5 c6829961b8b15e4e72a427292dc1ca03
SHA1 b0b49297d0d2147d48e8c00ef8322db4b06489a4
SHA256 050ad1735814338e79e711ca13e66430a109167821f04dd31b916c701b9163e0
SHA512 5b74543ae0245370bc89c167652630d2a2e264544df4ea6eb7b209cbcc364ccb4e6b2fb773bc113333eeb7783a107b537bb11af3f7526ae1722eae8b1a08f4cd

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe

MD5 39502141a6598bb1fa71d5a0e6de504d
SHA1 67e1947e0bca927ad2f9c709d6777f0adc277199
SHA256 9aa56a80084cc26e2a3669bde92dcde0ac3e0308de473b2f1db10679beb05c64
SHA512 8eea5032ac7f7fee62879ee9e0e17bfcbf51626b2a87b621009bc8654246083383aaa7ec2c1b793ebc8a5b76842c10459c14d1916e84aba9e508a4542c41a2a8

memory/2196-120-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

memory/1856-119-0x0000000000DA0000-0x0000000000E94000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 02:40

Reported

2024-05-14 02:43

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CourtesyEngine\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Idle.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CourtesyEngine\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Idle.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\services.exe\", \"C:\\Windows\\System32\\wkssvc\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CourtesyEngine\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Idle.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\services.exe\", \"C:\\Windows\\System32\\wkssvc\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CourtesyEngine\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CourtesyEngine\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\CourtesyEngine\\RuntimeBroker.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\wkssvc\winlogon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\System32\wkssvc\winlogon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\System32\wkssvc\winlogon.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\wkssvc\winlogon.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\CourtesyEngine\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\CourtesyEngine\\RuntimeBroker.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\wkssvc\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Idle.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Multimedia Platform\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Multimedia Platform\\services.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\wkssvc\\winlogon.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\System32\wkssvc\winlogon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\wkssvc\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\wkssvc\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\CourtesyEngine\RCX4C6C.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\wkssvc\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\CourtesyEngine\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File created | C:\Windows\System32\wkssvc\cc11b995f2a76da408ea6a601e682e64743153ad | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\CourtesyEngine\RCX4CDB.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\wkssvc\RCX55CB.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\System32\wkssvc\RCX5639.tmp | C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe | N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX5358.tmp C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\services.exe C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCX50E5.tmp C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\RCX50E6.tmp C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\e6c9b481da804f07baff8eff543b0a1441069b5d C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\RCX4EDF.tmp C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Multimedia Platform\services.exe C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Multimedia Platform\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\6ccacd8608530fba3a93e87ae2225c7032aa18c1 C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\RCX4EE0.tmp C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RCX53C6.tmp C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wkssvc\winlogon.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\wkssvc\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\wkssvc\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\System32\wkssvc\winlogon.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5c8aee7bbd1b09e31178be12bc847c30_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\wkssvc\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vM0j4Io8uK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\wkssvc\winlogon.exe

"C:\Windows\System32\wkssvc\winlogon.exe"

Network

Country Destination Domain Proto
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
RU 37.230.117.59:80 37.230.117.59 tcp
US 8.8.8.8:53 59.117.230.37.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

C:\Windows\System32\wkssvc\winlogon.exe

MD5 5c8aee7bbd1b09e31178be12bc847c30
SHA1 5cc34074f6c74cb0cbb3d282e9360a2d2eace451
SHA256 e97d9651c1df50e5eb6847b6dde990e9fab3504c245557b61df65215df6de176
SHA512 199f60f46d89bf3aadac7e2c67dbcdae716e3644b2db0c67e340cd55b47c78a1683acf27021850755d5ab66ee6850d3eba425e369604413b9897eb01f176ec2b

C:\Windows\System32\CourtesyEngine\RuntimeBroker.exe

MD5 d8729f973371760712beda1965bf0520
SHA1 8f1855c5f8ac1febe24f6af3da2b7d6ac4817670
SHA256 871cfcee83562d01ae83a617737d99f8c72d8b8894d45f914bb230c952175557
SHA512 9190c2e5933ad9a5af8264ef110560b0ebe6e9ba091a76555afec811c980fb2dc6649902e4b4bf909c676654b1b0fdd06b28535395c5c4bcc02109a4986ad57f

C:\Program Files\Windows Multimedia Platform\services.exe

MD5 abbd2e2a8e9e0261a691954549ae61f6
SHA1 83356ed1b70c648a572021c64b3886f159a5c372
SHA256 471d881f51a97441cf1e2c6b7eadef7b7f6529f39b21727063e6d251bfebdac2
SHA512 5ee1947cc142647cca1530b9f32eefe83fcdffa383c68abcd5509f2f35c5e561479a2db9722ebaaa805c346c8fc7e64d9dc92a8bc65119d51ed482ffb14f9cbe

C:\Windows\System32\wkssvc\winlogon.exe

MD5 69281edf3c1d6fd7af854b470c68e4dd
SHA1 d9d55602bc3e1dbebc4ebe1b0bd28935729f7ed3
SHA256 d8cc455a42e5f056431b1db5582d0452983a67ebdadce42f3c05feb3d7b32421
SHA512 51883a5bdf9f334642491ee1e14adbe8de6384365536ae015582df9d644fcd29f3a11864287f373927f89211d67fa45cb4c90870fc6a6f01ba19e290f902b5e1

C:\Users\Admin\AppData\Local\Temp\vM0j4Io8uK.bat

MD5 a18b9913edabe9e46862fbc4cfb905da
SHA1 223c385ab83c5532cb5e0c4b47688802e91d8bd1
SHA256 6c11edd23a73a838900925a7c13cc91b65cbb29d5e462fd11baf529983b8a5d1
SHA512 69cd45ad5d89d98f49ef91d12900a6cb41a79a7f7bd07add7d405378c8b20b3e1d219524ad83dae7ae68dc312b2dcf11a911a8c2e51f0c235efd782a216e9284