Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 14-05-2024 03:55
Behavioral task behavioral1 (the run shown on this page)
- Sample: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Resource: win7-20240419-en
Behavioral task behavioral2
- Sample: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Size: 2.7MB
- MD5: 6fa32b421f0866b58f05526f85b6d590
- SHA1: fb2463e84c81171c07f1cd6f4b661231cc6e01c2
- SHA256: f3227b8dbb23c0388c1c761da0751316e0963dac4e15ed1a62c92a8a2d0a4601
- SHA512: e74839e7e6b7e7c3c78e658878f86813c1470d881110c0b2ee96e859dd9f9dccb89561d83aafbafdbf682eafbb40e92cc129aa489f067dc94861113109d7dd45
- SSDEEP: 49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 9 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, written nine times by 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe. Winlogon starts every comma-separated entry of this value, so each write keeps explorer.exe as the first entry and appends one more dropped binary. Listed in order of growing value, the appended paths are:
1. "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe"
2. "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
3. "C:\Users\Public\Downloads\audiodg.exe"
4. "C:\Program Files\Mozilla Firefox\browser\features\services.exe"
5. "C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe"
6. "C:\Users\Admin\AppData\audiodg.exe"
7. "C:\Windows\Fonts\System.exe"
8. "C:\Program Files\Windows Sidebar\dllhost.exe"
9. "C:\Users\Public\Music\Sample Music\explorer.exe"
The last write therefore leaves Shell = explorer.exe followed by all nine quoted paths above.
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, the WMI provider host: a process created through WMI (Win32_Process.Create) gets WmiPrvSE.exe as its parent, which is why the 27 schtasks.exe entries sit at the top level of the process tree instead of under the sample's PID 2188. Hunting for schtasks.exe (or any LOLBin) with wmiprvse.exe as parent catches this pattern regardless of which process issued the WMI call.
Processes: schtasks.exe (27 instances)
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2716) is not expected to spawn schtasks.exe. Child PIDs: 2640, 2736, 2616, 2652, 2496, 2600, 1828, 1684, 804, 1136, 2548, 2764, 2788, 1248, 1740, 2400, 2408, 2112, 1968, 2292, 1608, 756, 1284, 1420, 1748, 2244, 2576.
UAC bypass 6 IoCs
Processes: explorer.exe, 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Both the sample and the dropped explorer.exe write the three UAC policy values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. EnableLUA=0 turns UAC off (effective after the next reboot), ConsentPromptBehaviorAdmin=0 lets administrators elevate without any prompt, and PromptOnSecureDesktop=0 takes any remaining prompt off the secure desktop. Writing HKLM policy values already requires an elevated context, so this is UAC weakening for later stages rather than a bypass of a live prompt.
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe
YARA rule match: dcrat 3 IoCs
The dcrat rule matches the sample's own image in memory, the copy it writes to C:\Recovery, and the dropped explorer.exe in memory:
- behavioral1/memory/2188-1-0x00000000009A0000-0x0000000000C60000-memory.dmp (PID 2188, the sample)
- C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe (dropped file)
- behavioral1/memory/3064-119-0x0000000001370000-0x0000000001630000-memory.dmp (PID 3064, dropped explorer.exe)
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run the command (PID 836, see the process tree) is Add-MpPreference -ExclusionPath 'C:\', which excludes the whole system drive from Defender scanning; an exclusion whose path is a drive root is a strong indicator on its own, independent of the rest of the chain.
Executes dropped EXE 1 IoCs
Processes: explorer.exe
- PID 3064 explorer.exe (C:\Users\Public\Music\Sample Music\explorer.exe, the dropped copy, not the Windows shell)
Adds Run key to start application 2 TTPs 18 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
All 18 values are written by 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe. Below, HKLM stands for \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKU for \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run. Every dropped binary gets one value per hive; the value name audiodg is written twice per hive with different targets, so one of the two audiodg copies ends up without a Run entry.
- Set value (str) HKU\sppsvc = "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
- Set value (str) HKLM\Idle = "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe"
- Set value (str) HKLM\sppsvc = "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"
- Set value (str) HKU\audiodg = "C:\Users\Public\Downloads\audiodg.exe"
- Set value (str) HKLM\audiodg = "C:\Users\Public\Downloads\audiodg.exe"
- Set value (str) HKU\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics = "C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe"
- Set value (str) HKLM\audiodg = "C:\Users\Admin\AppData\audiodg.exe"
- Set value (str) HKU\dllhost = "C:\Program Files\Windows Sidebar\dllhost.exe"
- Set value (str) HKU\Idle = "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe"
- Set value (str) HKLM\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics = "C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe"
- Set value (str) HKU\audiodg = "C:\Users\Admin\AppData\audiodg.exe"
- Set value (str) HKLM\System = "C:\Windows\Fonts\System.exe"
- Set value (str) HKLM\dllhost = "C:\Program Files\Windows Sidebar\dllhost.exe"
- Set value (str) HKU\explorer = "C:\Users\Public\Music\Sample Music\explorer.exe"
- Set value (str) HKU\services = "C:\Program Files\Mozilla Firefox\browser\features\services.exe"
- Set value (str) HKLM\services = "C:\Program Files\Mozilla Firefox\browser\features\services.exe"
- Set value (str) HKU\System = "C:\Windows\Fonts\System.exe"
- Set value (str) HKLM\explorer = "C:\Users\Public\Music\Sample Music\explorer.exe"
Checks whether UAC is enabled 4 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe, explorer.exe
Each process reads EnableLUA before setting it to 0:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe
Drops file in Program Files directory 8 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
Each binary is written via an RCX*.tmp file and accompanied by a 14-character hex-named companion file in the same directory:
- File created C:\Program Files\Mozilla Firefox\browser\features\services.exe
- File created C:\Program Files\Mozilla Firefox\browser\features\c5b4cb5e9653cc
- File created C:\Program Files\Windows Sidebar\dllhost.exe
- File created C:\Program Files\Windows Sidebar\5940a34987c991
- File opened for modification C:\Program Files\Mozilla Firefox\browser\features\RCX1CC8.tmp
- File opened for modification C:\Program Files\Mozilla Firefox\browser\features\services.exe
- File opened for modification C:\Program Files\Windows Sidebar\RCX2544.tmp
- File opened for modification C:\Program Files\Windows Sidebar\dllhost.exe
Drops file in Windows directory 4 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- File created C:\Windows\Fonts\27d1bcfc3c54e0
- File opened for modification C:\Windows\Fonts\RCX22D3.tmp
- File opened for modification C:\Windows\Fonts\System.exe
- File created C:\Windows\Fonts\System.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (27 instances)
PIDs: 2736, 2652, 2764, 1740, 2112, 756, 2496, 2292, 2640, 2408, 1968, 1748, 2576, 1608, 1284, 2600, 2788, 1248, 2244, 1828, 1684, 804, 1136, 2548, 2400, 1420, 2616. The full command lines are in the process tree: for each of the nine dropped binaries the sample registers three tasks, one ONLOGON task with /rl HIGHEST and two MINUTE-interval tasks (intervals between 5 and 13 minutes, one of them with /rl HIGHEST) that re-launch the binary as a watchdog.
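The 27 schtasks command lines in the process tree are the most reusable detection material on this page, because they come through ordinary process-creation telemetry (Sysmon event 1, EDR process events). The following Python is an added example, not code from the sandbox report or from DcRat: it parses schtasks /create command lines, groups them by target binary and flags the three patterns seen here (a Windows process name living outside the Windows directory, a short MINUTE interval used as a watchdog, and /rl HIGHEST). SYSTEM_PROCESS_NAMES, SYSTEM_DIRS and WATCHDOG_MAX_MINUTES are my own assumptions, and the sample input is six lines copied from this report plus one made-up benign task to show what is not flagged.

```python
"""Triage of schtasks /create command lines for watchdog-style persistence."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Process names the dropper borrows; "System" and "Idle" mimic the System and
# System Idle Process entries in Task Manager. Assumed list, extend as needed.
SYSTEM_PROCESS_NAMES = {
    "explorer.exe", "dllhost.exe", "services.exe", "audiodg.exe", "sppsvc.exe",
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "spoolsv.exe",
    "taskhost.exe", "conhost.exe", "system.exe", "idle.exe",
}
# Directories in which those binaries legitimately live (assumption).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
WATCHDOG_MAX_MINUTES = 15  # a MINUTE trigger at or below this is a watchdog


@dataclass
class Task:
    name: str
    schedule: str            # MINUTE, ONLOGON, DAILY, ...
    interval: Optional[int]  # /mo value for MINUTE schedules
    target: str              # /tr value with surrounding quotes stripped
    highest: bool            # /rl HIGHEST present
    force: bool              # /f present (silently overwrite an existing task)


_FLAGS = {
    "tn": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "tr": re.compile(r'/tr\s+"([^"]*)"', re.I),
    "rl": re.compile(r"/rl\s+(\S+)", re.I),
}


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Return a Task for a `schtasks /create` command line, None otherwise."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None

    def grab(flag: str) -> Optional[str]:
        m = _FLAGS[flag].search(cmdline)
        return m.group(1) if m else None

    interval = grab("mo")
    return Task(
        name=grab("tn") or "",
        schedule=(grab("sc") or "").upper(),
        interval=int(interval) if interval else None,
        target=(grab("tr") or "").strip().strip("'\""),
        highest=(grab("rl") or "").upper() == "HIGHEST",
        force=re.search(r"\s/f(\s|$)", cmdline, re.I) is not None,
    )


def reasons(task: Task) -> List[str]:
    """Why the task looks like dropper persistence; empty means nothing odd."""
    out = []
    directory, base = ntpath.split(task.target)
    if base.lower() in SYSTEM_PROCESS_NAMES and directory.lower() not in SYSTEM_DIRS:
        out.append(f"masquerades as {base} outside the Windows directory")
    if task.schedule == "MINUTE" and task.interval is not None \
            and task.interval <= WATCHDOG_MAX_MINUTES:
        out.append(f"watchdog re-launch every {task.interval} min")
    if task.highest:
        out.append("runs with highest privileges (/rl HIGHEST)")
    return out


def triage(cmdlines: List[str]) -> Dict[str, dict]:
    """Group schtasks /create lines by target binary (lower-cased path)."""
    by_target: Dict[str, dict] = defaultdict(lambda: {"tasks": [], "reasons": set()})
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is None:
            continue
        entry = by_target[task.target.lower()]
        entry["tasks"].append(task)
        entry["reasons"].update(reasons(task))
    for entry in by_target.values():
        if len(entry["tasks"]) > 1:
            entry["reasons"].add(f"{len(entry['tasks'])} tasks point at the same binary")
    return dict(by_target)


# Constructed sample: six lines copied from the process tree of this report
# plus one made-up, ordinary backup task that must not be flagged.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "AcmeBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f''',
]

if __name__ == "__main__":
    for target, entry in triage(SAMPLE_CMDLINES).items():
        names = ", ".join(t.name for t in entry["tasks"])
        print(f"{target}\n  tasks: {names}\n  reasons: {sorted(entry['reasons']) or 'none'}")
```

The grouping by target is the useful part: a single schtasks line with /rl HIGHEST is common in legitimate software, but three tasks with near-identical names (Idle, IdleI) pointing at one binary in MSOCache, two of them re-running it every few minutes, is the watchdog shape that survives a single kill.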
Modifies system certificate store 2 IoCs
Processes: explorer.exe
The thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 and the subject encoded in the blob ("Internet Security Research Group", "ISRG Root X1", valid 2015-06-04 to 2035-06-04) identify this as Let's Encrypt's public ISRG Root X1 certificate, not an attacker-controlled CA. Windows adds public roots to the machine store when a TLS peer's chain requires one that the image does not yet hold, so this entry is evidence that the dropped explorer.exe made a TLS connection chaining to that root rather than evidence of trust-store tampering; the report's Network section is empty, so the peer cannot be identified from this page. To check on a host, compare the thumbprint of any ROOT\Certificates key created around the time of infection against the published thumbprint of the CA it claims to be.
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 explorer.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob explorer.exe = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe, powershell.exe, explorer.exe
Repeated process enumeration by PID 2188 (6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe), PID 836 (powershell.exe, once) and PID 3064 (the dropped explorer.exe); 64 events in total.
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe, powershell.exe, explorer.exe
- Token: SeDebugPrivilege 2188 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Token: SeDebugPrivilege 836 powershell.exe
- Token: SeDebugPrivilege 3064 explorer.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
The only targets are the two children the sample launched itself (PIDs 836 and 3064), three writes each, which is consistent with ordinary process creation; nothing on this page shows injection into an unrelated process.
- PID 2188 wrote to memory of 836 (6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe -> powershell.exe), 3 times
- PID 2188 wrote to memory of 3064 (6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe -> explorer.exe), 3 times
System policy modification 1 TTPs 6 IoCs
Processes: explorer.exe, 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
The same six writes reported under UAC bypass above:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" explorer.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" explorer.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" explorer.exe
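The registry sections above (Modifies WinLogon for persistence, Adds Run key to start application, UAC bypass and System policy modification) are all registry value writes, which is what Sysmon event 13 (RegistryEvent ValueSet) or an EDR registry feed delivers. The following Python is an added example, not code from the sandbox report or from DcRat: it takes such records and extracts the three things a responder wants from them, the extra entries Winlogon would launch from the Shell value, an inventory of Run targets together with value names that were overwritten (the report writes Run\audiodg twice with different paths), and UAC policy values set to their weak setting. The record shape {process, path, value} and the UAC_WEAK table are my own assumptions; the sample records are constructed, with their values copied from this report plus one made-up hardened write that must not be reported.

```python
"""Registry-side triage of the Winlogon, Run-key and UAC-policy writes above."""
import csv
from collections import defaultdict
from typing import Dict, List

SHELL_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# UAC policy values: the setting that weakens UAC and what it means (assumed table).
UAC_WEAK = {
    "EnableLUA": ("0", "UAC switched off (effective after the next reboot)"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": ("0", "elevation prompts leave the secure desktop"),
}


def shell_entries(value: str) -> List[str]:
    """Split a Winlogon Shell value: comma-separated, quoted paths kept whole."""
    row = next(csv.reader([value], skipinitialspace=True))
    return [e.strip() for e in row if e.strip()]


def shell_extras(value: str) -> List[str]:
    """Everything Winlogon would start besides the real shell."""
    return [e for e in shell_entries(value) if e.lower() != "explorer.exe"]


def unquote(value: str) -> str:
    return value.strip().strip('"')


def analyze(events: List[Dict[str, str]]) -> dict:
    """events: registry value-set records {process, path, value} in event order."""
    hooks: Dict[str, str] = {}                   # Shell extra -> first writer
    run_writes: Dict[str, List[str]] = defaultdict(list)  # value path -> targets
    uac: List[tuple] = []
    for ev in events:
        path, value, proc = ev["path"], ev["value"], ev["process"]
        key, _, name = path.rpartition("\\")
        if path.lower() == SHELL_VALUE.lower():
            for extra in shell_extras(value):
                hooks.setdefault(extra, proc)
        elif key.lower().endswith(r"\currentversion\run"):
            run_writes[path].append(unquote(value))
        elif key.lower() == POLICY_KEY.lower() and name in UAC_WEAK:
            weak, meaning = UAC_WEAK[name]
            if unquote(value) == weak:
                uac.append((proc, name, meaning))
    return {
        "winlogon_hooks": list(hooks),
        "run_targets": {p: t[-1] for p, t in run_writes.items()},
        "run_overwrites": {p: t for p, t in run_writes.items() if len(set(t)) > 1},
        "uac_weakened": uac,
    }


# Constructed records; values copied from the report, except the last one.
SAMPLE = "6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe"
HKLM_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKU_RUN = r"\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run"
FINAL_SHELL = (
    r'explorer.exe, '
    r'"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe", '
    r'"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe", '
    r'"C:\Users\Public\Downloads\audiodg.exe", '
    r'"C:\Program Files\Mozilla Firefox\browser\features\services.exe", '
    r'"C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe", '
    r'"C:\Users\Admin\AppData\audiodg.exe", '
    r'"C:\Windows\Fonts\System.exe", '
    r'"C:\Program Files\Windows Sidebar\dllhost.exe", '
    r'"C:\Users\Public\Music\Sample Music\explorer.exe"'
)
SAMPLE_EVENTS = [
    {"process": SAMPLE, "path": SHELL_VALUE,
     "value": r'explorer.exe, "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe"'},
    {"process": SAMPLE, "path": SHELL_VALUE, "value": FINAL_SHELL},
    {"process": SAMPLE, "path": HKLM_RUN + r"\Idle",
     "value": r'"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe"'},
    {"process": SAMPLE, "path": HKU_RUN + r"\audiodg", "value": r'"C:\Users\Public\Downloads\audiodg.exe"'},
    {"process": SAMPLE, "path": HKU_RUN + r"\audiodg", "value": r'"C:\Users\Admin\AppData\audiodg.exe"'},
    {"process": SAMPLE, "path": POLICY_KEY + r"\EnableLUA", "value": "0"},
    {"process": "explorer.exe", "path": POLICY_KEY + r"\ConsentPromptBehaviorAdmin", "value": "0"},
    {"process": SAMPLE, "path": POLICY_KEY + r"\PromptOnSecureDesktop", "value": "0"},
    # Made-up hardened write: EnableLUA back to 1 must not be reported.
    {"process": "gpupdate.exe", "path": POLICY_KEY + r"\EnableLUA", "value": "1"},
]

if __name__ == "__main__":
    report = analyze(SAMPLE_EVENTS)
    for section, content in report.items():
        print(f"{section}: {content}")
```

The Shell parser is the part worth keeping: the value is a comma-separated list in which paths with spaces are quoted, so a naive split on commas breaks on "All Users" and "Sample Music"; the csv module with skipinitialspace handles exactly that quoting. The overwrite check matters for cleanup, because the Run value that survives (the AppData audiodg.exe) is not the one a responder would find by reading only the first write.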
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe (PID 2188, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 836, level 2, child of 2188)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Public\Music\Sample Music\explorer.exe (PID 3064, level 2, child of 2188)
    Command line: "C:\Users\Public\Music\Sample Music\explorer.exe"
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
- C:\Windows\system32\schtasks.exe, 27 instances at level 1 (parent wmiprvse.exe PID 2716, see "Process spawned unexpected child process"). Each instance carries the signatures "Process spawned unexpected child process" and "Creates scheduled task(s)". Command lines by PID:
  - PID 2640: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
  - PID 2736: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
  - PID 2616: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
  - PID 2652: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
  - PID 2496: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
  - PID 2600: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
  - PID 1828: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\audiodg.exe'" /f
  - PID 1684: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Downloads\audiodg.exe'" /rl HIGHEST /f
  - PID 804: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\audiodg.exe'" /rl HIGHEST /f
  - PID 1136: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\features\services.exe'" /f
  - PID 2548: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\services.exe'" /rl HIGHEST /f
  - PID 2764: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\features\services.exe'" /rl HIGHEST /f
  - PID 2788: schtasks.exe /create /tn "6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics6" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe'" /f
  - PID 1248: schtasks.exe /create /tn "6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe'" /rl HIGHEST /f
  - PID 1740: schtasks.exe /create /tn "6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics6" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe'" /rl HIGHEST /f
  - PID 2400: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\audiodg.exe'" /f
  - PID 2408: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\AppData\audiodg.exe'" /rl HIGHEST /f
  - PID 2112: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\audiodg.exe'" /rl HIGHEST /f
  - PID 1968: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\System.exe'" /f
  - PID 2292: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
  - PID 1608: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\System.exe'" /rl HIGHEST /f
  - PID 756: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /f
  - PID 1284: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
  - PID 1420: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
  - PID 1748: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /f
  - PID 2244: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /rl HIGHEST /f
  - PID 2576: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\explorer.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Scheduled Task/Job (T1053): 1
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Scheduled Task/Job (T1053): 1
Downloads
- C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\6fa32b421f0866b58f05526f85b6d590_NeikiAnalytics.exe
  - Filesize: 2.7MB
  - MD5: 6fa32b421f0866b58f05526f85b6d590
  - SHA1: fb2463e84c81171c07f1cd6f4b661231cc6e01c2
  - SHA256: f3227b8dbb23c0388c1c761da0751316e0963dac4e15ed1a62c92a8a2d0a4601
  - SHA512: e74839e7e6b7e7c3c78e658878f86813c1470d881110c0b2ee96e859dd9f9dccb89561d83aafbafdbf682eafbb40e92cc129aa489f067dc94861113109d7dd45
  All four hashes match the submitted sample, so the file in C:\Recovery is a byte-identical copy of it; the other eight dropped binaries are not listed here, so their hashes cannot be taken from this page.