Analysis
- max time kernel: 94s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-05-2024 05:56
Behavioral task behavioral1
- Sample: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task behavioral2
- Sample: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
- Size: 2.7MB
- MD5: 8cdae0ef9f7f5ab79ec5671644e1a0f0
- SHA1: dfae9279327bb5658e9d95daae768bfaf4dca42f
- SHA256: e4c8b1c4527c76289bb4247f0a02d3dd85545bdc59530f005941455d05826aed
- SHA512: 828146a24cc9ddac7e6e4f80df37356cbaf1bf93be1540b9cc3c5e49c7a46ef49f74ef48ba23998b5c388575aa792cc3f43043aadb15ff5b21eff841f49171f6
- SSDEEP: 49152:yH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:yHfE5Ad8Xd295UmGc
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
  Processes: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\OfficeClickToRun.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
- Process spawned unexpected child process (18 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: schtasks.exe (18 instances)
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4192 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2316 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2128 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4580 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1480 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2224 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1444 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1816 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4964 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5092 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3616 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5020 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4472 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4720 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3448 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 560 | 2496 | schtasks.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1916 | 2496 | schtasks.exe
- UAC bypass
  Processes: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe, dllhost.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
- YARA matches
  resource | yara_rule
  behavioral2/memory/2788-1-0x0000000000080000-0x0000000000340000-memory.dmp | dcrat
  C:\Program Files (x86)\Google\CrashReports\OfficeClickToRun.exe | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
- Executes dropped EXE (1 IoC)
  Processes: dllhost.exe
  pid | process
  1936 | dllhost.exe
- Adds Run key to start application (2 TTPs, 12 IoCs)
  Processes: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Google\\CrashReports\\OfficeClickToRun.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Google\\CrashReports\\OfficeClickToRun.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Mail\\fontdrvhost.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\"" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
- Checks whether UAC is enabled
  Processes: dllhost.exe, 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dllhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
- Drops file in Program Files directory (8 IoCs)
  Processes: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Google\CrashReports\OfficeClickToRun.exe | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  File created | C:\Program Files (x86)\Windows Mail\fontdrvhost.exe | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Windows Mail\fontdrvhost.exe | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  File created | C:\Program Files (x86)\Windows Mail\5b884080fd4f94 | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  File created | C:\Program Files (x86)\Google\CrashReports\OfficeClickToRun.exe | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  File created | C:\Program Files (x86)\Google\CrashReports\e6c9b481da804f | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Windows Mail\RCX5E8C.tmp | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  File opened for modification | C:\Program Files (x86)\Google\CrashReports\RCX66CD.tmp | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 18 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (18 instances)
  pid | process
  2636 | schtasks.exe
  4964 | schtasks.exe
  5092 | schtasks.exe
  3616 | schtasks.exe
  560 | schtasks.exe
  2316 | schtasks.exe
  4580 | schtasks.exe
  1444 | schtasks.exe
  4720 | schtasks.exe
  1916 | schtasks.exe
  4192 | schtasks.exe
  2128 | schtasks.exe
  1816 | schtasks.exe
  1480 | schtasks.exe
  2224 | schtasks.exe
  3448 | schtasks.exe
  5020 | schtasks.exe
  4472 | schtasks.exe
- Modifies registry class (1 IoC)
  Processes: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe, powershell.exe, dllhost.exe
  pid | process (the report lists one entry per hit; identical pid/process pairs are collapsed here)
  2788 | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  1428 | powershell.exe
  1936 | dllhost.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe, powershell.exe, dllhost.exe
  description | pid | process
  Token: SeDebugPrivilege | 2788 | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Token: SeDebugPrivilege | 1428 | powershell.exe
  Token: SeDebugPrivilege | 1936 | dllhost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe, cmd.exe
  description | pid | process | target process
  PID 2788 wrote to memory of 1428 | 2788 | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe | powershell.exe
  PID 2788 wrote to memory of 1428 | 2788 | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe | powershell.exe
  PID 2788 wrote to memory of 4884 | 2788 | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe | cmd.exe
  PID 2788 wrote to memory of 4884 | 2788 | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe | cmd.exe
  PID 4884 wrote to memory of 3596 | 4884 | cmd.exe | w32tm.exe
  PID 4884 wrote to memory of 3596 | 4884 | cmd.exe | w32tm.exe
  PID 4884 wrote to memory of 1936 | 4884 | cmd.exe | dllhost.exe
  PID 4884 wrote to memory of 1936 | 4884 | cmd.exe | dllhost.exe
- System policy modification (1 TTP, 6 IoCs)
  Processes: dllhost.exe, 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dllhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dllhost.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dllhost.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; the number in brackets is the depth level)
[1] C:\Users\Admin\AppData\Local\Temp\8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8cdae0ef9f7f5ab79ec5671644e1a0f0_NeikiAnalytics.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks computer location settings
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 2788
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1428
  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\90VwfBYSCa.bat"
      - Suspicious use of WriteProcessMemory
      PID: 4884
    [3] C:\Windows\system32\w32tm.exe
        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        PID: 3596
    [3] C:\Recovery\WindowsRE\dllhost.exe
        Command line: "C:\Recovery\WindowsRE\dllhost.exe"
        - UAC bypass
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - System policy modification
        PID: 1936
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4192
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2316
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2128
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1480
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4580
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2224
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1444
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1816
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2636
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4964
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 5092
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3616
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\OfficeClickToRun.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 5020
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\OfficeClickToRun.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4472
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\OfficeClickToRun.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 4720
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3448
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 560
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1916
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads
- Filesize: 2.7MB
  MD5: 8cdae0ef9f7f5ab79ec5671644e1a0f0
  SHA1: dfae9279327bb5658e9d95daae768bfaf4dca42f
  SHA256: e4c8b1c4527c76289bb4247f0a02d3dd85545bdc59530f005941455d05826aed
  SHA512: 828146a24cc9ddac7e6e4f80df37356cbaf1bf93be1540b9cc3c5e49c7a46ef49f74ef48ba23998b5c388575aa792cc3f43043aadb15ff5b21eff841f49171f6
- Filesize: 198B
  MD5: 6c8b46f0687c544f6fbba92af4fa5290
  SHA1: ad16b70110768a20cf7e7e00bf9a6c28d03b7474
  SHA256: ac613ccce7765d79a89905d6d2210dedf05f5ed369f2da2c2840ae5dacfbe48f
  SHA512: 70e2644a607f36f0b86a358e00020ae934b39cc1313f54c1dfbdeba1bcef4f98c3a4925fe06e1b21beecf4ce8c91e632f1e9d7b5668230ff111517b3d8bb5b54
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82