Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 12:22
Behavioral task: behavioral1
Sample: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Size: 2.7MB
MD5: c63f74bf817cee682824dd46e4ce6f20
SHA1: 99e866bcfca39a4273f13795799d1f4d3bd06641
SHA256: 8b4a898c3d88a3e0cafea621e85a524fb74786d20ea94ac29c042506e91474da
SHA512: aaeebb5f2ca208d1b89da51e0baa412a1275cb5d809636556dbbd861e0720bd903a6e844c583334a2c267f51885465d32da62a2096bf49c8422d7e8fa87f1ee7
SSDEEP: 49152:yH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:yHfE5Ad8Xd295UmGc
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.
Processes:
resource | yara_rule
behavioral1/memory/2432-1-0x0000000000820000-0x0000000000AE0000-memory.dmp | dcrat
C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe | dcrat
behavioral1/memory/2204-76-0x0000000000110000-0x00000000003D0000-memory.dmp | dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs
Processes (all entries by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe):
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\spoolsv.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\""

Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description for every row: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process"):
pid | pid_target | target process
2532 | 2804 | schtasks.exe
2528 | 2804 | schtasks.exe
2620 | 2804 | schtasks.exe
2516 | 2804 | schtasks.exe
2572 | 2804 | schtasks.exe
2972 | 2804 | schtasks.exe
2164 | 2804 | schtasks.exe
1736 | 2804 | schtasks.exe
1048 | 2804 | schtasks.exe
2688 | 2804 | schtasks.exe
2608 | 2804 | schtasks.exe
2856 | 2804 | schtasks.exe

UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Executes dropped EXE 1 IoCs
Processes:
pid | process
2204 | winlogon.exe
Adds Run key to start application 2 TTPs 8 IoCs
Processes (all entries by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe):
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\""
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\spoolsv.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\spoolsv.exe\""
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\""
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\""
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\""
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\""

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Drops file in Program Files directory 16 IoCs
Processes (all entries by c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe):
description | ioc
File created | C:\Program Files (x86)\Windows Sidebar\fr-FR\f3b6ecef712a24
File created | C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f
File created | C:\Program Files\Windows Defender\es-ES\winlogon.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX2D59.tmp
File opened for modification | C:\Program Files (x86)\Windows Sidebar\fr-FR\spoolsv.exe
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\Idle.exe
File created | C:\Program Files (x86)\Windows Portable Devices\Idle.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\hrtfs\RCX2B55.tmp
File opened for modification | C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe
File created | C:\Program Files (x86)\Windows Sidebar\fr-FR\spoolsv.exe
File created | C:\Program Files\Windows Defender\es-ES\cc11b995f2a76d
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\RCX2F5D.tmp
File opened for modification | C:\Program Files\Windows Defender\es-ES\RCX31CE.tmp
File opened for modification | C:\Program Files\Windows Defender\es-ES\winlogon.exe
File created | C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe
File created | C:\Program Files\VideoLAN\VLC\hrtfs\101b941d020240
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 12 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2620 | schtasks.exe
2516 | schtasks.exe
1736 | schtasks.exe
2532 | schtasks.exe
2528 | schtasks.exe
2572 | schtasks.exe
2972 | schtasks.exe
2164 | schtasks.exe
1048 | schtasks.exe
2688 | schtasks.exe
2608 | schtasks.exe
2856 | schtasks.exe

Modifies system certificate store
Processes (all entries by winlogon.exe):
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary blob not reproduced in the report)
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
pid | process | entries
2432 | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe | 15
2228 | powershell.exe | 1
2204 | winlogon.exe | 19
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2432 | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2228 | powershell.exe
Token: SeDebugPrivilege | 2204 | winlogon.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process | entries
PID 2432 wrote to memory of 2228 | 2432 | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe | powershell.exe | 3
PID 2432 wrote to memory of 2204 | 2432 | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe | winlogon.exe | 3
System policy modification 1 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe"
  PID: 2432
  Signatures:
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
    PID: 2228
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Program Files\Windows Defender\es-ES\winlogon.exe (depth 2)
    Command line: "C:\Program Files\Windows Defender\es-ES\winlogon.exe"
    PID: 2204
    Signatures:
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe'" /f
  PID: 2532
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe'" /rl HIGHEST /f
  PID: 2528
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe'" /rl HIGHEST /f
  PID: 2620
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\spoolsv.exe'" /f
  PID: 2516
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\spoolsv.exe'" /rl HIGHEST /f
  PID: 2572
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\spoolsv.exe'" /rl HIGHEST /f
  PID: 2972
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
  PID: 2164
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
  PID: 1736
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
  PID: 1048
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\winlogon.exe'" /f
  PID: 2688
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\winlogon.exe'" /rl HIGHEST /f
  PID: 2608
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)

- C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\winlogon.exe'" /rl HIGHEST /f
  PID: 2856
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads
Filesize: 2.7MB
MD5: c63f74bf817cee682824dd46e4ce6f20
SHA1: 99e866bcfca39a4273f13795799d1f4d3bd06641
SHA256: 8b4a898c3d88a3e0cafea621e85a524fb74786d20ea94ac29c042506e91474da
SHA512: aaeebb5f2ca208d1b89da51e0baa412a1275cb5d809636556dbbd861e0720bd903a6e844c583334a2c267f51885465d32da62a2096bf49c8422d7e8fa87f1ee7