Analysis

  • max time kernel
    91s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    14-05-2024 12:22

General

  • Target

    c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe

  • Size

    2.7MB

  • MD5

    c63f74bf817cee682824dd46e4ce6f20

  • SHA1

    99e866bcfca39a4273f13795799d1f4d3bd06641

  • SHA256

    8b4a898c3d88a3e0cafea621e85a524fb74786d20ea94ac29c042506e91474da

  • SHA512

    aaeebb5f2ca208d1b89da51e0baa412a1275cb5d809636556dbbd861e0720bd903a6e844c583334a2c267f51885465d32da62a2096bf49c8422d7e8fa87f1ee7

  • SSDEEP

    49152:yH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:yHfE5Ad8Xd295UmGc

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.

  • Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  • Process spawned unexpected child process (36 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass (3 TTPs, 6 IoCs)
  • DCRat payload (3 IoCs)

    Detects the payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (1 IoCs)
  • Adds Run key to start application (2 TTPs, 22 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 4 IoCs)
  • Drops file in Program Files directory (13 IoCs)
  • Drops file in Windows directory (16 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 36 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • System policy modification (1 TTPs, 6 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:888
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6UXRAQMNZZ.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3360
        • C:\Windows\Performance\WinSAT\Registry.exe
          "C:\Windows\Performance\WinSAT\Registry.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\Registry.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\Registry.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4072
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:892
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2828
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3724
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:448
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4140
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2104
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3684
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1344
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4856
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:8
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2212
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4736
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3252
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:840
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Music\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:64
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4436
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4272

    Downloads

    • C:\Recovery\WindowsRE\RuntimeBroker.exe

      Filesize

      2.7MB

      MD5

      d5baab26ae15834ba3052bb01795d754

      SHA1

      a78b1ab5afbdcdaa568b03ef38713423acbdc8d4

      SHA256

      c71b8dbef4a28c306c4217d570ca32bfc0a18b5d1180889ea46323eecddfe551

      SHA512

      c7612dc866acff8f31ede2f4a1dbea6c97cc3b15f259a0c5b90a8aed26098806429351d37de5fba0ae5f1a5d6e787a96aeb71b3d00f927b770f0c785673579db

    • C:\Recovery\WindowsRE\RuntimeBroker.exe

      Filesize

      2.7MB

      MD5

      c63f74bf817cee682824dd46e4ce6f20

      SHA1

      99e866bcfca39a4273f13795799d1f4d3bd06641

      SHA256

      8b4a898c3d88a3e0cafea621e85a524fb74786d20ea94ac29c042506e91474da

      SHA512

      aaeebb5f2ca208d1b89da51e0baa412a1275cb5d809636556dbbd861e0720bd903a6e844c583334a2c267f51885465d32da62a2096bf49c8422d7e8fa87f1ee7

    • C:\Users\Admin\AppData\Local\Temp\6UXRAQMNZZ.bat

      Filesize

      207B

      MD5

      7b2a9413aa466d4e1e7f42f13903b327

      SHA1

      aa6bb5abb9f9267069245bd64664f3f1f2609fab

      SHA256

      ade218a15f6c46ee24ebbf565f2c2e38ad77b1395b7cf1b8f63630d94cbc208f

      SHA512

      520942ff6dea181e1d177b50b482d00205b3b475a4469848e3b6ccec6dd951beb4f4a0a896c24b19f14a1a72cf51fa24bfd397a68e1220c203bf6aecba81d5d3

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_beqfi0og.ki3.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
