Malware Analysis Report

2024-11-15 05:49

Sample ID 240514-pjy3bsfd79
Target c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics
SHA256 8b4a898c3d88a3e0cafea621e85a524fb74786d20ea94ac29c042506e91474da
Tags
rat dcrat evasion execution infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b4a898c3d88a3e0cafea621e85a524fb74786d20ea94ac29c042506e91474da

Threat Level: Known bad

The file c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer persistence trojan

Dcrat family

DcRat

DCRat payload

Modifies WinLogon for persistence

UAC bypass

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-14 12:22

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 12:22

Reported

2024-05-14 12:24

Platform

win7-20240508-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\spoolsv.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Defender\\es-ES\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\VideoLAN\\VLC\\hrtfs\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\fr-FR\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Defender\es-ES\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX2D59.tmp C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\fr-FR\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\Idle.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\Idle.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\hrtfs\RCX2B55.tmp C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\fr-FR\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files\Windows Defender\es-ES\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX2F5D.tmp C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Defender\es-ES\RCX31CE.tmp C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Defender\es-ES\winlogon.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files\VideoLAN\VLC\hrtfs\101b941d020240 C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary certificate blob omitted] C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Defender\es-ES\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Program Files\Windows Defender\es-ES\winlogon.exe

"C:\Program Files\Windows Defender\es-ES\winlogon.exe"

Network

Country Destination Domain Proto
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 tcp
RU 94.250.255.250:443 tcp

Files

memory/2432-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

memory/2432-1-0x0000000000820000-0x0000000000AE0000-memory.dmp

memory/2432-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

memory/2432-3-0x00000000004C0000-0x00000000004C8000-memory.dmp

memory/2432-4-0x00000000004D0000-0x00000000004EC000-memory.dmp

memory/2432-5-0x0000000000790000-0x0000000000798000-memory.dmp

memory/2432-6-0x00000000007A0000-0x00000000007B0000-memory.dmp

memory/2432-8-0x00000000007D0000-0x00000000007D8000-memory.dmp

memory/2432-7-0x00000000007B0000-0x00000000007C6000-memory.dmp

memory/2432-9-0x00000000007E0000-0x00000000007E8000-memory.dmp

memory/2432-10-0x00000000007F0000-0x0000000000800000-memory.dmp

memory/2432-11-0x0000000000800000-0x000000000080A000-memory.dmp

memory/2432-12-0x000000001A920000-0x000000001A976000-memory.dmp

memory/2432-13-0x0000000000810000-0x0000000000818000-memory.dmp

memory/2432-14-0x0000000002270000-0x0000000002278000-memory.dmp

memory/2432-15-0x0000000002280000-0x000000000228C000-memory.dmp

memory/2432-16-0x0000000002290000-0x0000000002298000-memory.dmp

memory/2432-17-0x00000000022A0000-0x00000000022AC000-memory.dmp

memory/2432-18-0x000000001A970000-0x000000001A97C000-memory.dmp

memory/2432-19-0x000000001AD50000-0x000000001AD58000-memory.dmp

memory/2432-22-0x000000001AD80000-0x000000001AD8C000-memory.dmp

memory/2432-21-0x000000001AD70000-0x000000001AD7C000-memory.dmp

memory/2432-20-0x000000001AD60000-0x000000001AD68000-memory.dmp

memory/2432-24-0x000000001AEA0000-0x000000001AEAA000-memory.dmp

memory/2432-23-0x000000001AD90000-0x000000001AD98000-memory.dmp

memory/2432-25-0x000000001AEB0000-0x000000001AEBC000-memory.dmp

memory/2432-26-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

C:\Program Files\VideoLAN\VLC\hrtfs\lsm.exe

MD5 c63f74bf817cee682824dd46e4ce6f20
SHA1 99e866bcfca39a4273f13795799d1f4d3bd06641
SHA256 8b4a898c3d88a3e0cafea621e85a524fb74786d20ea94ac29c042506e91474da
SHA512 aaeebb5f2ca208d1b89da51e0baa412a1275cb5d809636556dbbd861e0720bd903a6e844c583334a2c267f51885465d32da62a2096bf49c8422d7e8fa87f1ee7

memory/2228-75-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/2432-77-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

memory/2204-76-0x0000000000110000-0x00000000003D0000-memory.dmp

memory/2228-78-0x0000000002790000-0x0000000002798000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 12:22

Reported

2024-05-14 12:24

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\en-US\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\en-US\\dllhost.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\en-US\\dllhost.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\fontdrvhost.exe\", \"C:\\Users\\Public\\Music\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\WinSAT\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\upfc.exe\", \"C:\\Windows\\bcastdvr\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\L2Schemas\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\en-US\\dllhost.exe\", \"C:\\Windows\\Sun\\Java\\Deployment\\fontdrvhost.exe\", \"C:\\Users\\Public\\Music\\upfc.exe\", \"C:\\Users\\Public\\AccountPictures\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (30 identical rows)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Performance\WinSAT\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Performance\WinSAT\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Performance\WinSAT\Registry.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Performance\WinSAT\Registry.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Sun\\Java\\Deployment\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Sun\\Java\\Deployment\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\Performance\\WinSAT\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Portable Devices\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\L2Schemas\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Public\\Music\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\bcastdvr\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Media Player\\en-US\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Media Player\\en-US\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\AccountPictures\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\Performance\\WinSAT\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Recovery\\WindowsRE\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\L2Schemas\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Public\\AccountPictures\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\bcastdvr\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Public\\Music\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Performance\WinSAT\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Performance\WinSAT\Registry.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX5AA8.tmp C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX5CFB.tmp C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\en-US\RCX6171.tmp C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\L2Schemas\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\L2Schemas\RCX5F6D.tmp C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Windows\Performance\WinSAT\Registry.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Windows\L2Schemas\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Windows\Sun\Java\Deployment\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\bcastdvr\dllhost.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\L2Schemas\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Sun\Java\Deployment\RCX63F3.tmp C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Sun\Java\Deployment\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Performance\WinSAT\Registry.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Windows\bcastdvr\dllhost.exe C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Windows\bcastdvr\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Performance\WinSAT\RCX5005.tmp C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\bcastdvr\RCX542E.tmp C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Windows\Performance\WinSAT\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
File created C:\Windows\Sun\Java\Deployment\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (36 identical rows)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A (46 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical rows)
N/A N/A C:\Windows\Performance\WinSAT\Registry.exe N/A (16 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Performance\WinSAT\Registry.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Performance\WinSAT\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Performance\WinSAT\Registry.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Performance\WinSAT\Registry.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c63f74bf817cee682824dd46e4ce6f20_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Performance\WinSAT\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\Deployment\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Music\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\services.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6UXRAQMNZZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\WinSAT\Registry.exe

"C:\Windows\Performance\WinSAT\Registry.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.96:443 www.bing.com tcp
US 8.8.8.8:53 96.61.62.23.in-addr.arpa udp
RU 94.250.255.250:80 94.250.255.250 tcp
RU 94.250.255.250:443 N/A tcp
RU 94.250.255.250:443 N/A tcp
US 8.8.8.8:53 250.255.250.94.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp

Files

C:\Recovery\WindowsRE\RuntimeBroker.exe

MD5 c63f74bf817cee682824dd46e4ce6f20
SHA1 99e866bcfca39a4273f13795799d1f4d3bd06641
SHA256 8b4a898c3d88a3e0cafea621e85a524fb74786d20ea94ac29c042506e91474da
SHA512 aaeebb5f2ca208d1b89da51e0baa412a1275cb5d809636556dbbd861e0720bd903a6e844c583334a2c267f51885465d32da62a2096bf49c8422d7e8fa87f1ee7

C:\Recovery\WindowsRE\RuntimeBroker.exe

MD5 d5baab26ae15834ba3052bb01795d754
SHA1 a78b1ab5afbdcdaa568b03ef38713423acbdc8d4
SHA256 c71b8dbef4a28c306c4217d570ca32bfc0a18b5d1180889ea46323eecddfe551
SHA512 c7612dc866acff8f31ede2f4a1dbea6c97cc3b15f259a0c5b90a8aed26098806429351d37de5fba0ae5f1a5d6e787a96aeb71b3d00f927b770f0c785673579db

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_beqfi0og.ki3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\6UXRAQMNZZ.bat

MD5 7b2a9413aa466d4e1e7f42f13903b327
SHA1 aa6bb5abb9f9267069245bd64664f3f1f2609fab
SHA256 ade218a15f6c46ee24ebbf565f2c2e38ad77b1395b7cf1b8f63630d94cbc208f
SHA512 520942ff6dea181e1d177b50b482d00205b3b475a4469848e3b6ccec6dd951beb4f4a0a896c24b19f14a1a72cf51fa24bfd397a68e1220c203bf6aecba81d5d3