Analysis
- max time kernel: 93s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-05-2024 01:15
Behavioral task
- behavioral1
- Sample: 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
- Resource: win7-20240508-en
Note that the analysis details above (win10v2004-20240508-en) and the YARA hit recorded under behavioral2/memory/ in the signatures belong to the Windows 10 run; this box lists the companion Windows 7 task, behavioral1.
General
- Target: 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
- Size: 3.1MB
- MD5: 5758f08ee8daacd956d144b547105710
- SHA1: eb9a247be053dc3ffc9986add72c3c95b9a1dcd1
- SHA256: fc7b46480fd584b41761e56b5a4ac9c99ba65f3f09f5b96fc7379aaf279c7c1c
- SHA512: 2cd545ddc2e51cd5cedcf8040cacf66a0d60bfba4b92635ee7b2343e65808c939cfe961d61a50ebddbbdbc302ccec3db8b0b0a2ab5d4afcfbc2a61344f7d0c24
- SSDEEP: 49152:LbX4Wu2bK/B8fKsJOfivj+8TeCUN0LhZxs2AbBT7VWernS5D+oCPgpifYulI2a:/4W9K/KTag9BUNWS7JnS5qoBifHva
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
-
Process spawned unexpected child process 30 IoCs
The generic description of this signature is that the parent process was compromised via an exploit or macro. Here every entry has the same parent, C:\Windows\system32\wbem\wmiprvse.exe (PID 2776), which is the WMI provider host: a process created through WMI (Win32_Process.Create) is parented by wmiprvse.exe rather than by the caller, so the sample is launching schtasks.exe through WMI instead of as a direct child of PID 1116. Hunt for schtasks.exe (or any LOLBin) whose parent is wmiprvse.exe rather than for a compromised parent.
Processes (parent 2776 C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process):
- schtasks.exe, PIDs 4700, 2528, 2752, 5028, 4696, 1428, 724, 4516, 2656, 2352, 2316, 4884, 3196, 4868, 428, 2032, 4440, 8, 4856, 4808, 2072, 1168, 1760, 3876, 4844, 1748, 4036, 3736, 2744, 448
UAC bypass 9 IoCs
Each of the three processes tagged with this signature in the process tree (the sample and both fontdrvhost.exe instances) writes the same three values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: EnableLUA = 0 (UAC off, effective after the next restart), ConsentPromptBehaviorAdmin = 0 (administrators elevate without a prompt) and PromptOnSecureDesktop = 0 (any remaining prompt is not shown on the secure desktop).
Processes:
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
DcRat payload 2 IoCs
YARA matches (rule: dcrat):
- behavioral2/memory/1116-1-0x0000000000A80000-0x0000000000DA0000-memory.dmp
- C:\Recovery\WindowsRE\dllhost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run all eleven invocations use Add-MpPreference -ExclusionPath, one for the drive root 'C:/' and one for each top-level directory of C: (see the process tree); because folder exclusions are recursive, the root exclusion alone already covers every path the sample later drops to, and the other ten are redundant.
Processes:
- powershell.exe, PIDs 1512, 3232, 704, 4936, 4312, 4612, 4836, 1424, 4684, 4280, 3444
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
- 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe: Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
- fontdrvhost.exe: Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 2 IoCs
fontdrvhost.exe is also the name of the legitimate user-mode font driver host in C:\Windows\System32; the dropped copy runs from C:\Recovery\WindowsRE\, so the path, not the image name, is the indicator.
Processes:
- 4812 fontdrvhost.exe
- 4228 fontdrvhost.exe
Checks whether UAC is enabled 6 IoCs
Processes:
- 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- fontdrvhost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- fontdrvhost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 1: ip-api.com
Drops file in Program Files directory 4 IoCs
Processes (all by 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe):
- File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe
- File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\eddb19405b7ce1
- File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCX718F.tmp
- File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe
Drops file in Windows directory 8 IoCs
Processes (all by 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe):
- File opened for modification C:\Windows\TAPI\RCX6B04.tmp
- File opened for modification C:\Windows\TAPI\TextInputHost.exe
- File created C:\Windows\L2Schemas\RuntimeBroker.exe
- File created C:\Windows\L2Schemas\9e8d7a4ca61bd9
- File created C:\Windows\TAPI\TextInputHost.exe
- File created C:\Windows\TAPI\22eafd247d37c3
- File opened for modification C:\Windows\L2Schemas\RCX64F8.tmp
- File opened for modification C:\Windows\L2Schemas\RuntimeBroker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe, PIDs 3196, 4856, 2744, 4696, 4440, 8, 3876, 4844, 4036, 3736, 2528, 2656, 2352, 428, 448, 1428, 724, 4516, 1748, 2752, 4884, 2032, 4808, 2072, 1168, 5028, 2316, 4868, 1760, 4700
Modifies registry class 2 IoCs
Processes:
- 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- fontdrvhost.exe: Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (one entry per IoC in the original, collapsed here by PID):
- 1116 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe (40 entries)
- powershell.exe: 4312 (3), 4280 (2), 4836 (2), 704 (2), 4612 (2), 1424 (2), 4936 (2), 1512 (2), 3444 (2), 3232 (2), 4684 (3)
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes (Token: SeDebugPrivilege in every case):
- 1116 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
- powershell.exe: 4312, 4280, 4836, 704, 4612, 1424, 4936, 1512, 3232, 4684, 3444
- fontdrvhost.exe: 4812, 4228
Suspicious use of WriteProcessMemory 30 IoCs
Processes (each pair is listed twice in the original; 15 distinct parent/target pairs):
- 1116 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe wrote to memory of powershell.exe PIDs 4312, 4612, 4684, 4280, 3444, 4836, 1424, 1512, 3232, 704, 4936
- 1116 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe wrote to memory of 4812 fontdrvhost.exe
- 4812 fontdrvhost.exe wrote to memory of 2752 WScript.exe and 4820 WScript.exe
- 2752 WScript.exe wrote to memory of 4228 fontdrvhost.exe
PID 2752 also appears above as one of the schtasks.exe instances spawned by wmiprvse.exe: the sandbox reuses PIDs within a run, so correlate on PID together with process start time rather than on the PID alone.
System policy modification 1 TTPs 9 IoCs
Processes:
- 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- 5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- fontdrvhost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
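The Defender exclusion commands and the UAC policy writes above are both easy to pick out of process-creation and registry-set telemetry. The following is an added example written for this page, not part of the sandbox report or of DcRat. The event records are constructed here from the report's own command lines and registry values, plus one labelled benign control of each kind; the severity threshold (a path exclusion at the drive root or one level below it counts as broad) is an assumption for the example. The normalisation of 'C:/' to 'C:\' is only so that paths compare; no claim is made about how Defender itself interprets the forward-slash form.

```python
import re
from pathlib import PureWindowsPath

# Values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# whose listed data weakens UAC (what the sample and fontdrvhost.exe write).
UAC_WEAKENING = {
    "EnableLUA": 0,                   # UAC off entirely (effective after the next restart)
    "ConsentPromptBehaviorAdmin": 0,  # administrators elevate with no prompt at all
    "PromptOnSecureDesktop": 0,       # whatever prompt remains is not on the secure desktop
}
POLICY_KEY_SUFFIX = r"\microsoft\windows\currentversion\policies\system"

# Add-MpPreference -ExclusionPath / -ExclusionExtension / -ExclusionProcess <value>
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPED = r"C:\Recovery\WindowsRE\fontdrvhost.exe"
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed telemetry. The first three command lines and the three registry writes are
# copied from the report; the last entry of each kind is a benign control added for contrast.
EVENTS = [
    {"type": "process", "image": PS, "cmdline": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'"},
    {"type": "process", "image": PS, "cmdline": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'"},
    {"type": "process", "image": PS, "cmdline": "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'"},
    {"type": "process", "image": PS, "cmdline": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\dev\\build\\'"},
    {"type": "registry", "image": DROPPED, "key": POLICY_KEY, "value": "EnableLUA", "data": 0},
    {"type": "registry", "image": DROPPED, "key": POLICY_KEY, "value": "ConsentPromptBehaviorAdmin", "data": 0},
    {"type": "registry", "image": DROPPED, "key": POLICY_KEY, "value": "PromptOnSecureDesktop", "data": 0},
    {"type": "registry", "image": r"C:\Windows\regedit.exe", "key": POLICY_KEY, "value": "DontDisplayLastUserName", "data": 1},
]


def parse_exclusion(cmdline):
    """Return (kind, value) for an Add-MpPreference exclusion, or None if the command is not one."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    kind = m.group(1).lower()
    value = next(g for g in m.groups()[1:] if g is not None)
    if kind == "path":
        # The sample passes forward slashes; normalise only so that paths compare below.
        value = value.replace("/", "\\")
    return kind, value


def exclusion_breadth(path):
    """Directory depth below the drive: 0 = the whole drive, 1 = a top-level directory."""
    p = PureWindowsPath(path)
    return len(p.parts) - 1 if p.drive else len(p.parts)


def analyse(events):
    """Apply the two rules to process and registry events and return the findings."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            parsed = parse_exclusion(ev["cmdline"])
            if parsed is None:
                continue
            kind, value = parsed
            # Extension and process exclusions apply everywhere; a path exclusion at the
            # drive root or one level below it blinds Defender to most of the disk.
            broad = kind != "path" or exclusion_breadth(value) <= 1
            findings.append({"rule": "defender_exclusion", "severity": "high" if broad else "medium",
                             "detail": f"{kind}={value}", "image": ev["image"]})
        elif ev["type"] == "registry":
            if not ev["key"].lower().endswith(POLICY_KEY_SUFFIX):
                continue
            if UAC_WEAKENING.get(ev["value"]) == ev["data"]:
                findings.append({"rule": "uac_weakened", "severity": "high",
                                 "detail": f"{ev['value']}={ev['data']}", "image": ev["image"]})
    return findings


def exclusion_paths(events):
    """All -ExclusionPath values seen, normalised to backslashes."""
    out = []
    for ev in events:
        if ev["type"] == "process":
            parsed = parse_exclusion(ev["cmdline"])
            if parsed and parsed[0] == "path":
                out.append(parsed[1])
    return out


def covered_by(exclusions, path):
    """True if path equals or lies under an excluded directory (folder exclusions are recursive)."""
    target = PureWindowsPath(path)
    return any(PureWindowsPath(ex) == target or PureWindowsPath(ex) in target.parents for ex in exclusions)


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f['severity']:6} {f['rule']:19} {f['detail']}  ({f['image']})")
    excl = exclusion_paths(EVENTS)
    for dropped in (r"C:\Recovery\WindowsRE\dllhost.exe", r"C:\Windows\TAPI\TextInputHost.exe"):
        print("covered" if covered_by(excl, dropped) else "not covered", dropped)
```

Run stand-alone it prints seven findings (the constructed C:\dev\build\ exclusion scores medium, everything from the report scores high) and shows that both drop paths are covered, which they would be even without the ten directory-specific exclusions: the root exclusion does all the work.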
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The bracketed number is the depth in the process tree (1 = root).

[1] C:\Users\Admin\AppData\Local\Temp\5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe"
    PID: 1116
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    The eleven powershell.exe children below each carry the same three tags: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken.

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 4312
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 4612
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 4684
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 4280
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 3444
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 4836
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 1424
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 1512
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 3232
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 704
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 4936
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

    [2] C:\Recovery\WindowsRE\fontdrvhost.exe
        Command line: "C:\Recovery\WindowsRE\fontdrvhost.exe"
        PID: 4812
        - UAC bypass
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [3] C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcf1e752-5283-4246-9020-ba7176321f64.vbs"
            PID: 2752
            - Suspicious use of WriteProcessMemory

            [4] C:\Recovery\WindowsRE\fontdrvhost.exe
                Command line: C:\Recovery\WindowsRE\fontdrvhost.exe
                PID: 4228
                - UAC bypass
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Suspicious use of AdjustPrivilegeToken
                - System policy modification

        [3] C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84b97705-407f-4ca2-880e-b8626fdd5eb5.vbs"
            PID: 4820
The 30 schtasks.exe instances below all sit at depth 1 (their parent, wmiprvse.exe PID 2776, is not part of the tree) and each carries the same two tags: Process spawned unexpected child process; Creates scheduled task(s). They are created in triplets per target path: a MINUTE task with the default run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST (C:\Recovery\WindowsRE\dllhost.exe receives two such triplets). Because /f overwrites an existing task of the same name, the reused names (dllhostd, dllhost, RuntimeBrokerR, RuntimeBroker) leave only the last definition of each name registered.

[1] C:\Windows\system32\schtasks.exe, PID 4700
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
[1] C:\Windows\system32\schtasks.exe, PID 2528
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 2752
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 5028
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
[1] C:\Windows\system32\schtasks.exe, PID 4696
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 1428
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 724
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
[1] C:\Windows\system32\schtasks.exe, PID 4516
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 2656
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 2352
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /f
[1] C:\Windows\system32\schtasks.exe, PID 2316
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 4884
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 3196
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
[1] C:\Windows\system32\schtasks.exe, PID 4868
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 428
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 2032
    schtasks.exe /create /tn "5758f08ee8daacd956d144b547105710_NeikiAnalytics5" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe'" /f
[1] C:\Windows\system32\schtasks.exe, PID 4440
    schtasks.exe /create /tn "5758f08ee8daacd956d144b547105710_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 8
    schtasks.exe /create /tn "5758f08ee8daacd956d144b547105710_NeikiAnalytics5" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\5758f08ee8daacd956d144b547105710_NeikiAnalytics.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 4808
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\TextInputHost.exe'" /f
[1] C:\Windows\system32\schtasks.exe, PID 4856
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\TAPI\TextInputHost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 2072
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\TextInputHost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 1760
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
[1] C:\Windows\system32\schtasks.exe, PID 1168
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 3876
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 4844
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\dllhost.exe'" /f
[1] C:\Windows\system32\schtasks.exe, PID 1748
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\dllhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 4036
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\dllhost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 3736
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /f
[1] C:\Windows\system32\schtasks.exe, PID 2744
    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\schtasks.exe, PID 448
    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f
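A triage of the schtasks command lines above, as an added example written for this page and not code from the sandbox report or from DcRat. It parses each /create command into task name, schedule, target and run level, records the unique persistence targets, and flags the three properties that stand out in this run: the parent is wmiprvse.exe (process creation through WMI), the task runs with /rl HIGHEST, and the target borrows the name of a Windows binary while living outside the directories that binary belongs in. The event records are constructed from a subset of the report's command lines plus two labelled benign controls; SYSTEM_DIRS and SYSTEM_NAMES are assumptions for the example and would come from an image inventory in practice. The allowlist is by specific directory rather than by the C:\Windows prefix, because C:\Windows\L2Schemas and C:\Windows\TAPI are under C:\Windows and are still the wrong place for RuntimeBroker.exe and TextInputHost.exe.

```python
import re
from pathlib import PureWindowsPath

WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"


def _ev(pid, parent_image, image, cmdline):
    return {"pid": pid, "parent_image": parent_image, "image": image, "cmdline": cmdline}


# Constructed process-creation events. The first seven command lines are copied from the
# report's process tree (their parent there is wmiprvse.exe, PID 2776); the last two are
# benign controls added for contrast and are not from the report.
SAMPLE_EVENTS = [
    _ev(4700, WMIPRVSE, SCHTASKS, r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f'''),
    _ev(2528, WMIPRVSE, SCHTASKS, r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f'''),
    _ev(2752, WMIPRVSE, SCHTASKS, r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f'''),
    _ev(2316, WMIPRVSE, SCHTASKS, r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f'''),
    _ev(2072, WMIPRVSE, SCHTASKS, r'''schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\TextInputHost.exe'" /rl HIGHEST /f'''),
    _ev(1748, WMIPRVSE, SCHTASKS, r'''schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\dllhost.exe'" /rl HIGHEST /f'''),
    _ev(2744, WMIPRVSE, SCHTASKS, r'''schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f'''),
    _ev(9001, r"C:\Windows\System32\cmd.exe", SCHTASKS, r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'''),
    _ev(9002, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Assumed allowlist for the example: where binaries with these names legitimately live.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\SystemApps")
SYSTEM_NAMES = {"fontdrvhost.exe", "dllhost.exe", "dwm.exe", "runtimebroker.exe",
                "textinputhost.exe", "backgroundtaskhost.exe"}

OPT_VALUE = r'"([^"]*)"|(\S+)'   # a quoted or a bare option value


def _opt(cmdline, name):
    """Value of the schtasks option /name, or None if it is absent."""
    m = re.search(rf"(?:^|\s)/{name}\s+(?:{OPT_VALUE})", cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks_create(cmdline):
    """Parse a schtasks /create command line into its persistence-relevant fields."""
    if not re.search(r"\bschtasks(?:\.exe)?\b.*\s/create\b", cmdline, re.IGNORECASE):
        return None
    target = _opt(cmdline, "tr")
    return {
        "name": _opt(cmdline, "tn"),
        "schedule": (_opt(cmdline, "sc") or "").upper(),
        "interval": _opt(cmdline, "mo"),
        # the sample wraps the target in an extra pair of single quotes inside the double quotes
        "target": target.strip("'") if target else None,
        "runlevel": (_opt(cmdline, "rl") or "LIMITED").upper(),  # schtasks default is LIMITED
    }


def is_masquerade(path):
    """A well-known Windows binary name executing from outside the directories it belongs in."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM_NAMES:
        return False
    # Match specific directories, not the C:\Windows prefix (PureWindowsPath compares case-insensitively).
    return not any(PureWindowsPath(d) in p.parents for d in SYSTEM_DIRS)


def triage(events):
    """Return (parsed tasks, findings) for every schtasks /create among the events."""
    tasks, findings = [], []
    for ev in events:
        task = parse_schtasks_create(ev["cmdline"])
        if task is None:
            continue
        task["pid"] = ev["pid"]
        tasks.append(task)
        reasons = []
        if PureWindowsPath(ev["parent_image"]).name.lower() == "wmiprvse.exe":
            reasons.append("spawned via WMI (parent wmiprvse.exe)")
        if task["runlevel"] == "HIGHEST":
            reasons.append("runs elevated (/rl HIGHEST)")
        if task["schedule"] == "MINUTE":
            reasons.append("relaunch loop (/sc MINUTE)")
        if task["target"] and is_masquerade(task["target"]):
            reasons.append("system binary name outside system directories")
        if reasons:
            findings.append({"pid": ev["pid"], "task": task["name"], "target": task["target"], "reasons": reasons})
    return tasks, findings


def persistence_targets(tasks):
    """Unique executables the tasks point at: the files to collect and the paths to block."""
    return sorted({t["target"] for t in tasks if t["target"]}, key=str.lower)


if __name__ == "__main__":
    tasks, findings = triage(SAMPLE_EVENTS)
    for f in findings:
        print(f"PID {f['pid']:>5} task {f['task']!r:<22} -> {f['target']}")
        for r in f["reasons"]:
            print("           *", r)
    print("persistence targets:", *persistence_targets(tasks), sep="\n  ")
```

The constructed NightlyBackup task parses like the others but produces no finding: ordinary parent, default run level, daily schedule, and a target name that is not on the masquerade list. Run against the full set of 30 command lines the same code yields the nine persistence targets listed in the tree.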
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
The page does not name these files; the first entry is the submitted sample itself (its hashes match the General section).
- Filesize: 3.1MB
  MD5: 5758f08ee8daacd956d144b547105710
  SHA1: eb9a247be053dc3ffc9986add72c3c95b9a1dcd1
  SHA256: fc7b46480fd584b41761e56b5a4ac9c99ba65f3f09f5b96fc7379aaf279c7c1c
  SHA512: 2cd545ddc2e51cd5cedcf8040cacf66a0d60bfba4b92635ee7b2343e65808c939cfe961d61a50ebddbbdbc302ccec3db8b0b0a2ab5d4afcfbc2a61344f7d0c24
- Filesize: 1KB
  MD5: 49b64127208271d8f797256057d0b006
  SHA1: b99bd7e2b4e9ed24de47fb3341ea67660b84cca1
  SHA256: 2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77
  SHA512: f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 944B
  MD5: cadef9abd087803c630df65264a6c81c
  SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
  SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
  SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
- Filesize: 944B
  MD5: bd5940f08d0be56e65e5f2aaf47c538e
  SHA1: d7e31b87866e5e383ab5499da64aba50f03e8443
  SHA256: 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6
  SHA512: c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406
- Filesize: 944B
  MD5: 6d42b6da621e8df5674e26b799c8e2aa
  SHA1: ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
  SHA256: 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
  SHA512: 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
- Filesize: 944B
  MD5: e243a38635ff9a06c87c2a61a2200656
  SHA1: ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
  SHA256: af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
  SHA512: 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
- Filesize: 489B
  MD5: 67be684c69397ec70be5cc628671dcad
  SHA1: 24ce9bf4ece797763c42e10f3d985b3e5e8a5ea9
  SHA256: 463480e92f7e1789a797a802b667668dda1a210e5f73d08b664e5a7ecfa134f9
  SHA512: 46163ff761719e04cc8e3871f7a5235fc27716c41e328b6fe6f2d2dccf4e72097941292bec73095e17ca7b70775725d0116c830b320ca41082e4728b06928e67
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 713B
  MD5: 391ba7214d1e65ef0a7282574b5c243a
  SHA1: 43600dadb96c1fb49ee71d56de54546d062cfa78
  SHA256: de51e9238b36419e3563358a25d188deadd574bcd8f13d179cd54f0af191aef8
  SHA512: 9c4f07fccdbf41627968fa054e4f2d812e88516edaa0902da16b7f908596f1b3406e951c8d2a32acebff861b7ba807bc5fbc32d5d0d06a0f2843cefb1635acf4