Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-05-2024 11:18

General

  • Target

    cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe

  • Size

    2.0MB

  • MD5

    cf7d433c32279d2756c1e3a67e86b100

  • SHA1

    3fa407d870f47bc0566c98519d29229bfad39353

  • SHA256

    dbadac74214c5322f8d6f4766163e43212c9d1085dfa9a2139f59ff01c87867b

  • SHA512

    365336fcb9b9f04f284071caeaadc5deb90be118ec837a957a9d9dcae7570d95430379c24bb8d2edf2ce783b2722bf3129da81c292a3b33692e3f28749e204b3

  • SSDEEP

    24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc

Malware Config

Signatures

  • DcRat 33 IoCs

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 11 IoCs
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 22 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\IME\en-US\spoolsv.exe
      "C:\Windows\IME\en-US\spoolsv.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2360
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2492
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2404
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\en-US\spoolsv.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\IME\en-US\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\en-US\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\it-IT\services.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\dwm.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\dwm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cf7d433c32279d2756c1e3a67e86b100_NeikiAnalyticsc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cf7d433c32279d2756c1e3a67e86b100_NeikiAnalyticsc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Common Files\spoolsv.exe

    Filesize

    2.0MB

    MD5

    dee05215e09bc9b82c96109eb7b8b5be

    SHA1

    b3795a9715f4aadad598acdde007abdc111a7c5c

    SHA256

    27f902cfdac4de4d304c57f82af95ffffe5b3651ee880b933a7aba7bd1ba8d23

    SHA512

    9c3b876c1de08cd721b7085eb704524fa2e4901054b1a231ec3d16c68973752ad205e517bcec99a9659db2f9ded9ded5fe4b6f5bb6c5448d2dd572c1e7cfc7d0

  • C:\Program Files\Internet Explorer\it-IT\services.exe

    Filesize

    2.0MB

    MD5

    cf7d433c32279d2756c1e3a67e86b100

    SHA1

    3fa407d870f47bc0566c98519d29229bfad39353

    SHA256

    dbadac74214c5322f8d6f4766163e43212c9d1085dfa9a2139f59ff01c87867b

    SHA512

    365336fcb9b9f04f284071caeaadc5deb90be118ec837a957a9d9dcae7570d95430379c24bb8d2edf2ce783b2722bf3129da81c292a3b33692e3f28749e204b3

  • C:\Program Files\Internet Explorer\it-IT\services.exe

    Filesize

    2.0MB

    MD5

    163e97e19de5b4477e0bdbcd690839b3

    SHA1

    e487b532cb712fb86797c1304f5cfce81dc2b099

    SHA256

    029798dbaa509dbfbdd9f2b910f850896968f50bec2e7ffe8f52f34a630c52a5

    SHA512

    28edb87833ba1dc732006811e77d0bfa319436a9fd12dba103b739c402d44a9cbfcaae6665f740902f4bc8d496547c330547e64f1d2307c36186a2fdcdf98261

  • memory/1724-8-0x0000000000410000-0x000000000041C000-memory.dmp

    Filesize

    48KB

  • memory/1724-10-0x00000000005E0000-0x00000000005EC000-memory.dmp

    Filesize

    48KB

  • memory/1724-5-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/1724-6-0x0000000000530000-0x0000000000546000-memory.dmp

    Filesize

    88KB

  • memory/1724-7-0x000000001ADD0000-0x000000001AE26000-memory.dmp

    Filesize

    344KB

  • memory/1724-0-0x000007FEF5C33000-0x000007FEF5C34000-memory.dmp

    Filesize

    4KB

  • memory/1724-9-0x0000000000550000-0x000000000055C000-memory.dmp

    Filesize

    48KB

  • memory/1724-4-0x0000000000260000-0x0000000000268000-memory.dmp

    Filesize

    32KB

  • memory/1724-11-0x00000000005F0000-0x00000000005FE000-memory.dmp

    Filesize

    56KB

  • memory/1724-12-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

    Filesize

    56KB

  • memory/1724-13-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

    Filesize

    40KB

  • memory/1724-3-0x0000000000240000-0x000000000025C000-memory.dmp

    Filesize

    112KB

  • memory/1724-2-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

    Filesize

    9.9MB

  • memory/1724-1-0x0000000000C90000-0x0000000000E9C000-memory.dmp

    Filesize

    2.0MB

  • memory/1724-178-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

    Filesize

    9.9MB

  • memory/1936-177-0x0000000000DD0000-0x0000000000FDC000-memory.dmp

    Filesize

    2.0MB