Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system -
submitted
15-05-2024 11:18
Behavioral task
behavioral1
Sample
cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
-
Size
2.0MB
-
MD5
cf7d433c32279d2756c1e3a67e86b100
-
SHA1
3fa407d870f47bc0566c98519d29229bfad39353
-
SHA256
dbadac74214c5322f8d6f4766163e43212c9d1085dfa9a2139f59ff01c87867b
-
SHA512
365336fcb9b9f04f284071caeaadc5deb90be118ec837a957a9d9dcae7570d95430379c24bb8d2edf2ce783b2722bf3129da81c292a3b33692e3f28749e204b3
-
SSDEEP
24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc
Malware Config
Signatures
-
DcRat 33 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
pid process
240 schtasks.exe
3044 schtasks.exe
1660 schtasks.exe
2820 schtasks.exe
1520 schtasks.exe
1932 schtasks.exe
1236 schtasks.exe
2352 schtasks.exe
1856 schtasks.exe
2624 schtasks.exe
2680 schtasks.exe
1040 schtasks.exe
2092 schtasks.exe
2032 schtasks.exe
2452 schtasks.exe
796 schtasks.exe
2472 schtasks.exe
2404 schtasks.exe
2420 schtasks.exe
1532 schtasks.exe
2732 schtasks.exe
2492 schtasks.exe
2612 schtasks.exe
2712 schtasks.exe
1584 schtasks.exe
2360 schtasks.exe
2656 schtasks.exe
2700 schtasks.exe
2284 schtasks.exe
312 schtasks.exe
1336 schtasks.exe
1188 schtasks.exe
2012 schtasks.exe
-
Modifies WinLogon for persistence 2 TTPs 11 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Program Files\\VideoLAN\\dwm.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Windows\\IME\\en-US\\spoolsv.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Program Files\\VideoLAN\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\WSS\\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
-
Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2360 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2472 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2656 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2492 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2404 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2352 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2420 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 240 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3044 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1856 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 312 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2612 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2680 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1660 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2712 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1520 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1040 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2092 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1584 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1932 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2700 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1532 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2284 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1336 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1188 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2732 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2012 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2032 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2452 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1236 2776 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 796 2776 schtasks.exe
-
Processes:
resource yara_rule
behavioral1/memory/1724-1-0x0000000000C90000-0x0000000000E9C000-memory.dmp dcrat
C:\Program Files\Internet Explorer\it-IT\services.exe dcrat
C:\Program Files (x86)\Common Files\spoolsv.exe dcrat
C:\Program Files\Internet Explorer\it-IT\services.exe dcrat
behavioral1/memory/1936-177-0x0000000000DD0000-0x0000000000FDC000-memory.dmp dcrat
-
Executes dropped EXE 1 IoCs
Processes:
pid process
1936 spoolsv.exe
-
Adds Run key to start application 2 TTPs 22 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\VideoLAN\\dwm.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dllhost.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Internet Explorer\\it-IT\\services.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Desktop\\dllhost.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Desktop\\dllhost.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\VideoLAN\\dwm.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\WSS\\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.en\\Idle.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\WSS\\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\IME\\en-US\\spoolsv.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\IME\\en-US\\spoolsv.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\audiodg.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\dwm.exe\"" cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
-
Drops file in Program Files directory 25 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX26CB.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\RCX3654.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File created C:\Program Files\Internet Explorer\it-IT\services.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File created C:\Program Files\VideoLAN\dwm.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Common Files\RCX2244.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files\VideoLAN\RCX344E.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files\VideoLAN\dwm.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files\Internet Explorer\it-IT\RCX293D.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files\VideoLAN\RCX344F.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File created C:\Program Files\VideoLAN\6cb0b6c459d5d3 cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\04c0b05ac7e333 cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Common Files\spoolsv.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files\Internet Explorer\it-IT\RCX28CF.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\42af1c969fbb7b cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Common Files\RCX22B2.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\RCX3653.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File created C:\Program Files (x86)\Common Files\f3b6ecef712a24 cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX26BB.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Program Files\Internet Explorer\it-IT\services.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File created C:\Program Files (x86)\Common Files\spoolsv.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File created C:\Program Files\Internet Explorer\it-IT\c5b4cb5e9653cc cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
-
Drops file in Windows directory 5 IoCs
Processes:
description ioc process
File created C:\Windows\IME\en-US\f3b6ecef712a24 cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Windows\IME\en-US\RCX24B6.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Windows\IME\en-US\RCX24B7.tmp cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File opened for modification C:\Windows\IME\en-US\spoolsv.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
File created C:\Windows\IME\en-US\spoolsv.exe cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid process
312 schtasks.exe
2360 schtasks.exe
2472 schtasks.exe
1660 schtasks.exe
2700 schtasks.exe
1336 schtasks.exe
3044 schtasks.exe
2624 schtasks.exe
2820 schtasks.exe
2012 schtasks.exe
2656 schtasks.exe
2352 schtasks.exe
1584 schtasks.exe
1932 schtasks.exe
1188 schtasks.exe
2732 schtasks.exe
1236 schtasks.exe
2404 schtasks.exe
2420 schtasks.exe
1532 schtasks.exe
2284 schtasks.exe
796 schtasks.exe
1856 schtasks.exe
2712 schtasks.exe
1520 schtasks.exe
1040 schtasks.exe
2092 schtasks.exe
2492 schtasks.exe
240 schtasks.exe
2680 schtasks.exe
2032 schtasks.exe
2612 schtasks.exe
2452 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid process
1724 cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
1936 spoolsv.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1724 cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Token: SeDebugPrivilege 1936 spoolsv.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description pid process target process
PID 1724 wrote to memory of 1936 1724 cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe spoolsv.exe
PID 1724 wrote to memory of 1936 1724 cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe spoolsv.exe
PID 1724 wrote to memory of 1936 1724 cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe spoolsv.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe"
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724 -
    C:\Windows\IME\en-US\spoolsv.exe
    "C:\Windows\IME\en-US\spoolsv.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\en-US\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\IME\en-US\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\en-US\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:312
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\it-IT\services.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\it-IT\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\dwm.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\dwm.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cf7d433c32279d2756c1e3a67e86b100_NeikiAnalyticsc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cf7d433c32279d2756c1e3a67e86b100_NeikiAnalyticsc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Downloads
-
Filesize
2.0MB
MD5 dee05215e09bc9b82c96109eb7b8b5be
SHA1 b3795a9715f4aadad598acdde007abdc111a7c5c
SHA256 27f902cfdac4de4d304c57f82af95ffffe5b3651ee880b933a7aba7bd1ba8d23
SHA512 9c3b876c1de08cd721b7085eb704524fa2e4901054b1a231ec3d16c68973752ad205e517bcec99a9659db2f9ded9ded5fe4b6f5bb6c5448d2dd572c1e7cfc7d0
-
Filesize
2.0MB
MD5 cf7d433c32279d2756c1e3a67e86b100
SHA1 3fa407d870f47bc0566c98519d29229bfad39353
SHA256 dbadac74214c5322f8d6f4766163e43212c9d1085dfa9a2139f59ff01c87867b
SHA512 365336fcb9b9f04f284071caeaadc5deb90be118ec837a957a9d9dcae7570d95430379c24bb8d2edf2ce783b2722bf3129da81c292a3b33692e3f28749e204b3
-
Filesize
2.0MB
MD5 163e97e19de5b4477e0bdbcd690839b3
SHA1 e487b532cb712fb86797c1304f5cfce81dc2b099
SHA256 029798dbaa509dbfbdd9f2b910f850896968f50bec2e7ffe8f52f34a630c52a5
SHA512 28edb87833ba1dc732006811e77d0bfa319436a9fd12dba103b739c402d44a9cbfcaae6665f740902f4bc8d496547c330547e64f1d2307c36186a2fdcdf98261