Analysis
max time kernel: 92s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 15-05-2024 11:18
Behavioral task: behavioral1
Sample: cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Size: 2.0MB
MD5: cf7d433c32279d2756c1e3a67e86b100
SHA1: 3fa407d870f47bc0566c98519d29229bfad39353
SHA256: dbadac74214c5322f8d6f4766163e43212c9d1085dfa9a2139f59ff01c87867b
SHA512: 365336fcb9b9f04f284071caeaadc5deb90be118ec837a957a9d9dcae7570d95430379c24bb8d2edf2ce783b2722bf3129da81c292a3b33692e3f28749e204b3
SSDEEP: 24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc
Malware Config
Signatures
DcRat 51 IoCs
DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.
Modifies WinLogon for persistence 2 TTPs 17 IoCs
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
resource  yara_rule
behavioral2/memory/852-1-0x0000000000510000-0x000000000071C000-memory.dmp  dcrat
C:\Program Files\Windows Sidebar\Gadgets\sihost.exe  dcrat
C:\Windows\it-IT\RuntimeBroker.exe  dcrat
C:\Windows\Sun\Java\Deployment\dllhost.exe  dcrat
C:\Users\Admin\services.exe  dcrat
C:\Recovery\WindowsRE\SppExtComObj.exe  dcrat
C:\Users\Admin\Saved Games\backgroundTaskHost.exe  dcrat
behavioral2/memory/3448-309-0x00000000009A0000-0x0000000000BAC000-memory.dmp  dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs
Processes:
pid  process
3448  backgroundTaskHost.exe
Adds Run key to start application 2 TTPs 34 IoCs
Drops file in Program Files directory 40 IoCs
Drops file in Windows directory 15 IoCs
Processes:
process: cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe (all 15 entries)
description                    ioc
File created                   C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\121e5b5079f7c0
File opened for modification   C:\Windows\it-IT\RCX604C.tmp
File opened for modification   C:\Windows\it-IT\RCX60CA.tmp
File opened for modification   C:\Windows\it-IT\RuntimeBroker.exe
File opened for modification   C:\Windows\Sun\Java\Deployment\RCX6552.tmp
File created                   C:\Windows\it-IT\RuntimeBroker.exe
File created                   C:\Windows\it-IT\9e8d7a4ca61bd9
File created                   C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\sysmon.exe
File opened for modification   C:\Windows\Sun\Java\Deployment\RCX65C0.tmp
File opened for modification   C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\RCX724D.tmp
File opened for modification   C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\RCX724C.tmp
File created                   C:\Windows\Sun\Java\Deployment\5940a34987c991
File opened for modification   C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\sysmon.exe
File created                   C:\Windows\Sun\Java\Deployment\dllhost.exe
File opened for modification   C:\Windows\Sun\Java\Deployment\dllhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
process: schtasks.exe (51 instances)
pid: 4916, 2620, 4180, 4088, 2288, 376, 396, 604, 1844, 964, 3084, 2060, 3432, 4992, 4748, 2336, 2056, 2284, 3460, 1296, 3672, 1676, 4012, 4516, 1824, 3308, 3984, 3064, 1380, 2368, 2912, 3372, 4472, 3936, 4040, 1160, 1392, 2844, 4716, 3248, 5020, 4520, 4856, 2892, 4628, 2496, 1692, 4200, 4620, 3520, 4976
-
Modifies registry class 1 IoCs
Processes:
process: cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
description   ioc
Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes:
processes: cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe, backgroundTaskHost.exe
pid    process
852    cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe (44 entries)
3448   backgroundTaskHost.exe (1 entry)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
processes: cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe, backgroundTaskHost.exe
description               pid    process
Token: SeDebugPrivilege   852    cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
Token: SeDebugPrivilege   3448   backgroundTaskHost.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
process: cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe
description                       pid   process                                               target process
PID 852 wrote to memory of 3448   852   cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe   backgroundTaskHost.exe
PID 852 wrote to memory of 3448   852   cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe   backgroundTaskHost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe (process tree level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\cf7d433c32279d2756c1e3a67e86b100_NeikiAnalytics.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Users\Admin\Saved Games\backgroundTaskHost.exe (process tree level 2)
  command line: "C:\Users\Admin\Saved Games\backgroundTaskHost.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\backgroundTaskHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\RuntimeBroker.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\services.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\sysmon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\sysmon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\pris\sysmon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\csrss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\shared\smss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\shared\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3460
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\backgroundTaskHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180
-
C:\Windows\system32\schtasks.exe (process tree level 1)
  command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\backgroundTaskHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Downloads