Analysis
- max time kernel: 138s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-05-2024 12:33
Behavioral task: behavioral1
- Sample: d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
- Size: 2.7MB
- MD5: d22711d7b799dc3db2c419f2fd5f9430
- SHA1: 4ffaadc81a24afaad091adb758bc41361b9c6197
- SHA256: ac642f44dade714a85fb5d214db6250cab8e0934058dda42e9c369dabba97c71
- SHA512: 331f3b6fc9155592062c06be8fabf595ea24dbc2af5af490e91b59dd6799b6c19badfa579867801c47502b9aea2cb0526e3b75fa4d063e64366e06c2e62ed1ee
- SSDEEP: 49152:yH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:yHfE5Ad8Xd295UmGc
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech_OneCore\\Engines\\TTS\\en-US\\RuntimeBroker.exe\"" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech_OneCore\\Engines\\TTS\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\csrss.exe\"" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 392 | 5044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3972 | 5044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5052 | 5044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1932 | 5044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3328 | 5044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4152 | 5044 | schtasks.exe
-
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
-
Processes:
resource | yara_rule
behavioral2/memory/4980-1-0x00000000001C0000-0x0000000000480000-memory.dmp | dcrat
C:\Windows\Speech_OneCore\Engines\TTS\en-US\RuntimeBroker.exe | dcrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
4432 | csrss.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\csrss.exe\"" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Speech_OneCore\\Engines\\TTS\\en-US\\RuntimeBroker.exe\"" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Speech_OneCore\\Engines\\TTS\\en-US\\RuntimeBroker.exe\"" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\csrss.exe\"" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
-
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX8109.tmp | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\886983d96e3d3e | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Speech_OneCore\Engines\TTS\en-US\RuntimeBroker.exe | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
File opened for modification | C:\Windows\Speech_OneCore\Engines\TTS\en-US\RuntimeBroker.exe | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
File created | C:\Windows\Speech_OneCore\Engines\TTS\en-US\9e8d7a4ca61bd9 | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
File opened for modification | C:\Windows\Speech_OneCore\Engines\TTS\en-US\RCX7EF5.tmp | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
5052 | schtasks.exe
1932 | schtasks.exe
3328 | schtasks.exe
4152 | schtasks.exe
392 | schtasks.exe
3972 | schtasks.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes:
pid | process | entries
4980 | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe | 12
212 | powershell.exe | 2
4432 | csrss.exe | 24
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4980 | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Token: SeDebugPrivilege | 212 | powershell.exe
Token: SeDebugPrivilege | 4432 | csrss.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 4980 wrote to memory of 212 | 4980 | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe | powershell.exe
PID 4980 wrote to memory of 212 | 4980 | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe | powershell.exe
PID 4980 wrote to memory of 3304 | 4980 | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe | cmd.exe
PID 4980 wrote to memory of 3304 | 4980 | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe | cmd.exe
PID 3304 wrote to memory of 1696 | 3304 | cmd.exe | w32tm.exe
PID 3304 wrote to memory of 1696 | 3304 | cmd.exe | w32tm.exe
PID 3304 wrote to memory of 4432 | 3304 | cmd.exe | csrss.exe
PID 3304 wrote to memory of 4432 | 3304 | cmd.exe | csrss.exe
-
System policy modification 1 TTPs 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | csrss.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe (PID 4980)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d22711d7b799dc3db2c419f2fd5f9430_NeikiAnalytics.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 212)
    Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 3304)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A37ewxymSE.bat"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\w32tm.exe (PID 1696)
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe (PID 4432)
      Command line: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe"
      Signatures:
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
- C:\Windows\system32\schtasks.exe (PID 392)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\RuntimeBroker.exe'" /f
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 3972)
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 5052)
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1932)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /f
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 3328)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4152)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\csrss.exe'" /rl HIGHEST /f
  Signatures:
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads
- Filesize: 238B
  MD5: e71631470d8f5bd6de86309ae4842e33
  SHA1: 93aba1c69532f5195eb1b55dd1248c5452978467
  SHA256: 8eee39d0a206874d5652d0c81e489c4e6e354dad852fd6d4096191effa3638ce
  SHA512: 14f8eda2fad66e2d6a6db3fa017dd0f2cca14b975523f5761b52c208e35e4522118bdf589484c86692f82503f8b6bb63ecfb8244a8602d7c48c8b681aab09e41
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 2.7MB
  MD5: d22711d7b799dc3db2c419f2fd5f9430
  SHA1: 4ffaadc81a24afaad091adb758bc41361b9c6197
  SHA256: ac642f44dade714a85fb5d214db6250cab8e0934058dda42e9c369dabba97c71
  SHA512: 331f3b6fc9155592062c06be8fabf595ea24dbc2af5af490e91b59dd6799b6c19badfa579867801c47502b9aea2cb0526e3b75fa4d063e64366e06c2e62ed1ee