Analysis

  • max time kernel: 117s
  • max time network: 117s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 16-05-2024 02:46

General

  • Target: 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  • Size: 2.7MB
  • MD5: 842d88a85052060e936fdc2ea92b43a0
  • SHA1: 4c2a334ee317b586bd284f5e4f514801cc65f3c5
  • SHA256: 6ced96c3c9f628cd9caa61fdc4d146a792a612539c923de90a93414099f4eddb
  • SHA512: b6abab1932024a1c477716dc84c7b60714ec6e712cc5ce104c078972a20e89554b20c588233c5be33fef8a02ee10d653d34c9a3d0c490a596d6a068d1fa6c1eb
  • SSDEEP: 49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Modifies WinLogon for persistence (2 TTPs, 9 IoCs)
  • Process spawned unexpected child process (27 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass (3 TTPs, 6 IoCs)
  • DCRat payload (5 IoCs)

    Detects the payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 18 IoCs)
  • Checks whether UAC is enabled (1 TTP, 4 IoCs)
  • Drops file in Program Files directory (16 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Creates scheduled task(s) (1 TTP, 27 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (63 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • System policy modification (1 TTP, 6 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1280
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J4ecGZdzFA.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:572
        • C:\Program Files (x86)\Uninstall Information\taskhost.exe
          "C:\Program Files (x86)\Uninstall Information\taskhost.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:2068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1380
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2708
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1360
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2744
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics8" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2160
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics8" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:872
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1440
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\audiodg.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1256
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2980
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2752
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2188
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1916
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsass.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:604

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Uninstall Information\taskhost.exe
      Filesize: 2.7MB
      MD5: ae624a87c9ff606c9145aae0a44aac94
      SHA1: 31d161fa9a297d4ec1d7d5004a59686fd7f84c04
      SHA256: 839c430e1c22f5a5d6e83257b0581fe05733e4bea09d8903b1defe872a0fe655
      SHA512: 1d9cc60afc4d3d876524216ffc9833298ddf05d45731e1b34321aac4e0ea5f61076ed0e255c5590fc6e8e4c43e4139e81dbefce64edff2920b75eb9375021105

    • C:\Users\Admin\AppData\Local\Temp\J4ecGZdzFA.bat
      Filesize: 222B
      MD5: 13eb83412fde6b99e9ededb2127960c9
      SHA1: 03b4e85488cfdb3094278337d9f9cef049e6c6b6
      SHA256: addc3326f05360cf9e79117b8492a7980298d83cacc977841a23e5c8844e230d
      SHA512: 1db95f03fa144b383c7c8dfcea7f082eb2414ed751bee02033fac96c9d23a1713fb5d5214bb1574b318f8c4ef1bfe71a8949fc2bfbc04e48b656319252722fee

    • C:\Users\Default\RCX3126.tmp
      Filesize: 2.7MB
      MD5: 73c24f844a0956368802a3452aaac5f8
      SHA1: 6f0f376169076d420d2c7880eb595718c2ce6d5b
      SHA256: 3efe7d2109957de103b0259ec8f4a3fcdb1f33cbf5bb53e6842fd51e2d63d276
      SHA512: 219ca88b9a6d0bf9f14b7023ee27b22f236cccfed23dab62c53d2f77ed5fb1ccfa0daafaf6e021df2af2eed2e766198777577409834d19ab1f4a33ecc05a21a9

    • C:\Windows\Vss\Writers\Application\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
      Filesize: 2.7MB
      MD5: 842d88a85052060e936fdc2ea92b43a0
      SHA1: 4c2a334ee317b586bd284f5e4f514801cc65f3c5
      SHA256: 6ced96c3c9f628cd9caa61fdc4d146a792a612539c923de90a93414099f4eddb
      SHA512: b6abab1932024a1c477716dc84c7b60714ec6e712cc5ce104c078972a20e89554b20c588233c5be33fef8a02ee10d653d34c9a3d0c490a596d6a068d1fa6c1eb

    • memory/1280-117-0x000000001B580000-0x000000001B862000-memory.dmp (Filesize: 2.9MB)
    • memory/1280-118-0x0000000001E60000-0x0000000001E68000-memory.dmp (Filesize: 32KB)
    • memory/2068-122-0x0000000000C30000-0x0000000000EF0000-memory.dmp (Filesize: 2.8MB)
    • memory/2156-15-0x0000000002280000-0x000000000228C000-memory.dmp (Filesize: 48KB)
    • memory/2156-20-0x000000001A9C0000-0x000000001A9C8000-memory.dmp (Filesize: 32KB)
    • memory/2156-9-0x0000000000790000-0x0000000000798000-memory.dmp (Filesize: 32KB)
    • memory/2156-10-0x00000000007B0000-0x00000000007C0000-memory.dmp (Filesize: 64KB)
    • memory/2156-11-0x00000000007A0000-0x00000000007AA000-memory.dmp (Filesize: 40KB)
    • memory/2156-12-0x000000001ADD0000-0x000000001AE26000-memory.dmp (Filesize: 344KB)
    • memory/2156-13-0x00000000007C0000-0x00000000007C8000-memory.dmp (Filesize: 32KB)
    • memory/2156-17-0x0000000002490000-0x000000000249C000-memory.dmp (Filesize: 48KB)
    • memory/2156-16-0x00000000022A0000-0x00000000022A8000-memory.dmp (Filesize: 32KB)
    • memory/2156-0-0x000007FEF5843000-0x000007FEF5844000-memory.dmp (Filesize: 4KB)
    • memory/2156-14-0x0000000002290000-0x0000000002298000-memory.dmp (Filesize: 32KB)
    • memory/2156-18-0x00000000024A0000-0x00000000024AC000-memory.dmp (Filesize: 48KB)
    • memory/2156-19-0x00000000024B0000-0x00000000024B8000-memory.dmp (Filesize: 32KB)
    • memory/2156-8-0x00000000006E0000-0x00000000006E8000-memory.dmp (Filesize: 32KB)
    • memory/2156-21-0x000000001A9D0000-0x000000001A9DC000-memory.dmp (Filesize: 48KB)
    • memory/2156-22-0x000000001A9E0000-0x000000001A9EC000-memory.dmp (Filesize: 48KB)
    • memory/2156-23-0x000000001A9F0000-0x000000001A9F8000-memory.dmp (Filesize: 32KB)
    • memory/2156-25-0x000000001AF30000-0x000000001AF3C000-memory.dmp (Filesize: 48KB)
    • memory/2156-24-0x000000001AE20000-0x000000001AE2A000-memory.dmp (Filesize: 40KB)
    • memory/2156-26-0x000007FEF5840000-0x000007FEF622C000-memory.dmp (Filesize: 9.9MB)
    • memory/2156-7-0x0000000000770000-0x0000000000786000-memory.dmp (Filesize: 88KB)
    • memory/2156-6-0x00000000006D0000-0x00000000006E0000-memory.dmp (Filesize: 64KB)
    • memory/2156-5-0x00000000006B0000-0x00000000006B8000-memory.dmp (Filesize: 32KB)
    • memory/2156-4-0x0000000000690000-0x00000000006AC000-memory.dmp (Filesize: 112KB)
    • memory/2156-116-0x000007FEF5840000-0x000007FEF622C000-memory.dmp (Filesize: 9.9MB)
    • memory/2156-3-0x0000000000680000-0x0000000000688000-memory.dmp (Filesize: 32KB)
    • memory/2156-2-0x000007FEF5840000-0x000007FEF622C000-memory.dmp (Filesize: 9.9MB)
    • memory/2156-1-0x0000000000100000-0x00000000003C0000-memory.dmp (Filesize: 2.8MB)