Analysis
  max time kernel: 140s
  max time network: 127s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 16-05-2024 02:46
Behavioral task behavioral1
  Sample: 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
  Target: 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Size: 2.7MB
  MD5: 842d88a85052060e936fdc2ea92b43a0
  SHA1: 4c2a334ee317b586bd284f5e4f514801cc65f3c5
  SHA256: 6ced96c3c9f628cd9caa61fdc4d146a792a612539c923de90a93414099f4eddb
  SHA512: b6abab1932024a1c477716dc84c7b60714ec6e712cc5ce104c078972a20e89554b20c588233c5be33fef8a02ee10d653d34c9a3d0c490a596d6a068d1fa6c1eb
  SSDEEP: 49152:iH64y2XDuLlIY14o9/yDzr1xJ8XbRrC9mWvR08Yv7yP3GcY:iHfE5Ad8Xd295UmGc
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\msedge.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Windows\\debug\\sysmon.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 388 | 1756 | schtasks.exe | (not captured)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3568 | 1756 | schtasks.exe | (not captured)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1608 | 1756 | schtasks.exe | (not captured)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3252 | 1756 | schtasks.exe | (not captured)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3648 | 1756 | schtasks.exe | (not captured)
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3360 | 1756 | schtasks.exe | (not captured)
UAC bypass 6 IoCs (signature name as listed for both processes in the process tree; the heading itself was lost in extraction)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sysmon.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sysmon.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sysmon.exe
Processes:
  resource | yara_rule
  behavioral2/memory/3236-1-0x0000000000EA0000-0x0000000001160000-memory.dmp | dcrat
  C:\Recovery\WindowsRE\msedge.exe | dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  2196 | sysmon.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\debug\\sysmon.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\debug\\sysmon.exe\"" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Checks whether UAC is enabled 4 IoCs (signature name as listed for both processes in the process tree; the heading itself was lost in extraction)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | sysmon.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sysmon.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Drops file in Windows directory 4 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\debug\sysmon.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  File created | C:\Windows\debug\121e5b5079f7c0 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\debug\RCXB96.tmp | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\debug\sysmon.exe | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  388 | schtasks.exe
  3568 | schtasks.exe
  1608 | schtasks.exe
  3252 | schtasks.exe
  3648 | schtasks.exe
  3360 | schtasks.exe
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes:
  pid | process | occurrences
  3236 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe | 13
  1884 | powershell.exe | 3
  2196 | sysmon.exe | 25
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3236 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Token: SeDebugPrivilege | 1884 | powershell.exe
  Token: SeDebugPrivilege | 2196 | sysmon.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
  description | pid | process | target process
  PID 3236 wrote to memory of 1884 | 3236 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe | powershell.exe
  PID 3236 wrote to memory of 1884 | 3236 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe | powershell.exe
  PID 3236 wrote to memory of 2196 | 3236 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe | sysmon.exe
  PID 3236 wrote to memory of 2196 | 3236 | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe | sysmon.exe
System policy modification 1 TTPs 6 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | sysmon.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | sysmon.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | sysmon.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child depth recorded by the sandbox)
  C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\842d88a85052060e936fdc2ea92b43a0_NeikiAnalytics.exe"
    PID: 3236
    - Modifies WinLogon for persistence
    - UAC bypass
    - Checks computer location settings
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
      PID: 1884
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\debug\sysmon.exe
      command line: "C:\Windows\debug\sysmon.exe"
      PID: 2196
      - UAC bypass
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
  C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
    PID: 388
    - Process spawned unexpected child process
    - Creates scheduled task(s)
  C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
    PID: 3568
    - Process spawned unexpected child process
    - Creates scheduled task(s)
  C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
    PID: 1608
    - Process spawned unexpected child process
    - Creates scheduled task(s)
  C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\sysmon.exe'" /f
    PID: 3252
    - Process spawned unexpected child process
    - Creates scheduled task(s)
  C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
    PID: 3648
    - Process spawned unexpected child process
    - Creates scheduled task(s)
  C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\sysmon.exe'" /rl HIGHEST /f
    PID: 3360
    - Process spawned unexpected child process
    - Creates scheduled task(s)
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
    PID: 1512
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
  Persistence
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
    Scheduled Task/Job (1)
  Privilege Escalation
    Abuse Elevation Control Mechanism (1)
      Bypass User Account Control (1)
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
    Scheduled Task/Job (1)
Downloads
  File 1 (same hashes as the submitted sample)
    Filesize: 2.7MB
    MD5: 842d88a85052060e936fdc2ea92b43a0
    SHA1: 4c2a334ee317b586bd284f5e4f514801cc65f3c5
    SHA256: 6ced96c3c9f628cd9caa61fdc4d146a792a612539c923de90a93414099f4eddb
    SHA512: b6abab1932024a1c477716dc84c7b60714ec6e712cc5ce104c078972a20e89554b20c588233c5be33fef8a02ee10d653d34c9a3d0c490a596d6a068d1fa6c1eb
  File 2
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82