Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    16-05-2024 04:11

General

  • Target

    950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe

  • Size

    2.0MB

  • MD5

    950cc10960e45f6ca5de7fc895d0ca20

  • SHA1

    86142fec987343c924e41ce017ea54f273e957e3

  • SHA256

    0fd03b00a1060de7edd34a33ef0bb0c4e0d8be7c04af641a3266863279c2f327

  • SHA512

    365bf7c7c2515c5ee75175f0c794ed0be4d35af8f6462ce4074027720b50fa6882122de7df772a3e1b9c673a2790d93f3a6474ab80c533c7cd97c3f3e6efa842

  • SSDEEP

    24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc

Malware Config

Signatures

  • DcRat 21 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 7 IoCs
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Program Files\MSBuild\sppsvc.exe
      "C:\Program Files\MSBuild\sppsvc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\taskhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2408
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe

    Filesize

    2.0MB

    MD5

    022c41189d20c106d944f8443b0c3af0

    SHA1

    398c7125b5fe3c4fe797f60b110e09b80f7f400e

    SHA256

    2041e5eb4dea7d80ac46456c14409b8928705527b34a631db0da47e94ad80b96

    SHA512

    4678aca97fa9b9cf59ad64ae55ad6d6a1c967a0f9179ac07f1a73e1292cd47ed6a4078619a0217419087826cf6cc476c9d48f459054b2ac3b67ada2b139d62df

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

    Filesize

    2.0MB

    MD5

    950cc10960e45f6ca5de7fc895d0ca20

    SHA1

    86142fec987343c924e41ce017ea54f273e957e3

    SHA256

    0fd03b00a1060de7edd34a33ef0bb0c4e0d8be7c04af641a3266863279c2f327

    SHA512

    365bf7c7c2515c5ee75175f0c794ed0be4d35af8f6462ce4074027720b50fa6882122de7df772a3e1b9c673a2790d93f3a6474ab80c533c7cd97c3f3e6efa842

  • memory/1640-113-0x0000000000B00000-0x0000000000D0C000-memory.dmp

    Filesize

    2.0MB

  • memory/1700-8-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

    Filesize

    48KB

  • memory/1700-10-0x0000000000B00000-0x0000000000B0C000-memory.dmp

    Filesize

    48KB

  • memory/1700-4-0x0000000000350000-0x0000000000358000-memory.dmp

    Filesize

    32KB

  • memory/1700-6-0x0000000000700000-0x0000000000716000-memory.dmp

    Filesize

    88KB

  • memory/1700-7-0x0000000000A90000-0x0000000000AE6000-memory.dmp

    Filesize

    344KB

  • memory/1700-0-0x000007FEF54A3000-0x000007FEF54A4000-memory.dmp

    Filesize

    4KB

  • memory/1700-9-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

    Filesize

    48KB

  • memory/1700-5-0x0000000000570000-0x0000000000580000-memory.dmp

    Filesize

    64KB

  • memory/1700-11-0x0000000000B10000-0x0000000000B1E000-memory.dmp

    Filesize

    56KB

  • memory/1700-12-0x0000000000B20000-0x0000000000B2E000-memory.dmp

    Filesize

    56KB

  • memory/1700-13-0x0000000000B30000-0x0000000000B3A000-memory.dmp

    Filesize

    40KB

  • memory/1700-3-0x0000000000330000-0x000000000034C000-memory.dmp

    Filesize

    112KB

  • memory/1700-2-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

    Filesize

    9.9MB

  • memory/1700-112-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

    Filesize

    9.9MB

  • memory/1700-1-0x00000000013E0000-0x00000000015EC000-memory.dmp

    Filesize

    2.0MB