Analysis

  • max time kernel
    134s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-05-2024 04:11

General

  • Target

    950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe

  • Size

    2.0MB

  • MD5

    950cc10960e45f6ca5de7fc895d0ca20

  • SHA1

    86142fec987343c924e41ce017ea54f273e957e3

  • SHA256

    0fd03b00a1060de7edd34a33ef0bb0c4e0d8be7c04af641a3266863279c2f327

  • SHA512

    365bf7c7c2515c5ee75175f0c794ed0be4d35af8f6462ce4074027720b50fa6882122de7df772a3e1b9c673a2790d93f3a6474ab80c533c7cd97c3f3e6efa842

  • SSDEEP

    24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc

Malware Config

Signatures

  • DcRat 32 IoCs

    DarkCrystal RAT (DCRat) is a .NET RAT active since June 2019 that can load additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4gxnF4du6m.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2788
        • C:\Windows\Performance\dwm.exe
          "C:\Windows\Performance\dwm.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:432
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\dwm.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3340
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Performance\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\dwm.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Temp\lsass.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\lsass.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4328
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Temp\lsass.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2960
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4152
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2788
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1044
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4224
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3396
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3332
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4208
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4356
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2264
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1312
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4996
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3964
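
    The process tree above is the whole DCRat persistence routine in one place: a batch launcher that uses w32tm /stripchart against localhost as a sleep before starting the dropped dwm.exe, and then, for each copy of the sample, three schtasks /create calls (a MINUTE task as the user, an ONLOGON task and a second MINUTE task with /rl HIGHEST) whose action is a binary named after a core Windows process but living outside System32 (C:\Windows\Performance, C:\Recovery\WindowsRE, Program Files subfolders, the Default user profile). The Python below is an added hunting example and is not part of the sandbox report or of the malware: it runs over constructed process-start records modelled on the tree (the pid / parent_pid / image / cmdline shape is an assumption about Sysmon Event ID 1 or EDR telemetry), parses each schtasks command line, flags actions whose file name impersonates a system process from a directory where that binary never legitimately exists, and pairs the w32tm timer with the sibling executable it delayed. The allowed-directory table and all function names are the author's own.

```python
# Added hunting example for the DCRat persistence pattern above; runs over constructed records, not live telemetry.
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:            # assumed shape of a Sysmon Event ID 1 / EDR process-start record
    pid: int
    parent_pid: int
    image: str
    cmdline: str


# Directories where each impersonated system binary legitimately lives (author's table).
SYS32 = {r"c:\windows\system32", r"c:\windows\syswow64"}
LEGIT_DIRS = {n: SYS32 for n in ("dwm.exe", "lsass.exe", "winlogon.exe", "wininit.exe",
                                  "fontdrvhost.exe", "dllhost.exe", "runtimebroker.exe")}
LEGIT_DIRS["explorer.exe"] = {r"c:\windows"}
LEGIT_DIRS["system.exe"] = set()   # the System process has no on-disk image at all

# /tn /sc /mo /tr /rl take either a "quoted" value or a bare token.
SCHTASKS_OPT = re.compile(r'/(?P<key>tn|sc|mo|tr|rl)\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.I)
# DCRat wraps the /tr path in single quotes inside the double quotes; strip them.
ACTION_EXE = re.compile(r"""^\s*['"]?(?P<path>[^'"]+?\.exe)""", re.I)
W32TM_DELAY = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost\b", re.I)


def parse_schtasks(cmdline):
    """Return {'tn': ..., 'sc': ..., 'mo': ..., 'tr': ..., 'rl': ...} for the switches present."""
    opts = {}
    for m in SCHTASKS_OPT.finditer(cmdline):
        opts[m.group("key").lower()] = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    return opts


def action_binary(tr):
    """First .exe path in a /tr action, or None."""
    m = ACTION_EXE.match(tr)
    return PureWindowsPath(m.group("path")) if m else None


def is_masquerading(path):
    """System-process file name in a directory where that binary never exists (T1036.005)."""
    allowed = LEGIT_DIRS.get(path.name.lower())
    return allowed is not None and str(path.parent).lower() not in allowed


def find_timer_then_exec(events):
    """(w32tm_pid, sibling_pid, sibling_image): w32tm against localhost is only a sleep, the sibling is the payload."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e.parent_pid].append(e)
    hits = []
    for children in by_parent.values():
        timers = [c for c in children if W32TM_DELAY.search(c.cmdline)]
        if not timers:
            continue
        for sib in children:
            if sib.pid != timers[0].pid and PureWindowsPath(sib.image).name.lower() != "w32tm.exe":
                hits.append((timers[0].pid, sib.pid, sib.image))
    return hits


def analyse(events):
    findings = []
    for e in events:
        if PureWindowsPath(e.image).name.lower() != "schtasks.exe" or "/create" not in e.cmdline.lower():
            continue
        task = parse_schtasks(e.cmdline)
        binary = action_binary(task.get("tr", ""))
        if binary is not None and is_masquerading(binary):
            findings.append({"rule": "schtasks_masquerade", "pid": e.pid, "task": task.get("tn"),
                             "binary": str(binary), "schedule": task.get("sc", "").upper(),
                             "every_min": task.get("mo"), "highest": task.get("rl", "").upper() == "HIGHEST"})
    for timer_pid, exe_pid, image in find_timer_then_exec(events):
        findings.append({"rule": "w32tm_delay_then_exec", "pid": exe_pid, "timer_pid": timer_pid, "binary": image})
    return findings


def persistence_targets(findings):
    """Task names per dropped binary; DCRat registers several tasks per copy."""
    out = defaultdict(list)
    for f in findings:
        if f["rule"] == "schtasks_masquerade":
            out[f["binary"]].append(f["task"])
    return {k: sorted(v) for k, v in out.items()}


# Constructed records mirroring a subset of the tree above, plus one benign control
# task (pid 9001) whose action points at the real System32 dllhost.exe.
EVENTS = [
    ProcEvent(4040, 2108, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4gxnF4du6m.bat"'),
    ProcEvent(2788, 4040, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(432, 4040, r"C:\Windows\Performance\dwm.exe", r'"C:\Windows\Performance\dwm.exe"'),
    ProcEvent(3340, 2108, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\dwm.exe'" /f'''),
    ProcEvent(4768, 2108, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Performance\dwm.exe'" /rl HIGHEST /f'''),
    ProcEvent(1044, 2108, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f'''),
    ProcEvent(9001, 5555, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "control" /sc DAILY /tr "'C:\Windows\System32\dllhost.exe'" /f'''),
]
```

    On the constructed records analyse(EVENTS) returns three schtasks_masquerade findings (pids 3340, 4768 and 1044) and one w32tm_delay_then_exec finding pairing w32tm (2788) with the dropped dwm.exe (432); the control task against the real System32 dllhost.exe is not flagged. The same logic applies unchanged to the other copies in the tree (lsass.exe under Program Files (x86)\Microsoft\Temp, explorer.exe and fontdrvhost.exe under C:\Recovery\WindowsRE, winlogon.exe in the Default User profile) once their records are fed in.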

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft\Temp\lsass.exe

      Filesize

      2.0MB

      MD5

      6577bf4c9c46397f03b59cd0bd2de31f

      SHA1

      a1975ff040dfe6299e73e51b257fbd48dfc93a5f

      SHA256

      b2b73f9991c8f13ec96cbd7524e50fc4ae3003fc62810ebc9c0b3f9c17008d35

      SHA512

      6a385fabbc3d30434354162c5c8fad1e9632da1cc4a343e2bf560a3137a4333eb7a550705ad174a1f090473afcaeab3f60f2631ead31e93ae7bc6eabfe5410f3

    • C:\Program Files\WindowsPowerShell\wininit.exe

      Filesize

      2.0MB

      MD5

      950cc10960e45f6ca5de7fc895d0ca20

      SHA1

      86142fec987343c924e41ce017ea54f273e957e3

      SHA256

      0fd03b00a1060de7edd34a33ef0bb0c4e0d8be7c04af641a3266863279c2f327

      SHA512

      365bf7c7c2515c5ee75175f0c794ed0be4d35af8f6462ce4074027720b50fa6882122de7df772a3e1b9c673a2790d93f3a6474ab80c533c7cd97c3f3e6efa842

    • C:\Recovery\WindowsRE\dllhost.exe

      Filesize

      2.0MB

      MD5

      dd3b5d977fbb06900d8b19d063c4a549

      SHA1

      309a9138524f1e290f55efdf3f17452eb56ca498

      SHA256

      97b2f0c7d1592aa78a8f274109967988bfc2877e298b3c46ffd7eb2a91ec3f4a

      SHA512

      963f1350f9be3afd7ccd56407f282151d614a313f022183fd41230f7a96fe2d44c4cec3be67ce1a5d2bcbe2555687a6fd8fce99a657e7b7141ac3ba4beab191d

    • C:\Recovery\WindowsRE\explorer.exe

      Filesize

      2.0MB

      MD5

      c62afb7242088a843a949f8c53126e84

      SHA1

      3b1cfaceaa633ac8df515d86daf0e54b891e5060

      SHA256

      2089c77b167efa027cbb49161369e738bb9b2cc30463f09603d498ed81609362

      SHA512

      8a527efccb82bc16d71f0224c7832dc69f5e0712a38c1ceac6a372b3b547bef6ca6706fe6e46887f5b3fec06d48f416f16a664c93fe66dffd7ff67b7379ee88e

    • C:\Users\Admin\AppData\Local\Temp\4gxnF4du6m.bat

      Filesize

      195B

      MD5

      6730752e1024e0be184e01e3d8199c31

      SHA1

      34947f744ce132d6674cbb1d4d69ac9eaeda006d

      SHA256

      042230818288fcbef4ff463a593fe577503a399fad9a232fca0758ca78e58b7f

      SHA512

      63128df25604286339e90aa6b2d9967d7342170dad6e484e1d6e1234bcdb32943a3d94da01d5d439f92fc28fe961e748fef627cc939a9c3b377a10116f87c203

    • C:\Users\Default\winlogon.exe

      Filesize

      2.0MB

      MD5

      73ec0b09bb36ce58d98041706ecd29e6

      SHA1

      a3c7670a3c3003dae76eae178158511398d3a066

      SHA256

      927a4edea8d4e957e0bf576f673faca273d4871253d65e92d1b796d7c497e017

      SHA512

      2bf6ac0b7ecdc6c0e9201cc2314d79b6fc46c2214911af9f7823b64c52ad850bfdff2b1c65aae812371b86e65ca221b1bc02d525e2e81e97b02d3220db229829

    • memory/432-167-0x0000000001F40000-0x0000000001F96000-memory.dmp

      Filesize

      344KB

    • memory/2108-5-0x0000000002BA0000-0x0000000002BA8000-memory.dmp

      Filesize

      32KB

    • memory/2108-14-0x000000001B7F0000-0x000000001B7FA000-memory.dmp

      Filesize

      40KB

    • memory/2108-9-0x0000000002D10000-0x0000000002D1C000-memory.dmp

      Filesize

      48KB

    • memory/2108-10-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

      Filesize

      48KB

    • memory/2108-12-0x000000001B7D0000-0x000000001B7DE000-memory.dmp

      Filesize

      56KB

    • memory/2108-11-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

      Filesize

      48KB

    • memory/2108-13-0x000000001B7E0000-0x000000001B7EE000-memory.dmp

      Filesize

      56KB

    • memory/2108-7-0x0000000002CF0000-0x0000000002D06000-memory.dmp

      Filesize

      88KB

    • memory/2108-8-0x000000001B700000-0x000000001B756000-memory.dmp

      Filesize

      344KB

    • memory/2108-4-0x000000001B760000-0x000000001B7B0000-memory.dmp

      Filesize

      320KB

    • memory/2108-0-0x00007FFD4E233000-0x00007FFD4E235000-memory.dmp

      Filesize

      8KB

    • memory/2108-6-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

      Filesize

      64KB

    • memory/2108-3-0x0000000002CC0000-0x0000000002CDC000-memory.dmp

      Filesize

      112KB

    • memory/2108-162-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

      Filesize

      10.8MB

    • memory/2108-2-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

      Filesize

      10.8MB

    • memory/2108-1-0x0000000000990000-0x0000000000B9C000-memory.dmp

      Filesize

      2.0MB