Analysis
max time kernel: 134s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 04:11
Behavioral task
behavioral1
Sample
950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
Target: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
Size: 2.0MB
MD5: 950cc10960e45f6ca5de7fc895d0ca20
SHA1: 86142fec987343c924e41ce017ea54f273e957e3
SHA256: 0fd03b00a1060de7edd34a33ef0bb0c4e0d8be7c04af641a3266863279c2f327
SHA512: 365bf7c7c2515c5ee75175f0c794ed0be4d35af8f6462ce4074027720b50fa6882122de7df772a3e1b9c673a2790d93f3a6474ab80c533c7cd97c3f3e6efa842
SSDEEP: 24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc
Malware Config
Signatures
DcRat 32 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: schtasks.exe, 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
schtasks.exe, 30 instances, PIDs: 3604, 3340, 2264, 4024, 2960, 2788, 4208, 1312, 4768, 312, 4224, 4548, 3964, 3936, 5028, 4672, 4328, 3332, 4996, 4352, 3284, 1044, 4020, 2200, 4356, 3464, 4152, 1792, 1100, 3396
File created C:\Windows\Performance\dwm.exe by 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
File created C:\Windows\Performance\6cb0b6c459d5d3 by 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
Modifies WinLogon for persistence 2 TTPs 10 IoCs
Processes: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell by 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe; the ten values written, each extending the previous one:
"explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\""
"explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\""
"explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\""
"explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\""
"explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\""
"explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\""
"explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\""
"explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""
"explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\winlogon.exe\""
"explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (30 instances)
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
process: schtasks.exe; pid_target: 2396 in every row
pid: 3340, 4768, 2200, 312, 4328, 3936, 4020, 3604, 5028, 1792, 2960, 4352, 4152, 4024, 3464, 2788, 1044, 4224, 3396, 4672, 3332, 4208, 4548, 4356, 1100, 2264, 1312, 3284, 4996, 3964
YARA matches (resource, yara_rule):
behavioral2/memory/2108-1-0x0000000000990000-0x0000000000B9C000-memory.dmp  dcrat
C:\Program Files\WindowsPowerShell\wininit.exe  dcrat
C:\Program Files (x86)\Microsoft\Temp\lsass.exe  dcrat
C:\Recovery\WindowsRE\explorer.exe  dcrat
C:\Recovery\WindowsRE\dllhost.exe  dcrat
C:\Users\Default\winlogon.exe  dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation by 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs
Processes: dwm.exe
pid 432  dwm.exe
Adds Run key to start application 2 TTPs 20 IoCs
Processes: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
All values set (str) by 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\""
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\""
\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Downloaded Program Files\\dllhost.exe\""
\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\WindowsPowerShell\\wininit.exe\""
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""
\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Performance\\dwm.exe\""
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Downloaded Program Files\\dllhost.exe\""
\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\""
\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""
\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\""
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\""
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""
\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""
\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\""
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\WindowsPowerShell\\wininit.exe\""
\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""
\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Performance\\dwm.exe\""
Drops file in Program Files directory 20 IoCs
Processes: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
All file operations by 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe:
File created  C:\Program Files (x86)\Microsoft\Temp\6203df4a6bafc7
File created  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\27d1bcfc3c54e0
File opened for modification  C:\Program Files (x86)\Microsoft.NET\RCX40A9.tmp
File opened for modification  C:\Program Files\WindowsPowerShell\wininit.exe
File created  C:\Program Files\WindowsPowerShell\wininit.exe
File created  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Temp\RCX3E36.tmp
File opened for modification  C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe
File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe
File created  C:\Program Files (x86)\Microsoft\Temp\lsass.exe
File created  C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe
File opened for modification  C:\Program Files (x86)\Microsoft.NET\RCX40AA.tmp
File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX46C9.tmp
File created  C:\Program Files (x86)\Microsoft.NET\9e8d7a4ca61bd9
File created  C:\Program Files\WindowsPowerShell\56085415360792
File opened for modification  C:\Program Files (x86)\Microsoft\Temp\RCX3EA4.tmp
File opened for modification  C:\Program Files (x86)\Microsoft\Temp\lsass.exe
File opened for modification  C:\Program Files\WindowsPowerShell\RCX44C4.tmp
File opened for modification  C:\Program Files\WindowsPowerShell\RCX44C5.tmp
File opened for modification  C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX46CA.tmp
Drops file in Windows directory 13 IoCs
Processes: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
All file operations by 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe:
File created  C:\Windows\Performance\6cb0b6c459d5d3
File created  C:\Windows\rescache\Registry.exe
File opened for modification  C:\Windows\Downloaded Program Files\dllhost.exe
File created  C:\Windows\Performance\dwm.exe
File created  C:\Windows\WinSxS\backgroundTaskHost.exe
File opened for modification  C:\Windows\Performance\RCX3C20.tmp
File opened for modification  C:\Windows\Performance\RCX3C21.tmp
File created  C:\Windows\Downloaded Program Files\dllhost.exe
File created  C:\Windows\Downloaded Program Files\5940a34987c991
File created  C:\Windows\OCR\fontdrvhost.exe
File opened for modification  C:\Windows\Downloaded Program Files\RCX42BF.tmp
File opened for modification  C:\Windows\Performance\dwm.exe
File opened for modification  C:\Windows\Downloaded Program Files\RCX42BE.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (30 instances)
pid: 4020, 4356, 3284, 3604, 5028, 4024, 4548, 4768, 312, 4672, 1312, 3964, 3340, 2200, 4328, 3464, 4224, 3332, 4208, 4996, 2960, 1100, 1044, 1792, 2788, 3396, 2264, 3936, 4352, 4152
Modifies registry class 1 IoCs
Processes: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings by 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe, dwm.exe
pid 2108  950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe (7 entries)
pid 432   dwm.exe (1 entry)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe, dwm.exe
Token: SeDebugPrivilege  pid 2108  950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
Token: SeDebugPrivilege  pid 432   dwm.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe, cmd.exe
PID 2108 (950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe) wrote to memory of 4040 (cmd.exe), 2 entries
PID 4040 (cmd.exe) wrote to memory of 2788 (w32tm.exe), 2 entries
PID 4040 (cmd.exe) wrote to memory of 432 (dwm.exe), 2 entries
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indentation shows parent/child depth; the 30 schtasks.exe entries are listed at top level because their parent, wmiprvse.exe, is not part of the tree):

C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe"
  - DcRat
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2108

  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4gxnF4du6m.bat"
    - Suspicious use of WriteProcessMemory
    PID: 4040

    C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 2788

    C:\Windows\Performance\dwm.exe
      "C:\Windows\Performance\dwm.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 432

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\dwm.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3340

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Performance\dwm.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4768

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\dwm.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2200

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Temp\lsass.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 312

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\lsass.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4328

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Temp\lsass.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3936

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4020

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3604

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 5028

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1792

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2960

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4352

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4152

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4024

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3464

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2788

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1044

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4224

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3396

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4672

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3332

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4208

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4548

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4356

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1100

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2264

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1312

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3284

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4996

C:\Windows\system32\schtasks.exe
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3964
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
Downloads