Malware Analysis Report

2024-11-13 13:43

Sample ID 240516-esed6sbg42
Target 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics
SHA256 0fd03b00a1060de7edd34a33ef0bb0c4e0d8be7c04af641a3266863279c2f327
Tags: rat dcrat infostealer persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

0fd03b00a1060de7edd34a33ef0bb0c4e0d8be7c04af641a3266863279c2f327

Threat Level: Known bad

The file 950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

DcRat

DCRat payload

Modifies WinLogon for persistence

Process spawned unexpected child process

Dcrat family

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 04:11

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 04:11

Reported

2024-05-16 04:14

Platform

win7-20240508-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\Default\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files\\MSBuild\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\Default\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Program Files\\MSBuild\\sppsvc.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\Default\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\Default\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\Default\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (21 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\MSBuild\sppsvc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\MSBuild\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default\\taskhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\MSBuild\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\MSBuild\RCX29F9.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Program Files\MSBuild\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\MSBuild\RCX29F8.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\sppsvc.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\lsass.exe'" /rl HIGHEST /f

C:\Program Files\MSBuild\sppsvc.exe

"C:\Program Files\MSBuild\sppsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dcrat.jorikbz3.beget.tech udp
US 8.8.8.8:53 jorikbz3.beget.tech udp

Files

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe

MD5 950cc10960e45f6ca5de7fc895d0ca20
SHA1 86142fec987343c924e41ce017ea54f273e957e3
SHA256 0fd03b00a1060de7edd34a33ef0bb0c4e0d8be7c04af641a3266863279c2f327
SHA512 365bf7c7c2515c5ee75175f0c794ed0be4d35af8f6462ce4074027720b50fa6882122de7df772a3e1b9c673a2790d93f3a6474ab80c533c7cd97c3f3e6efa842

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe

MD5 022c41189d20c106d944f8443b0c3af0
SHA1 398c7125b5fe3c4fe797f60b110e09b80f7f400e
SHA256 2041e5eb4dea7d80ac46456c14409b8928705527b34a631db0da47e94ad80b96
SHA512 4678aca97fa9b9cf59ad64ae55ad6d6a1c967a0f9179ac07f1a73e1292cd47ed6a4078619a0217419087826cf6cc476c9d48f459054b2ac3b67ada2b139d62df

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 04:11

Reported

2024-05-16 04:14

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (30 identical rows)
File created C:\Windows\Performance\dwm.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Windows\Performance\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Performance\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\", \"C:\\Windows\\Downloaded Program Files\\dllhost.exe\", \"C:\\Program Files\\WindowsPowerShell\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (30 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Performance\dwm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Downloaded Program Files\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\WindowsPowerShell\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Performance\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Downloaded Program Files\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Microsoft\\Temp\\lsass.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Microsoft.NET\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\WindowsPowerShell\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Performance\\dwm.exe\"" C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Temp\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RCX40A9.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\wininit.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Program Files\WindowsPowerShell\wininit.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Temp\RCX3E36.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\lsass.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RCX40AA.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX46C9.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Program Files\WindowsPowerShell\56085415360792 C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Temp\RCX3EA4.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Temp\lsass.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\RCX44C4.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\RCX44C5.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX46CA.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Performance\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Windows\rescache\Registry.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\dllhost.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Windows\Performance\dwm.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Windows\WinSxS\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Performance\RCX3C20.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Performance\RCX3C21.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Windows\Downloaded Program Files\dllhost.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Windows\Downloaded Program Files\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File created C:\Windows\OCR\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\RCX42BF.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Performance\dwm.exe C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\RCX42BE.tmp C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Performance\dwm.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\950cc10960e45f6ca5de7fc895d0ca20_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Performance\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Temp\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Temp\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4gxnF4du6m.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Performance\dwm.exe

"C:\Windows\Performance\dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.242:443 www.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 242.83.221.88.in-addr.arpa udp
BE 88.221.83.242:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 dcrat.jorikbz3.beget.tech udp
US 8.8.8.8:53 jorikbz3.beget.tech udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2108-0-0x00007FFD4E233000-0x00007FFD4E235000-memory.dmp

memory/2108-1-0x0000000000990000-0x0000000000B9C000-memory.dmp

memory/2108-2-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

memory/2108-3-0x0000000002CC0000-0x0000000002CDC000-memory.dmp

memory/2108-6-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

memory/2108-5-0x0000000002BA0000-0x0000000002BA8000-memory.dmp

memory/2108-4-0x000000001B760000-0x000000001B7B0000-memory.dmp

memory/2108-8-0x000000001B700000-0x000000001B756000-memory.dmp

memory/2108-7-0x0000000002CF0000-0x0000000002D06000-memory.dmp

memory/2108-9-0x0000000002D10000-0x0000000002D1C000-memory.dmp

memory/2108-10-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

memory/2108-12-0x000000001B7D0000-0x000000001B7DE000-memory.dmp

memory/2108-11-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

memory/2108-13-0x000000001B7E0000-0x000000001B7EE000-memory.dmp

memory/2108-14-0x000000001B7F0000-0x000000001B7FA000-memory.dmp

C:\Program Files\WindowsPowerShell\wininit.exe

MD5 950cc10960e45f6ca5de7fc895d0ca20
SHA1 86142fec987343c924e41ce017ea54f273e957e3
SHA256 0fd03b00a1060de7edd34a33ef0bb0c4e0d8be7c04af641a3266863279c2f327
SHA512 365bf7c7c2515c5ee75175f0c794ed0be4d35af8f6462ce4074027720b50fa6882122de7df772a3e1b9c673a2790d93f3a6474ab80c533c7cd97c3f3e6efa842

C:\Program Files (x86)\Microsoft\Temp\lsass.exe

MD5 6577bf4c9c46397f03b59cd0bd2de31f
SHA1 a1975ff040dfe6299e73e51b257fbd48dfc93a5f
SHA256 b2b73f9991c8f13ec96cbd7524e50fc4ae3003fc62810ebc9c0b3f9c17008d35
SHA512 6a385fabbc3d30434354162c5c8fad1e9632da1cc4a343e2bf560a3137a4333eb7a550705ad174a1f090473afcaeab3f60f2631ead31e93ae7bc6eabfe5410f3

C:\Recovery\WindowsRE\explorer.exe

MD5 c62afb7242088a843a949f8c53126e84
SHA1 3b1cfaceaa633ac8df515d86daf0e54b891e5060
SHA256 2089c77b167efa027cbb49161369e738bb9b2cc30463f09603d498ed81609362
SHA512 8a527efccb82bc16d71f0224c7832dc69f5e0712a38c1ceac6a372b3b547bef6ca6706fe6e46887f5b3fec06d48f416f16a664c93fe66dffd7ff67b7379ee88e

C:\Recovery\WindowsRE\dllhost.exe

MD5 dd3b5d977fbb06900d8b19d063c4a549
SHA1 309a9138524f1e290f55efdf3f17452eb56ca498
SHA256 97b2f0c7d1592aa78a8f274109967988bfc2877e298b3c46ffd7eb2a91ec3f4a
SHA512 963f1350f9be3afd7ccd56407f282151d614a313f022183fd41230f7a96fe2d44c4cec3be67ce1a5d2bcbe2555687a6fd8fce99a657e7b7141ac3ba4beab191d

C:\Users\Default\winlogon.exe

MD5 73ec0b09bb36ce58d98041706ecd29e6
SHA1 a3c7670a3c3003dae76eae178158511398d3a066
SHA256 927a4edea8d4e957e0bf576f673faca273d4871253d65e92d1b796d7c497e017
SHA512 2bf6ac0b7ecdc6c0e9201cc2314d79b6fc46c2214911af9f7823b64c52ad850bfdff2b1c65aae812371b86e65ca221b1bc02d525e2e81e97b02d3220db229829

memory/2108-162-0x00007FFD4E230000-0x00007FFD4ECF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4gxnF4du6m.bat

MD5 6730752e1024e0be184e01e3d8199c31
SHA1 34947f744ce132d6674cbb1d4d69ac9eaeda006d
SHA256 042230818288fcbef4ff463a593fe577503a399fad9a232fca0758ca78e58b7f
SHA512 63128df25604286339e90aa6b2d9967d7342170dad6e484e1d6e1234bcdb32943a3d94da01d5d439f92fc28fe961e748fef627cc939a9c3b377a10116f87c203

memory/432-167-0x0000000001F40000-0x0000000001F96000-memory.dmp