Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
submitted: 16-05-2024 08:09
Behavioral task: behavioral1
Sample: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
Size: 2.0MB
MD5: c4dd0b6efb900035ac550ea40274b180
SHA1: 6b286cc85750702c1721a3f7eac27d7cc2548a2d
SHA256: cd2c3823df758fbfab481d70c7aa63a3252300e6527893fccc99b888acfbda40
SHA512: b26fe5a9067f40e484add6ea5668bd6879e4cedba3935b0f3f3a848cb318cab4f7323dc06978851f261c48a5923fe2e78da94c3f4c0cf9a010556b17762ce6f7
SSDEEP: 24576:Un2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:CaTUv0jmtEttc
Malware Config
Signatures
-
DcRat 50 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Modifies WinLogon for persistence 2 TTPs 16 IoCs
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Executes dropped EXE 1 IoCs
Process: explorer.exe (pid 2292)
Adds Run key to start application 2 TTPs 30 IoCs
Drops file in Program Files directory 25 IoCs
Drops file in Windows directory (11 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 48 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2420, c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
- Token: SeDebugPrivilege, PID 2292, explorer.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 2420 (c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe) wrote to memory of PID 2292 (explorer.exe); recorded 3 times
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe (PID 2420)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe"
  Signatures: DcRat; Modifies WinLogon for persistence; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe (PID 2292, child of PID 2420)
    Command line: "C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

The following 48 schtasks.exe processes were each flagged with the signatures DcRat, Process spawned unexpected child process, and Creates scheduled task(s):
- C:\Windows\system32\schtasks.exe (PID 2720)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 2740)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2652)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\spoolsv.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2764)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 2788)
  Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2544)
  Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2360)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 2552)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2512)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2584)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 2984)
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2952)
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1296)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 284)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2820)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2808)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\dwm.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 2240)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2016)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1264)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\es-ES\winlogon.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 1308)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\inf\es-ES\winlogon.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1232)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\es-ES\winlogon.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2000)
  Command line: schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 2232)
  Command line: schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2932)
  Command line: schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1056)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\smss.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 2548)
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 316)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 296)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\winlogon.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 3044)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\winlogon.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 2988)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\winlogon.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 292)
  Command line: schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 2308)
  Command line: schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1908)
  Command line: schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 5 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1560)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 484)
  Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 636)
  Command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1492)
  Command line: schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 1484)
  Command line: schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1856)
  Command line: schtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 556)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\csrss.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 1312)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1080)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 3040)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 684)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1556)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 940)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /f
- C:\Windows\system32\schtasks.exe (PID 772)
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /rl HIGHEST /f
- C:\Windows\system32\schtasks.exe (PID 1972)
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\sppsvc.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)