Analysis
- max time kernel: 140s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 08:09
Behavioral task: behavioral1
- Sample: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
- Size: 2.0MB
- MD5: c4dd0b6efb900035ac550ea40274b180
- SHA1: 6b286cc85750702c1721a3f7eac27d7cc2548a2d
- SHA256: cd2c3823df758fbfab481d70c7aa63a3252300e6527893fccc99b888acfbda40
- SHA512: b26fe5a9067f40e484add6ea5668bd6879e4cedba3935b0f3f3a848cb318cab4f7323dc06978851f261c48a5923fe2e78da94c3f4c0cf9a010556b17762ce6f7
- SSDEEP: 24576:Un2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:CaTUv0jmtEttc
Malware Config
Signatures
-
DcRat (41 IoCs)
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
Processes: schtasks.exe, c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
- pid 2524, process schtasks.exe
- File created C:\Program Files (x86)\Common Files\System\de-DE\services.exe (process c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe)
- File created C:\Program Files (x86)\Common Files\System\de-DE\c5b4cb5e9653cc (process c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe)
- Further schtasks.exe instances, by pid in the order reported: 2876, 1072, 1040, 2804, 2476, 2184, 4060, 2256, 4312, 4848, 644, 2376, 1408, 4656, 4080, 4616, 2424, 1288, 544, 5080, 2216, 4472, 3060, 5060, 1484, 4148, 4632, 2436, 224, 2004, 4780, 952, 1584, 3496, 3972, 400, 2920, 4156
Modifies WinLogon for persistence (2 TTPs, 13 IoCs)
Processes: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
All 13 IoCs are "Set value (str)" operations on \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell by c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe. The values written, in the order reported:
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Program Files\\Microsoft Office\\root\\Licenses16\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\MusNotification.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\", \"C:\\Windows\\de-DE\\RuntimeBroker.exe\""
Process spawned unexpected child process (39 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (39 instances)
Every row carries the same description, "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", with pid_target 4012 and process schtasks.exe. The pid column, in the order reported: 2004, 544, 4780, 2804, 3060, 3496, 3972, 400, 5060, 4848, 4616, 4472, 2256, 1584, 644, 2436, 2376, 1288, 2476, 2184, 1484, 1072, 2524, 4148, 1408, 4632, 2876, 952, 1040, 4060, 4656, 4312, 2424, 2920, 4080, 2216, 5080, 4156, 224
Processes (yara matches, resource / yara_rule):
- behavioral2/memory/1344-1-0x0000000000AB0000-0x0000000000CBC000-memory.dmp / dcrat
- C:\Recovery\WindowsRE\RuntimeBroker.exe / dcrat
- C:\Users\Default\Links\backgroundTaskHost.exe / dcrat
- C:\Recovery\WindowsRE\sysmon.exe / dcrat
- C:\Recovery\WindowsRE\MusNotification.exe / dcrat
- C:\Windows\Fonts\sppsvc.exe / dcrat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
- Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (process c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe)
Executes dropped EXE (1 IoC)
Processes: StartMenuExperienceHost.exe
- pid 2404, process StartMenuExperienceHost.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
Processes: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
All 24 IoCs are "Set value (str)" operations by c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe, in the order reported:
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\de-DE\\RuntimeBroker.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\de-DE\\RuntimeBroker.exe\""
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Recovery\\WindowsRE\\MusNotification.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Recovery\\WindowsRE\\MusNotification.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Common Files\\System\\de-DE\\services.exe\""
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\""
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Default\\Links\\backgroundTaskHost.exe\""
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Fonts\\sppsvc.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Fonts\\sppsvc.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Portable Devices\\csrss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\StartMenuExperienceHost.exe\""
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\""
- \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics = "\"C:\\Program Files\\Microsoft Office\\root\\Licenses16\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics = "\"C:\\Program Files\\Microsoft Office\\root\\Licenses16\\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe\""
Drops file in Program Files directory (21 IoCs)
Processes: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
All 21 IoCs are file operations by c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe, in the order reported:
- File created C:\Program Files\Microsoft Office\root\Licenses16\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
- File opened for modification C:\Program Files (x86)\Common Files\System\de-DE\RCX5A0A.tmp
- File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX5E33.tmp
- File opened for modification C:\Program Files (x86)\Windows Portable Devices\csrss.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\RCX75E5.tmp
- File created C:\Program Files (x86)\Common Files\System\de-DE\services.exe
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX6069.tmp
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\RCX7577.tmp
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
- File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCX5E53.tmp
- File created C:\Program Files (x86)\Windows Portable Devices\csrss.exe
- File opened for modification C:\Program Files (x86)\Common Files\System\de-DE\RCX5A09.tmp
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCX6068.tmp
- File created C:\Program Files (x86)\Common Files\System\de-DE\c5b4cb5e9653cc
- File created C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e
- File created C:\Program Files\WindowsApps\MusNotification.exe
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\55b276f4edf653
- File created C:\Program Files\Microsoft Office\root\Licenses16\6521988ad37612
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe
- File opened for modification C:\Program Files (x86)\Common Files\System\de-DE\services.exe
Drops file in Windows directory (10 IoCs)
Processes: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
All 10 IoCs are file operations by c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe, in the order reported:
- File created C:\Windows\de-DE\RuntimeBroker.exe
- File created C:\Windows\de-DE\9e8d7a4ca61bd9
- File opened for modification C:\Windows\de-DE\RCX5C1E.tmp
- File opened for modification C:\Windows\de-DE\RCX5C1F.tmp
- File opened for modification C:\Windows\Fonts\RCX715D.tmp
- File created C:\Windows\Fonts\sppsvc.exe
- File created C:\Windows\Fonts\0a1fd5f707cd16
- File opened for modification C:\Windows\de-DE\RuntimeBroker.exe
- File opened for modification C:\Windows\Fonts\RCX70DF.tmp
- File opened for modification C:\Windows\Fonts\sppsvc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 39 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (39 instances)
- schtasks.exe pids, in the order reported: 544, 2804, 2436, 1288, 952, 4060, 2004, 4780, 2376, 4148, 1408, 3496, 2256, 2476, 1072, 4312, 2920, 5060, 4472, 4156, 4616, 644, 2184, 1484, 224, 3060, 3972, 4848, 2876, 4080, 5080, 400, 2524, 4632, 1040, 4656, 1584, 2424, 2216
Modifies registry class (1 IoC)
Processes: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe, StartMenuExperienceHost.exe
- pid 1344, process c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe (reported 11 times)
- pid 2404, process StartMenuExperienceHost.exe (reported once)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe, StartMenuExperienceHost.exe
- Token: SeDebugPrivilege, pid 1344, process c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
- Token: SeDebugPrivilege, pid 2404, process StartMenuExperienceHost.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
- PID 1344 wrote to memory of 2404 (process c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe, target process StartMenuExperienceHost.exe)
- PID 1344 wrote to memory of 2404 (process c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe, target process StartMenuExperienceHost.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe"
PID: 1344 (depth 1)
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe"
  PID: 2404 (depth 2, child of PID 1344)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\services.exe'" /f
PID: 2004 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\de-DE\services.exe'" /rl HIGHEST /f
PID: 544 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\de-DE\services.exe'" /rl HIGHEST /f
PID: 4780 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /f
PID: 2804 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
PID: 3060 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
PID: 3496 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
PID: 3972 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
PID: 400 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
PID: 5060 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe'" /f
PID: 4848 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe'" /rl HIGHEST /f
PID: 4616 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\StartMenuExperienceHost.exe'" /rl HIGHEST /f
PID: 4472 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
PID: 2256 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
PID: 1584 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
PID: 644 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
PID: 2436 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
PID: 2376 (depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)

C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
(depth 1)
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Links\backgroundTaskHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Links\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\Licenses16\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Licenses16\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "c4dd0b6efb900035ac550ea40274b180_NeikiAnalyticsc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\root\Licenses16\c4dd0b6efb900035ac550ea40274b180_NeikiAnalytics.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads