Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 09:28
Behavioral task behavioral1
Sample: d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
Size: 829KB
MD5: d46e2f5007e8af971c34a17bafe544d0
SHA1: 3fa71c422597d24af29bf942bc3e7dfba404f6dd
SHA256: eaa9a6674a2c49762574bd10294cfe737e37c7793f4c88d0ba3700db73e15b55
SHA512: 03d1e1ec5cff82c2fe61732d08f98d5bb8c263c081008be1ecc1bd8d359787460762773034906a52e933daf25e0ac07f9a82a1f9721e2e824e354e90100e35ef
SSDEEP: 12288:lCFCcYc/Cg2QGAtikngWn3IgPZA9H7id2naI+:l9cYc/IOikngWnYnH7id2ng
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
resource | yara_rule
behavioral1/memory/2980-1-0x00000000000C0000-0x0000000000196000-memory.dmp | dcrat
C:\Windows\ServiceProfiles\NetworkService\Saved Games\Idle.exe | dcrat
behavioral1/memory/2120-23-0x0000000000800000-0x00000000008D6000-memory.dmp | dcrat

Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2688 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2736 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2584 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2860 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2616 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2480 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2628 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1176 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2472 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2944 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 392 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2348 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1204 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2524 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2696 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2792 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1544 | 3044 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1580 | 3044 | schtasks.exe
Executes dropped EXE 1 IoCs
pid | process
2120 | explorer.exe
Drops file in Program Files directory 3 IoCs
description | ioc | process
File created | C:\Program Files (x86)\Windows NT\dllhost.exe | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
File opened for modification | C:\Program Files (x86)\Windows NT\dllhost.exe | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Windows NT\5940a34987c991 | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
Drops file in Windows directory 5 IoCs
description | ioc | process
File created | C:\Windows\ServiceProfiles\NetworkService\Saved Games\Idle.exe | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
File created | C:\Windows\ServiceProfiles\NetworkService\Saved Games\6ccacd8608530f | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
File created | C:\Windows\en-US\services.exe | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
File created | C:\Windows\en-US\c5b4cb5e9653cc | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-help-touch.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f319a74fc4d8f054\smss.exe | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
schtasks.exe PIDs: 2480, 2628, 1176, 392, 2792, 1580, 2584, 2616, 2348, 2696, 1544, 2688, 2472, 2736, 2860, 2524, 2944, 1204
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | process
2980 | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
2980 | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
2980 | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
2120 | explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | process
Token: SeDebugPrivilege | 2980 | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2120 | explorer.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | process | target process
PID 2980 wrote to memory of 768 | 2980 | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe | cmd.exe
PID 2980 wrote to memory of 768 | 2980 | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe | cmd.exe
PID 2980 wrote to memory of 768 | 2980 | d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe | cmd.exe
PID 768 wrote to memory of 1644 | 768 | cmd.exe | w32tm.exe
PID 768 wrote to memory of 1644 | 768 | cmd.exe | w32tm.exe
PID 768 wrote to memory of 1644 | 768 | cmd.exe | w32tm.exe
PID 768 wrote to memory of 2120 | 768 | cmd.exe | explorer.exe
PID 768 wrote to memory of 2120 | 768 | cmd.exe | explorer.exe
PID 768 wrote to memory of 2120 | 768 | cmd.exe | explorer.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the process tree depth)

C:\Users\Admin\AppData\Local\Temp\d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe (PID 2980)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d46e2f5007e8af971c34a17bafe544d0_NeikiAnalytics.exe"
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe (PID 768)
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YRXbn8bWta.bat"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\w32tm.exe (PID 1644)
          Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

        C:\MSOCache\All Users\explorer.exe (PID 2120)
          Command line: "C:\MSOCache\All Users\explorer.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe (PID 2688)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2736)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2584)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2860)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2616)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2480)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2628)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1176)
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2472)
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2944)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\services.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 392)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\en-US\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2348)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1204)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2524)
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2696)
  Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\NetworkService\Saved Games\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 2792)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1544)
  Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (PID 1580)
  Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 199B
MD5: f5d0271849afd7f0222a2927e08bef80
SHA1: 4abf7720fed8a9179b9edcc126e23553267b993a
SHA256: 33eaa64659238be32a299393bec1fdfcd614a02254c3e8401dfd9d8e75512470
SHA512: d7fae90a1d9dc5b7eaa8580660a05815178dcb874129b6c5d1aa2953f729011cbeef80402042504662917011a73b5d7608acffc3078fdfd30df81f59db41b34b

Filesize: 829KB
MD5: d46e2f5007e8af971c34a17bafe544d0
SHA1: 3fa71c422597d24af29bf942bc3e7dfba404f6dd
SHA256: eaa9a6674a2c49762574bd10294cfe737e37c7793f4c88d0ba3700db73e15b55
SHA512: 03d1e1ec5cff82c2fe61732d08f98d5bb8c263c081008be1ecc1bd8d359787460762773034906a52e933daf25e0ac07f9a82a1f9721e2e824e354e90100e35ef