Analysis
max time kernel
140s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
16-05-2024 13:11
Behavioral task
behavioral1
Sample
e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target
e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
Size
828KB
MD5
e006d21af325e490696eac189d6fe9f0
SHA1
cce2f3a4a2cc3b6ab5161201639dcdd853b8f5ca
SHA256
0cc2a158f676462d631f265f149ef0f1fe1f698e0487877d3e7c17a07c52dcd0
SHA512
933df81a32489d40da8840abc0aaa606598d35b289dbca69ba465499745feaa1a7d05c50d4dccd63d498b84d8378e34575f611c1fd18a801ca36c07619d79811
SSDEEP
12288:ooQUC/VdATqagGCW4TXQ3fPND877TIYCHUO+/biBHuZ/TMib+hV:E//PATqoCW4jYlK7k/StY++hV
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3232 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3916 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3924 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4840 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4820 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4812 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3164 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2984 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 656 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3984 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3972 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4744 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1904 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1160 | 1704 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2640 | 1704 | schtasks.exe
Processes:
resource | yara_rule
behavioral2/memory/4272-1-0x0000000000310000-0x00000000003E6000-memory.dmp | dcrat
C:\Windows\bcastdvr\backgroundTaskHost.exe | dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
780 | SearchApp.exe
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Google\lsass.exe | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
File created | C:\Program Files (x86)\Google\6203df4a6bafc7 | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\ShellComponents\SearchApp.exe | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
File created | C:\Windows\ShellComponents\38384e6a620884 | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
File created | C:\Windows\bcastdvr\backgroundTaskHost.exe | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
File created | C:\Windows\bcastdvr\eddb19405b7ce1 | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3164 | schtasks.exe
4840 | schtasks.exe
2984 | schtasks.exe
3232 | schtasks.exe
656 | schtasks.exe
3984 | schtasks.exe
3972 | schtasks.exe
4744 | schtasks.exe
1160 | schtasks.exe
4820 | schtasks.exe
3924 | schtasks.exe
4812 | schtasks.exe
1904 | schtasks.exe
2640 | schtasks.exe
3916 | schtasks.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
4272 | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
780 | SearchApp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4272 | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 780 | SearchApp.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 4272 wrote to memory of 2940 | 4272 | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | cmd.exe
PID 4272 wrote to memory of 2940 | 4272 | e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | cmd.exe
PID 2940 wrote to memory of 4004 | 2940 | cmd.exe | w32tm.exe
PID 2940 wrote to memory of 4004 | 2940 | cmd.exe | w32tm.exe
PID 2940 wrote to memory of 780 | 2940 | cmd.exe | SearchApp.exe
PID 2940 wrote to memory of 780 | 2940 | cmd.exe | SearchApp.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Image: C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe"
Depth: 1
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4272

Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxKS4C7dQ8.bat"
Depth: 2
- Suspicious use of WriteProcessMemory
PID: 2940

Image: C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Depth: 3
PID: 4004

Image: C:\Windows\ShellComponents\SearchApp.exe
Command line: "C:\Windows\ShellComponents\SearchApp.exe"
Depth: 3
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 780

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3232

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3916

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3924

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\lsass.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4840

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\lsass.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4820

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\lsass.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4812

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellComponents\SearchApp.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3164

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\ShellComponents\SearchApp.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2984

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\SearchApp.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 656

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\spoolsv.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3984

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3972

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 4744

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\backgroundTaskHost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1904

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\backgroundTaskHost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1160

Image: C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\backgroundTaskHost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2640
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
205B
MD5
feec6a6187d9de329b5ed07baf064c6d
SHA1
b49724ac33718f3f362caee97f3efed86e28050c
SHA256
0dcf85f0c2c6ce36c71d002a4a33a9765403e0e66795aff48085683a1c8d2b21
SHA512
6f174467689066fb265ef10282d21e6e12aef5a6400e719267307038c5831759819700f2d12b089fa95902ee8cf1ddb2dc4f9580b2da2bafa96ccdd3e2b80c0f

Filesize
828KB
MD5
e006d21af325e490696eac189d6fe9f0
SHA1
cce2f3a4a2cc3b6ab5161201639dcdd853b8f5ca
SHA256
0cc2a158f676462d631f265f149ef0f1fe1f698e0487877d3e7c17a07c52dcd0
SHA512
933df81a32489d40da8840abc0aaa606598d35b289dbca69ba465499745feaa1a7d05c50d4dccd63d498b84d8378e34575f611c1fd18a801ca36c07619d79811