Malware Analysis Report

2024-11-13 13:43

Sample ID 240516-qe63taec4s
Target e006d21af325e490696eac189d6fe9f0_NeikiAnalytics
SHA256 0cc2a158f676462d631f265f149ef0f1fe1f698e0487877d3e7c17a07c52dcd0
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0cc2a158f676462d631f265f149ef0f1fe1f698e0487877d3e7c17a07c52dcd0

Threat Level: Known bad

The file e006d21af325e490696eac189d6fe9f0_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Process spawned unexpected child process

DCRat payload

Dcrat family

DCRat payload

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 13:11

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 13:11

Reported

2024-05-16 13:14

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
(12 identical entries, one for each schtasks.exe /create call listed under Processes)

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Common Files\System\ja-JP\System.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\DVD Maker\Shared\csrss.exe | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\csrss.exe | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Common Files\System\ja-JP\System.exe | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A
File created | C:\Program Files\Common Files\System\ja-JP\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Common Files\System\ja-JP\System.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\Shared\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\Shared\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\ja-JP\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\System\ja-JP\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f

C:\Program Files\Common Files\System\ja-JP\System.exe

"C:\Program Files\Common Files\System\ja-JP\System.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a0943092.xsph.ru | udp
RU | 141.8.192.217:80 | a0943092.xsph.ru | tcp

Files

memory/2180-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

memory/2180-1-0x00000000013B0000-0x0000000001486000-memory.dmp

memory/2180-2-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

C:\Program Files\Common Files\System\ja-JP\System.exe

MD5 e006d21af325e490696eac189d6fe9f0
SHA1 cce2f3a4a2cc3b6ab5161201639dcdd853b8f5ca
SHA256 0cc2a158f676462d631f265f149ef0f1fe1f698e0487877d3e7c17a07c52dcd0
SHA512 933df81a32489d40da8840abc0aaa606598d35b289dbca69ba465499745feaa1a7d05c50d4dccd63d498b84d8378e34575f611c1fd18a801ca36c07619d79811
(same hashes as the submitted sample: the dropped file is an unmodified copy of it)

memory/2176-18-0x0000000000960000-0x0000000000A36000-memory.dmp

memory/2180-17-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 13:11

Reported

2024-05-16 13:14

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
(15 identical entries, one for each schtasks.exe /create call listed under Processes)

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\ShellComponents\SearchApp.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Google\lsass.exe | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Google\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ShellComponents\SearchApp.exe | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A
File created | C:\Windows\ShellComponents\38384e6a620884 | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A
File created | C:\Windows\bcastdvr\backgroundTaskHost.exe | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A
File created | C:\Windows\bcastdvr\eddb19405b7ce1 | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Windows\ShellComponents\SearchApp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\ShellComponents\SearchApp.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e006d21af325e490696eac189d6fe9f0_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellComponents\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\ShellComponents\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxKS4C7dQ8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\ShellComponents\SearchApp.exe

"C:\Windows\ShellComponents\SearchApp.exe"
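
The process lists of behavioral1 and behavioral2 above record the same persistence routine for every dropped copy: three schtasks.exe /create calls, one ONLOGON task with /rl HIGHEST named exactly after the binary, and two MINUTE tasks with different short intervals (the second also /rl HIGHEST) whose name is the binary name plus its own first letter (csrss/csrssc, lsass/lsassl, SearchApp/SearchAppS, backgroundTaskHost/backgroundTaskHostb); every task points at a file carrying a Windows binary name planted outside System32, and the sandbox attributes every schtasks.exe to WmiPrvSE.exe as parent. The Python below is an added example, not part of this report or of any tool it names, that applies those observations to process-creation records. The ProcEvent shape, the threshold of two matching checks, the lenient one-character-suffix rule and the benign control command line are assumptions; the three malicious command lines are copied from the report.

```python
import re
from dataclasses import dataclass

# Binary names the sample reuses for its copies (all taken from the report).
# Genuine instances live under System32/SysWOW64; the sample's copies do not.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "lsass.exe", "spoolsv.exe", "dllhost.exe", "system.exe",
    "runtimebroker.exe", "searchapp.exe", "backgroundtaskhost.exe",
}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Pulls the schtasks switches of interest; values are bare or "quoted", and
# the sample wraps the /tr path in an extra pair of single quotes.
ARG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed shape; the fields Sysmon EID 1
    or Security 4688 give you)."""
    parent_image: str
    image: str
    command_line: str


def parse_schtasks(command_line: str) -> dict:
    """Return the /tn /sc /mo /tr /rl values of a schtasks /create command line."""
    opts = {}
    for key, quoted, bare in ARG_RE.findall(command_line):
        opts[key.lower()] = (quoted or bare).strip("'")
    return opts


def task_findings(opts: dict) -> list:
    """Reasons a parsed /create call resembles the persistence pattern in the report."""
    reasons = []
    target = opts.get("tr", "")
    base = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = base[:-4] if base.endswith(".exe") else base
    if base in SYSTEM_BINARY_NAMES and not target.lower().startswith(LEGIT_DIRS):
        reasons.append(f"{base} launched from non-system path {target}")
    name = opts.get("tn", "").lower()
    # In the report the suffix is the binary's first letter; one extra character
    # of any kind is accepted here so small variations still match (assumption).
    if stem and name.startswith(stem) and len(name) - len(stem) <= 1:
        reasons.append(f"task name {opts['tn']!r} is the binary name plus at most one character")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("requests /rl HIGHEST")
    minutes = opts.get("mo", "")
    if opts.get("sc", "").upper() == "MINUTE" and minutes.isdigit() and int(minutes) <= 15:
        reasons.append(f"re-launches every {minutes} minute(s)")
    return reasons


def hunt(events: list) -> list:
    """Return (event, reasons) for each schtasks /create that trips two or more checks."""
    flagged = []
    for ev in events:
        if not ev.image.lower().endswith("\\schtasks.exe") or "/create" not in ev.command_line.lower():
            continue
        reasons = task_findings(parse_schtasks(ev.command_line))
        # The sandbox attributed every schtasks.exe here to WmiPrvSE.exe, i.e. the
        # task was registered through WMI rather than directly by the dropper.
        if ev.parent_image.lower().endswith("\\wbem\\wmiprvse.exe"):
            reasons.append("spawned by WmiPrvSE.exe rather than by the registering process")
        if len(reasons) >= 2:
            flagged.append((ev, reasons))
    return flagged


WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
# Constructed sample: three command lines copied from the report, one constructed
# benign control, and one unrelated process that must be ignored.
SAMPLE_EVENTS = [
    ProcEvent(WMI, SCHTASKS, r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\csrss.exe'" /rl HIGHEST /f'''),
    ProcEvent(WMI, SCHTASKS, r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\lsass.exe'" /rl HIGHEST /f'''),
    ProcEvent(WMI, SCHTASKS, r'''schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellComponents\SearchApp.exe'" /f'''),
    ProcEvent(r"C:\Windows\system32\cmd.exe", SCHTASKS,
              r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.cmd" /f'''),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\system32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.command_line)
        for r in reasons:
            print("   -", r)
```

Feed it exported Sysmon or 4688 events mapped onto ProcEvent. A task that trips only one check (a legitimate ONLOGON job with /rl HIGHEST, say) stays quiet; that is why the threshold is two, and why the masquerade check is keyed on the target path rather than the task name alone.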

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
NL | 23.62.61.113:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp
NL | 23.62.61.113:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | a0943092.xsph.ru | udp
RU | 141.8.192.217:80 | a0943092.xsph.ru | tcp
US | 8.8.8.8:53 | 217.192.8.141.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 52.111.229.43:443 |  | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
Only the a0943092.xsph.ru lookup and the connection to 141.8.192.217:80 are common to both detonations; the Bing hosts and the in-addr.arpa reverse lookups appear in the Windows 10 run only and are consistent with the operating system's own background traffic, so they should not be treated as indicators of this sample.

Files

memory/4272-0-0x00007FF9F4E93000-0x00007FF9F4E95000-memory.dmp

memory/4272-1-0x0000000000310000-0x00000000003E6000-memory.dmp

memory/4272-2-0x00007FF9F4E90000-0x00007FF9F5951000-memory.dmp

C:\Windows\bcastdvr\backgroundTaskHost.exe

MD5 e006d21af325e490696eac189d6fe9f0
SHA1 cce2f3a4a2cc3b6ab5161201639dcdd853b8f5ca
SHA256 0cc2a158f676462d631f265f149ef0f1fe1f698e0487877d3e7c17a07c52dcd0
SHA512 933df81a32489d40da8840abc0aaa606598d35b289dbca69ba465499745feaa1a7d05c50d4dccd63d498b84d8378e34575f611c1fd18a801ca36c07619d79811
(same hashes as the submitted sample: the dropped file is an unmodified copy of it)

memory/4272-18-0x00007FF9F4E90000-0x00007FF9F5951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cxKS4C7dQ8.bat

MD5 feec6a6187d9de329b5ed07baf064c6d
SHA1 b49724ac33718f3f362caee97f3efed86e28050c
SHA256 0dcf85f0c2c6ce36c71d002a4a33a9765403e0e66795aff48085683a1c8d2b21
SHA512 6f174467689066fb265ef10282d21e6e12aef5a6400e719267307038c5831759819700f2d12b089fa95902ee8cf1ddb2dc4f9580b2da2bafa96ccdd3e2b80c0f
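
The Files tables of both runs show that each dropped executable carries the submitted sample's own MD5/SHA1/SHA256, and the drop tables show a companion file of 14 lowercase hex characters written beside every copy (886983d96e3d3e, 27d1bcfc3c54e0, 6203df4a6bafc7, 38384e6a620884, eddb19405b7ce1). The Python below is an added example, not part of this report or of any tool it names, for triaging a mounted volume or forensic image for those artefacts: it hashes every .exe, flags Windows binary names found outside the directory prefixes assumed legitimate, flags the companion-file pattern, and clusters byte-identical copies. The directory allowlist, the fixture layout and the file contents written into it are constructed assumptions; only the file names, the drop paths and the sample's SHA256 come from the report.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# SHA256 of the submitted sample; every dropped copy in the report carries it.
KNOWN_BAD_SHA256 = {"0cc2a158f676462d631f265f149ef0f1fe1f698e0487877d3e7c17a07c52dcd0"}
# Names the sample reuses for its copies, and (an assumed allowlist) the only
# directory prefixes under the system drive where those names belong.
MASQUERADE_NAMES = {
    "csrss.exe", "lsass.exe", "spoolsv.exe", "dllhost.exe", "system.exe",
    "runtimebroker.exe", "searchapp.exe", "backgroundtaskhost.exe",
}
LEGIT_PREFIXES = ("windows/system32", "windows/syswow64", "windows/systemapps", "windows/winsxs")
# The companion files dropped next to each copy are 14 lowercase hex characters
# with no extension.
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, known_bad=KNOWN_BAD_SHA256) -> list:
    """Walk a mounted drive or image rooted at `root`; return (path, sha256, reasons)."""
    records = {}
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace("\\", "/").lower()
        markers = sorted(f for f in files if MARKER_RE.match(f))
        for fname in files:
            if not fname.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, fname)
            digest = sha256_file(path)
            by_hash[digest].append(path)
            reasons = []
            if fname.lower() in MASQUERADE_NAMES and not rel_dir.startswith(LEGIT_PREFIXES):
                reasons.append(f"{fname} outside its expected location ({rel_dir})")
            if digest in known_bad:
                reasons.append("SHA256 matches a known-bad hash")
            if markers:
                reasons.append("14-hex-character companion file(s) beside it: " + ", ".join(markers))
            records[path] = (digest, reasons)
    # The sample plants byte-identical copies under several names; that alone is a tell.
    for digest, paths in by_hash.items():
        if len(paths) > 1:
            for p in paths:
                records[p][1].append(f"byte-identical copy at {len(paths) - 1} other location(s)")
    return [(p, d, r) for p, (d, r) in records.items() if r]


def build_fixture(root: str) -> str:
    """Lay out a constructed miniature of the behavioral2 drops under `root` and
    return the SHA256 of the stand-in payload so the caller can treat it as known-bad."""
    payload = b"MZ constructed stand-in for the dropped copy, not the real sample"
    layout = {
        "Windows/System32/lsass.exe": b"MZ constructed stand-in for the genuine binary",
        "Program Files (x86)/Google/lsass.exe": payload,
        "Program Files (x86)/Google/6203df4a6bafc7": b"",
        "Windows/ShellComponents/SearchApp.exe": payload,
        "Windows/ShellComponents/38384e6a620884": b"",
        "Windows/bcastdvr/backgroundTaskHost.exe": payload,
        "Windows/bcastdvr/eddb19405b7ce1": b"",
        "Program Files/Vendor/updater.exe": b"MZ constructed unrelated program",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return hashlib.sha256(payload).hexdigest()


def run_demo() -> list:
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        payload_hash = build_fixture(root)
        return scan_tree(root, known_bad=KNOWN_BAD_SHA256 | {payload_hash})


if __name__ == "__main__":
    for path, digest, reasons in run_demo():
        print(f"{path}\n  sha256={digest}")
        for r in reasons:
            print("  -", r)
```

Point scan_tree at the root of the volume (C:\ on a live host, or the mount point of an image). The known-bad set is seeded with the report's SHA256 and is meant to be extended with your own list; the genuine copies under C:\Windows\System32 stay quiet unless the allowlist is wrong for your build, and the duplicate-hash check still fires on copies whose hash you do not know.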