dcrat | e659c778f5a724d4a05b742397966e8d9db42366225f826361e0279c1f30af9d

General

Target

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Size

1.7MB
MD5

a043d8deaf4cb618bcd1973d06c8c670
SHA1

9f0644411da819485df9bc1f0e23eb6b65ea15af
SHA256

e659c778f5a724d4a05b742397966e8d9db42366225f826361e0279c1f30af9d
SHA512

2808f2914cc69f7d0ab994c17719c1df821bf8dc6883da4a8b728ee8e21796c5d26f4968dca08da44d344381fd725c5cfb363c77966a03e490b3e693eca37843
SSDEEP

49152:397qdNJl6WBNgk7OM+l8eW7ILtQmgMvp:39QCkiM+KILGXa

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	2192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	2192	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sihost.exea043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4480-1-0x00000000007D0000-0x0000000000986000-memory.dmp	dcrat
C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exesihost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid process

532 sihost.exe

pid	process
532	sihost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exesihost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 ipinfo.io
32 ipinfo.io

flow	ioc
31	ipinfo.io
32	ipinfo.io

Drops file in Program Files directory 21 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\ea9f0e6c9e2dcd	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\Registry.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\taskhostw.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\6cb0b6c459d5d3	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\smss.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\55b276f4edf653	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\lsass.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\taskhostw.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\Registry.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\66fc9ff0ee96c2	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\69ddcba757bf72	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\smss.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\ee2ad38f3d4382	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\lsass.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\6203df4a6bafc7	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

Drops file in Windows directory 6 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\Fonts\TextInputHost.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Windows\Fonts\22eafd247d37c3	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Windows\schemas\AvailableNetwork\fontdrvhost.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File created	C:\Windows\schemas\AvailableNetwork\5b884080fd4f94	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Windows\Fonts\TextInputHost.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
File opened for modification	C:\Windows\schemas\AvailableNetwork\fontdrvhost.exe	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
760	schtasks.exe
4264	schtasks.exe
772	schtasks.exe
4384	schtasks.exe
2288	schtasks.exe
3496	schtasks.exe
4948	schtasks.exe
5028	schtasks.exe
532	schtasks.exe
4968	schtasks.exe
2960	schtasks.exe
1796	schtasks.exe
4736	schtasks.exe
1800	schtasks.exe
996	schtasks.exe
2492	schtasks.exe
4880	schtasks.exe
4972	schtasks.exe
1660	schtasks.exe
2580	schtasks.exe
2636	schtasks.exe
408	schtasks.exe
3776	schtasks.exe
672	schtasks.exe
4580	schtasks.exe
3160	schtasks.exe
1532	schtasks.exe
4084	schtasks.exe
3832	schtasks.exe
2880	schtasks.exe
4060	schtasks.exe
2476	schtasks.exe
3840	schtasks.exe
4592	schtasks.exe
1264	schtasks.exe
2000	schtasks.exe
1524	schtasks.exe
1904	schtasks.exe
4516	schtasks.exe
376	schtasks.exe
3852	schtasks.exe
4300	schtasks.exe
3800	schtasks.exe
2128	schtasks.exe
1676	schtasks.exe

Modifies registry class 2 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exesihost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	sihost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exesihost.exe

pid	process
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe
532	sihost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sihost.exe

pid process

532 sihost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exesihost.exe

description pid process

Token: SeDebugPrivilege 4480 a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Token: SeDebugPrivilege 532 sihost.exe

pid	process
532	sihost.exe

description	pid	process
Token: SeDebugPrivilege	4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Token: SeDebugPrivilege	532	sihost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exesihost.exe

description	pid	process	target process
PID 4480 wrote to memory of 532	4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe	sihost.exe
PID 4480 wrote to memory of 532	4480	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe	sihost.exe
PID 532 wrote to memory of 4988	532	sihost.exe	WScript.exe
PID 532 wrote to memory of 4988	532	sihost.exe	WScript.exe
PID 532 wrote to memory of 4972	532	sihost.exe	WScript.exe
PID 532 wrote to memory of 4972	532	sihost.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exesihost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a043d8deaf4cb618bcd1973d06c8c670_NeikiAnalytics.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4480

C:\Users\Default\Pictures\sihost.exe
"C:\Users\Default\Pictures\sihost.exe"
2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:532

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c80e02c-ac4d-497e-b6b4-7ba09df8575f.vbs"
3⤵
PID:4988

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e01fe882-7014-488a-961b-9bc642859dee.vbs"
3⤵
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Fonts\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\AvailableNetwork\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\schemas\AvailableNetwork\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Pictures\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\dwm.exe
Filesize
1.7MB

MD5
a043d8deaf4cb618bcd1973d06c8c670

SHA1
9f0644411da819485df9bc1f0e23eb6b65ea15af

SHA256
e659c778f5a724d4a05b742397966e8d9db42366225f826361e0279c1f30af9d

SHA512
2808f2914cc69f7d0ab994c17719c1df821bf8dc6883da4a8b728ee8e21796c5d26f4968dca08da44d344381fd725c5cfb363c77966a03e490b3e693eca37843

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c80e02c-ac4d-497e-b6b4-7ba09df8575f.vbs
Filesize
711B

MD5
79230e18068fd3284a5515d9ad4c9060

SHA1
c62d6edb03ada9e99e46a65bcfc38531a4adaa70

SHA256
81e769fe6165e10af9815f73b7822423a7e6143bd28b662e3492a8b1bab16a29

SHA512
f57deefed21ed465effe686097b68d55af313c4acb74f292c0307c3f3546c7f0910a416a9fcf7cb41ae5bf2217c5208445ec4fa2de1d4e2cf992828dff76682c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e01fe882-7014-488a-961b-9bc642859dee.vbs
Filesize
488B

MD5
ae6c69dfe50f27ab431d2d26627c1517

SHA1
981cf808678e570e839fc01355f26332a8241610

SHA256
5b40411c945886f61287da98971b037b8afee4c121499840b9dfd5048d716e2e

SHA512
3d02acd5a9ccb8e4a675a895bd82fceb357801514267e0673d361924a3ad3997a1b47e1a4b34e1dc19f87e8bfab4ebaa48558dce31e759f514ca057532d41696

Download Submit
memory/4480-14-0x000000001C1A0000-0x000000001C6C8000-memory.dmp

Filesize
5.2MB

Download
memory/4480-17-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download
memory/4480-5-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/4480-8-0x000000001B5E0000-0x000000001B5EA000-memory.dmp

Filesize
40KB

Download
memory/4480-7-0x000000001B5D0000-0x000000001B5D8000-memory.dmp

Filesize
32KB

Download
memory/4480-4-0x0000000002A20000-0x0000000002A28000-memory.dmp

Filesize
32KB

Download
memory/4480-9-0x000000001BC00000-0x000000001BC0C000-memory.dmp

Filesize
48KB

Download
memory/4480-10-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/4480-11-0x000000001BC20000-0x000000001BC2C000-memory.dmp

Filesize
48KB

Download
memory/4480-12-0x000000001BC30000-0x000000001BC38000-memory.dmp

Filesize
32KB

Download
memory/4480-13-0x000000001BC40000-0x000000001BC52000-memory.dmp

Filesize
72KB

Download
memory/4480-0-0x00007FF841E03000-0x00007FF841E05000-memory.dmp

Filesize
8KB

Download
memory/4480-15-0x000000001BC70000-0x000000001BC7C000-memory.dmp

Filesize
48KB

Download
memory/4480-6-0x0000000002BE0000-0x0000000002BE8000-memory.dmp

Filesize
32KB

Download
memory/4480-16-0x000000001BC80000-0x000000001BC88000-memory.dmp

Filesize
32KB

Download
memory/4480-18-0x000000001BCA0000-0x000000001BCAC000-memory.dmp

Filesize
48KB

Download
memory/4480-20-0x000000001BDC0000-0x000000001BDCC000-memory.dmp

Filesize
48KB

Download
memory/4480-19-0x000000001BDB0000-0x000000001BDB8000-memory.dmp

Filesize
32KB

Download
memory/4480-23-0x000000001BEF0000-0x000000001BEFC000-memory.dmp

Filesize
48KB

Download
memory/4480-22-0x000000001BEE0000-0x000000001BEEE000-memory.dmp

Filesize
56KB

Download
memory/4480-21-0x000000001BDD0000-0x000000001BDDA000-memory.dmp

Filesize
40KB

Download
memory/4480-24-0x000000001BF00000-0x000000001BF08000-memory.dmp

Filesize
32KB

Download
memory/4480-26-0x000000001BF20000-0x000000001BF2C000-memory.dmp

Filesize
48KB

Download
memory/4480-25-0x000000001BF10000-0x000000001BF1A000-memory.dmp

Filesize
40KB

Download
memory/4480-3-0x0000000002A00000-0x0000000002A0E000-memory.dmp

Filesize
56KB

Download
memory/4480-131-0x00007FF841E00000-0x00007FF8428C1000-memory.dmp

Filesize
10.8MB

Download
memory/4480-2-0x00007FF841E00000-0x00007FF8428C1000-memory.dmp

Filesize
10.8MB

Download
memory/4480-1-0x00000000007D0000-0x0000000000986000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads