Malware Analysis Report

2024-10-10 12:51

Sample ID: 240601-ctmqtsfc72
Target: 89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe
SHA256: 22f7bf186d1354cb9d48a6731b32ed9f58490c856d883744e7c794e7c682c77d
Tags: rat dcrat evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 22f7bf186d1354cb9d48a6731b32ed9f58490c856d883744e7c794e7c682c77d
Threat Level: Known bad

The file 89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

Tags: rat dcrat evasion infostealer persistence trojan

Dcrat family
Process spawned unexpected child process
Modifies WinLogon for persistence
DcRat
UAC bypass
DCRat payload
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Adds Run key to start application
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
System policy modification
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-01 02:22

Signatures

DCRat payload
rat
1 match; no description, indicator, process or target reported.

Dcrat family
dcrat

Unsigned PE
1 match; no description, indicator, process or target reported.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 02:22
Reported: 2024-06-01 02:24
Platform: win7-20240508-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A

The value was written 14 times by the sample process. Each write re-sets the whole comma-separated list with one more quoted path appended (the observed values have 1, 2, ... 14 entries after explorer.exe). The default is the bare string explorer.exe; Userinit starts every program in the list at each interactive logon, so the final value launches all 14 dropped copies alongside the real shell:

explorer.exe,
"C:\Users\All Users\Microsoft Help\audiodg.exe",
"C:\Program Files\Mozilla Firefox\fonts\explorer.exe",
"C:\Program Files (x86)\Windows Portable Devices\explorer.exe",
"C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe",
"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe",
"C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe",
"C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe",
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\spoolsv.exe",
"C:\Users\Default\Recent\spoolsv.exe",
"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe",
"C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\audiodg.exe",
"C:\MSOCache\All Users\audiodg.exe",
"C:\Program Files (x86)\Microsoft Office\sppsvc.exe",
"C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dllhost.exe"

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(42 identical events, one per schtasks.exe invocation listed under Processes)

schtasks.exe appearing as a child of WmiPrvSE.exe rather than of the sample is what starting a process through WMI (Win32_Process.Create) looks like in the process tree: the dropper never shows up as the parent, so a detection that only looks for schtasks.exe spawned by an unsigned or user-writable binary would miss all 42 of these.

UAC bypass

evasion trojan
These values live under HKLM\...\Policies\System, which requires administrative rights to write, so this is UAC being switched off from an already-elevated context rather than bypassed. ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0 silence the elevation prompt without a reboot; EnableLUA = 0 disables UAC altogether after the next reboot.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A

DCRat payload

rat
3 matches; no description, indicator, process or target reported.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str), 28 writes, all by C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe (Target N/A). Each of the 14 dropped paths is registered once under the machine hive and once under the user hive. The value name is the dropped file's base name, so audiodg, explorer and spoolsv are each written three times with different paths and only the last write under a given name survives; the report does not give the write order, so the surviving path per name cannot be read off this table.

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
dllhost = "C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dllhost.exe"
audiodg = "C:\Users\All Users\Microsoft Help\audiodg.exe"
audiodg = "C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\audiodg.exe"
audiodg = "C:\MSOCache\All Users\audiodg.exe"
spoolsv = "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe"
spoolsv = "C:\Users\Default\Recent\spoolsv.exe"
spoolsv = "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\spoolsv.exe"
wininit = "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe"
sppsvc = "C:\Program Files (x86)\Microsoft Office\sppsvc.exe"
explorer = "C:\Program Files\Mozilla Firefox\fonts\explorer.exe"
explorer = "C:\Program Files (x86)\Windows Portable Devices\explorer.exe"
explorer = "C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe"
smss = "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe"
services = "C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe"

\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run:
the same 14 name = path pairs as above.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe N/A

Drops file in Program Files directory

Each dropped executable in these directories is accompanied by a second file with a 14-hex-character name (0a1fd5f707cd16, 7a0fd90576e088, f3b6ecef712a24); the same companion name is reused for both explorer.exe copies. The report does not describe their contents.
Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\explorer.exe C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\explorer.exe C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Microsoft Office\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Windows\Boot\Fonts\winlogon.exe C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\audiodg.exe C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(42 schtasks.exe invocations; the individual /create command lines are listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
N/A N/A C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\fonts\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\taxgl12Zjm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe

"C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe"

Network

Country Destination Domain Proto
RU 62.109.27.103:80 tcp
RU 62.109.27.103:80 tcp

Files

memory/2556-0-0x000007FEF5BF3000-0x000007FEF5BF4000-memory.dmp

memory/2556-1-0x00000000003B0000-0x0000000000550000-memory.dmp

memory/2556-2-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

memory/2556-3-0x0000000000670000-0x000000000068C000-memory.dmp

memory/2556-4-0x0000000000690000-0x00000000006A6000-memory.dmp

memory/2556-5-0x0000000000850000-0x0000000000862000-memory.dmp

memory/2556-6-0x0000000000870000-0x0000000000880000-memory.dmp

memory/2556-7-0x0000000000860000-0x000000000086A000-memory.dmp

memory/2556-8-0x0000000000880000-0x000000000088C000-memory.dmp

memory/2556-9-0x0000000002010000-0x000000000201C000-memory.dmp

memory/2556-10-0x0000000002020000-0x0000000002028000-memory.dmp

memory/2556-11-0x0000000002030000-0x000000000203C000-memory.dmp

memory/2556-12-0x00000000020C0000-0x00000000020CE000-memory.dmp

memory/2556-13-0x00000000020D0000-0x00000000020DC000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe

MD5 89d45d766eb2694ff45cd58044964870
SHA1 d086a6a9d539e041dd96e8cb61d0404e15c68735
SHA256 22f7bf186d1354cb9d48a6731b32ed9f58490c856d883744e7c794e7c682c77d
SHA512 055eb1dbb68b5f7948f8b11a7c310f4aa9691f5668b62fd72522ac20ad58efa172aeadedc0766e709846660c2a18402175de91b0775f5ea4fe0167d9434287b0

C:\Users\Admin\AppData\Local\Temp\taxgl12Zjm.bat

MD5 1ca4eb901a43bf8a2535f013613151a8
SHA1 abf219e55c56fba341fc1780af012ad69ce0c428
SHA256 8db464f9c04185e3ec476e56d2010e071a630006b6dca2b63b8ceadf1f3d3db2
SHA512 5b96a87ca8690c2cd7703af7ca48132180f7a810a133d317ffe0d4ab51e89c20d662d8176e5b4b2167710838b8bc91ed457f64bb57a59c50d6f6612fdca04bc9

memory/2556-47-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

memory/1752-50-0x0000000000F90000-0x0000000001130000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 02:22

Reported

2024-06-01 02:24

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe\", \"C:\\Program Files\\Java\\jre8\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\", \"C:\\Users\\Admin\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe\", \"C:\\Program Files\\Java\\jre8\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\", \"C:\\Users\\Admin\\msedge.exe\", \"C:\\Windows\\Panther\\actionqueue\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe\", \"C:\\Program Files\\Java\\jre8\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe\", \"C:\\Program Files\\Java\\jre8\\Registry.exe\", \"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Panther\actionqueue\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Panther\actionqueue\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Panther\actionqueue\upfc.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Panther\actionqueue\upfc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\89d45d766eb2694ff45cd58044964870_NeikiAnalytics = "\"C:\\Program Files (x86)\\Windows Media Player\\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\89d45d766eb2694ff45cd58044964870_NeikiAnalytics = "\"C:\\Program Files (x86)\\Windows Media Player\\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Admin\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Admin\\msedge.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Java\\jre8\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Java\\jre8\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\WindowsPowerShell\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\Panther\\actionqueue\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\Panther\\actionqueue\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Panther\actionqueue\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Panther\actionqueue\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Media Player\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Media Player\24232b39907860 C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files\Java\jre8\Registry.exe C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files\Java\jre8\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files\WindowsPowerShell\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files\WindowsPowerShell\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Program Files (x86)\Windows Media Player\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Panther\actionqueue\upfc.exe C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
File created C:\Windows\Panther\actionqueue\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Panther\actionqueue\upfc.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Panther\actionqueue\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Panther\actionqueue\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Panther\actionqueue\upfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A
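The "UAC bypass", "Checks whether UAC is enabled" and "System policy modification" tables (in both behavioral1 and behavioral2) record the same three writes, first from the original sample and then from its dropped copy (services.exe on Windows 7, upfc.exe on Windows 10): EnableLUA = 0 switches UAC off at the next boot, ConsentPromptBehaviorAdmin = 0 makes elevation silent for administrators until then, and PromptOnSecureDesktop = 0 removes the secure-desktop prompt. The "Modifies WinLogon for persistence" table shows the Winlogon Shell value being grown one entry at a time from the default explorer.exe into a comma-separated list that also launches every dropped copy at logon. The Python below is an added example, not code from the report or from the sandbox vendor: it parses the report's "Set value" rows, lists the processes that wrote all three UAC values, and lists the non-default Shell entries per process. The rows in the sample are copied from behavioral2; the svchost.exe row is a constructed benign control.

```python
"""Added example, not part of the sandbox report: parse registry "Set value"
rows and flag the UAC-disable triad and Winlogon\\Shell additions."""
import csv
import re
from collections import defaultdict

POLICY_KEY = r"\registry\machine\software\microsoft\windows\currentversion\policies\system"
WINLOGON_KEY = r"\registry\machine\software\microsoft\windows nt\currentversion\winlogon"
# EnableLUA=0 turns UAC off at next boot; ConsentPromptBehaviorAdmin=0 elevates
# admins without a prompt; PromptOnSecureDesktop=0 drops the secure desktop.
UAC_DISABLE = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0",
               "PromptOnSecureDesktop": "0"}

# One report row: Set value (type) <key>\<name> = "<value>" <process> N/A
_ROW = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]+) = '
    r'"(?P<value>.*)" (?P<process>[A-Za-z]:\\.+?) N/A$'
)


def parse_row(line):
    """Parse one 'Set value' row; None for other rows such as 'Key value queried'."""
    m = _ROW.match(line.strip())
    return m.groupdict() if m else None


def unescape(raw):
    """Undo the backslash escaping the report applies inside string values."""
    return re.sub(r'\\(["\\])', r'\1', raw)


def shell_entries(value):
    """Split a decoded Winlogon Shell value into its comma-separated programs."""
    return [e.strip() for e in next(csv.reader([value], skipinitialspace=True)) if e.strip()]


def uac_disabled_by(rows):
    """Processes that set all three UAC policy values to 0."""
    seen = defaultdict(dict)
    for r in rows:
        if r["key"].lower() == POLICY_KEY:
            seen[r["process"]][r["name"]] = r["value"]
    return [proc for proc, vals in seen.items()
            if all(vals.get(n) == v for n, v in UAC_DISABLE.items())]


def winlogon_extras(rows):
    """Per process, every Shell entry other than the default explorer.exe."""
    extras = defaultdict(set)
    for r in rows:
        if r["key"].lower() == WINLOGON_KEY and r["name"].lower() == "shell":
            extras[r["process"]].update(
                e for e in shell_entries(unescape(r["value"])) if e.lower() != "explorer.exe")
    return dict(extras)


def triage(lines):
    rows = [r for r in map(parse_row, lines) if r]
    return {"uac_disabled_by": uac_disabled_by(rows),
            "winlogon_shell_extras": winlogon_extras(rows)}


# Constructed input: rows copied from the behavioral2 signature tables, plus a
# constructed benign row (svchost.exe setting EnableLUA back to 1) as a control.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\Panther\actionqueue\upfc.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\Panther\actionqueue\upfc.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Panther\actionqueue\upfc.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Panther\actionqueue\upfc.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Media Player\\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe\", \"C:\\Program Files\\Java\\jre8\\Registry.exe\"" C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\System32\svchost.exe N/A',
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE_ROWS).items():
        print(f"{name}: {result}")
```

The Shell value is split with the csv module because Winlogon treats it as a comma-separated list and the dropper quotes each path it appends; splitting on commas alone would break on paths containing commas. On a live host the same two keys can be read back with Get-ItemProperty, keeping in mind that a changed EnableLUA only takes effect after a reboot, so an EnableLUA of 0 with UAC prompts still appearing is itself a sign that the change is recent.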

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "89d45d766eb2694ff45cd58044964870_NeikiAnalytics8" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "89d45d766eb2694ff45cd58044964870_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "89d45d766eb2694ff45cd58044964870_NeikiAnalytics8" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre8\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Java\jre8\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre8\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Admin\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\actionqueue\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\actionqueue\upfc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVcYKqbrtj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4672 /prefetch:8

C:\Windows\Panther\actionqueue\upfc.exe

"C:\Windows\Panther\actionqueue\upfc.exe"
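The process lists of behavioral1 and behavioral2 show one persistence routine applied to every dropped copy: three tasks per binary, a "<name><letter>" task on a MINUTE interval, a "<name>" task ONLOGON with /rl HIGHEST, and the "<name><letter>" task again with /rl HIGHEST, each pointing at a copy that borrows a Windows binary name (smss, services, wininit, spoolsv, audiodg, dllhost, explorer, sppsvc, fontdrvhost, upfc) but lives in a writable location such as C:\Recovery, C:\MSOCache, a Program Files subfolder or the user profile rather than System32. The "Process spawned unexpected child process" table in behavioral2 shows those schtasks.exe instances parented by wmiprvse.exe, which is consistent with process creation through WMI (Win32_Process.Create), whose children are parented by WmiPrvSE.exe. The cmd.exe /C <random>.bat step followed by w32tm /stripchart against localhost is the usual batch-file delay before the renamed copy is started; the batch file itself is not reproduced on the page. The Python below is an added example, not code from the report or from the sandbox vendor: it parses schtasks /create command lines, flags system-binary names launched from outside the system directories, counts tasks per target binary, and flags tasks created under wmiprvse.exe. The command lines in the sample are copied from behavioral1; the parent-process values and the final benign control line are assumed.

```python
"""Added example, not part of the sandbox report: triage schtasks.exe command
lines from a process list for the DCRat-style task-persistence pattern."""
import re
from collections import defaultdict

# Windows binary names the dropper reuses for its copies (assumed list). The
# genuine files live in System32/SysWOW64; explorer.exe lives in C:\Windows.
SYSTEM_NAMES = {"smss.exe", "services.exe", "wininit.exe", "spoolsv.exe",
                "audiodg.exe", "dllhost.exe", "explorer.exe", "sppsvc.exe",
                "fontdrvhost.exe", "upfc.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

_FIELD = {
    "tn": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "sc": re.compile(r"/sc\s+(\w+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "rl": re.compile(r"/rl\s+(\w+)", re.I),
    # the dropper writes /tr as "'path'" so the path survives a second parse
    "tr": re.compile(r"/tr\s+\"'?([^\"']*)'?\"", re.I),
}


def parse_schtasks(cmdline):
    """Return the /create fields of one schtasks command line, or None."""
    if not re.search(r"/create\b", cmdline, re.I):
        return None
    task = {}
    for key, rx in _FIELD.items():
        m = rx.search(cmdline)
        task[key] = m.group(1) if m else None
    task["mo"] = int(task["mo"]) if task["mo"] else None
    task["force"] = re.search(r"/f\b", cmdline, re.I) is not None
    return task


def impersonates_system_binary(path):
    """True when a system-binary name is launched from a non-system directory."""
    directory, _, name = path.lower().rpartition("\\")
    if name not in SYSTEM_NAMES:
        return False
    allowed = SYSTEM_DIRS | ({"c:\\windows"} if name == "explorer.exe" else set())
    return directory not in allowed


def group_by_target(tasks):
    """Task names per launched binary; DCRat registers three tasks per copy."""
    groups = defaultdict(list)
    for t in tasks:
        if t["tr"]:
            groups[t["tr"].lower()].append(t["tn"])
    return dict(groups)


def triage(events):
    """events: dicts with 'parent' and 'cmdline'. Returns the findings."""
    findings = {"impersonating": [], "wmi_spawned": [], "highest_on_logon": []}
    tasks = []
    for ev in events:
        task = parse_schtasks(ev["cmdline"])
        if task is None:
            continue
        tasks.append(task)
        # schtasks parented by WmiPrvSE.exe: the creator went through WMI
        if ev.get("parent", "").lower().endswith("\\wmiprvse.exe"):
            findings["wmi_spawned"].append(task["tn"])
        if task["tr"] and impersonates_system_binary(task["tr"]):
            findings["impersonating"].append(task["tn"])
        if (task["sc"] or "").upper() == "ONLOGON" and (task["rl"] or "").upper() == "HIGHEST":
            findings["highest_on_logon"].append(task["tn"])
    findings["targets"] = {p: len(n) for p, n in group_by_target(tasks).items()}
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\89d45d766eb2694ff45cd58044964870_NeikiAnalytics.exe"
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
# Constructed input: command lines copied from the behavioral1 process list;
# parent values are assumed, and the last entry is a constructed benign control.
SAMPLE_EVENTS = [
    {"parent": SAMPLE, "cmdline": r'''schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /f'''},
    {"parent": SAMPLE, "cmdline": r'''schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f'''},
    {"parent": SAMPLE, "cmdline": r'''schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\audiodg.exe'" /rl HIGHEST /f'''},
    {"parent": SAMPLE, "cmdline": r'''schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f'''},
    {"parent": WMI, "cmdline": r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\services.exe'" /rl HIGHEST /f'''},
    {"parent": r"C:\Windows\System32\cmd.exe", "cmdline": r'''schtasks.exe /create /tn "SoundCheck" /sc DAILY /st 02:00 /tr "C:\Windows\System32\audiodg.exe" /f'''},
]

if __name__ == "__main__":
    for name, result in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

The name check is deliberately narrow: it fires only on a known system-binary name outside the directory where that binary really lives, so a legitimate task running C:\Windows\System32\audiodg.exe (the control line) passes while the same name under C:\Users\All Users\Microsoft Help does not. The per-target count is the DCRat tell: three tasks for one binary, two of them at HIGHEST run level, created within seconds of each other.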

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 62.109.27.103:80 tcp
RU 62.109.27.103:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/5052-0-0x00007FFAFC2D3000-0x00007FFAFC2D5000-memory.dmp

memory/5052-1-0x0000000000EF0000-0x0000000001090000-memory.dmp

memory/5052-2-0x00007FFAFC2D0000-0x00007FFAFCD91000-memory.dmp

memory/5052-3-0x0000000003210000-0x000000000322C000-memory.dmp

memory/5052-4-0x000000001C320000-0x000000001C370000-memory.dmp

memory/5052-5-0x000000001C2D0000-0x000000001C2E6000-memory.dmp

memory/5052-6-0x000000001BCB0000-0x000000001BCC2000-memory.dmp

memory/5052-7-0x000000001C310000-0x000000001C320000-memory.dmp

memory/5052-8-0x000000001C2F0000-0x000000001C2FA000-memory.dmp

memory/5052-9-0x000000001C300000-0x000000001C30C000-memory.dmp

memory/5052-11-0x000000001C480000-0x000000001C488000-memory.dmp

memory/5052-12-0x000000001C490000-0x000000001C49C000-memory.dmp

memory/5052-10-0x000000001C470000-0x000000001C47C000-memory.dmp

memory/5052-14-0x000000001C4B0000-0x000000001C4BC000-memory.dmp

memory/5052-13-0x000000001C4A0000-0x000000001C4AE000-memory.dmp

C:\Windows\Panther\actionqueue\upfc.exe

MD5 89d45d766eb2694ff45cd58044964870
SHA1 d086a6a9d539e041dd96e8cb61d0404e15c68735
SHA256 22f7bf186d1354cb9d48a6731b32ed9f58490c856d883744e7c794e7c682c77d
SHA512 055eb1dbb68b5f7948f8b11a7c310f4aa9691f5668b62fd72522ac20ad58efa172aeadedc0766e709846660c2a18402175de91b0775f5ea4fe0167d9434287b0

C:\Users\Admin\AppData\Local\Temp\OVcYKqbrtj.bat

MD5 993becbe708c40424bc186b4441e75c6
SHA1 70a1173e563a0d82cfbd53efedc142cc8d21f2cd
SHA256 f00071c9904773c858f96a0ff33772def5015bec72cbac398609328bb4a85f96
SHA512 f52bd9254e8dfae94648ef7d9af49c4006cc85d7b02cf995bb37c131ccdd0d8c1d98ecca0368592a692a2b4d0c95596a9624f1fde619b118a100820a82410944

memory/5052-31-0x00007FFAFC2D0000-0x00007FFAFCD91000-memory.dmp

memory/4364-35-0x0000000003250000-0x0000000003262000-memory.dmp

memory/4364-37-0x000000001C730000-0x000000001C832000-memory.dmp