Analysis Overview
SHA256
2c29e92bc8fe517a2f687eb0ac03bf711b74414cfa41998fb6d0b1f65929bca8
Threat Level: Known bad
The file 8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Grants admin privileges
Modifies Windows Firewall
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious use of AdjustPrivilegeToken
Collects information from the system
Gathers system information
Enumerates processes with tasklist
Runs net.exe
Analysis: static1
Detonation Overview
Reported
2024-06-01 04:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 04:27
Reported
2024-06-01 04:30
Platform
win7-20240221-en
Max time kernel
118s
Max time network
151s
Signatures
AsyncRat
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| netsh firewall show state | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| netsh firewall show config | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Both netsh.exe invocations recorded in the process list only read the firewall state and configuration through the legacy netsh firewall context; no rule, profile or service change appears anywhere in this run, so treat the signature name as over-broad and rely on the command lines.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ertdtayhlv = "C:\\Users\\Admin\\AppData\\Roaming\\Ertdtayhlv.exe" | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2980 set thread context of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe |
PID 2980 is the first instance of the sample and PID 2664 the second copy it started. Writing into a freshly created copy of itself (the WriteProcessMemory signature below) and then resetting that copy's thread context is the process-hollowing pattern; the 0x400000-0x416000 dump of PID 2664 in the Files list is the first region to carve for the injected payload.
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
The long WMIC.exe sequence repeats for each wmic invocation in the process list and is WMIC's own start-up behaviour of enabling every privilege present in its token, not something the sample requested; the bare numbers are privilege LUIDs the sandbox did not resolve to names. Only the three SeDebugPrivilege rows attributed to the sample executable belong to the sample itself.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\HOSTNAME.EXE
hostname
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net user
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net localgroup
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net localgroup administrators
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net user guest
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net user administrator
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist /svc
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\ROUTE.EXE
route print
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\ARP.EXE
arp -a
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -ano
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\sc.exe
sc query type=service state=all
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall show state
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall show config
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net wlan show interfaces
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 wlan show interfaces
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profiles
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic product get name
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\tree.com
tree "C:\Users\Admin\Documents\Tencent Files"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\tree.com
tree "C:\Users\Admin\Documents\WeChat Files"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\tree.com
tree "C:\Users\Admin\Desktop" /F
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\tree.com
tree /F
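The command lines above, one cmd.exe per query, are a single host-discovery sweep: system (systeminfo, hostname, wmic logicaldisk), accounts and groups (net user, net localgroup), autostarts (wmic startup), processes (tasklist /svc), network (ipconfig, route, arp, netstat), services (sc query), firewall and Wi-Fi (netsh), installed software (wmic product) and the user's files (tree, with Tencent and WeChat directories singled out). Two rows are side effects rather than the sample's intent: msiexec.exe /V is what any Win32_Product enumeration spawns, because Windows Installer revalidates every installed package during that query, and net wlan show interfaces is a malformed command (net.exe has no wlan verb; the working netsh form follows it). A detection should key on the burst itself, many distinct discovery techniques from one initiating process within about a minute, rather than on any single command, since each of them is also routine administrator activity. The Python below is an added example, not code from the report, the sandbox or the sample: it replays constructed process-creation events in the shape of Sysmon Event ID 1 built from a subset of this list, assumes the hollowed second instance (PID 2664) is the parent of each cmd.exe (the report does not record parent PIDs), and uses an ATT&CK mapping, wrapper list and thresholds that are the example's own.

```python
import re
from collections import defaultdict, namedtuple

# One process-creation event in the shape of Sysmon Event ID 1; ts is seconds into the log.
ProcEvent = namedtuple("ProcEvent", "ts pid ppid image cmdline")

# Relay processes that only pass a command on; walk through them to the real initiator.
WRAPPERS = {"cmd.exe", "net.exe", "net1.exe", "chcp.com"}

# Command patterns taken from the report, mapped to ATT&CK techniques. The mapping is this
# example's own, not the sandbox's; "net1?" also covers net.exe's net1.exe helper.
DISCOVERY = [(re.compile(p, re.I), t) for p, t in [
    (r"^(systeminfo|hostname|wmic\s+logicaldisk)\b", "T1082 System Information Discovery"),
    (r"^net1?\s+user\b", "T1087.001 Local Account Discovery"),
    (r"^net1?\s+localgroup\b", "T1069.001 Local Groups Discovery"),
    (r"^tasklist\b", "T1057 Process Discovery"),
    (r"^(ipconfig|route\s+print|arp\s+-a|netsh\s+wlan\s+show)\b", "T1016 System Network Configuration Discovery"),
    (r"^netstat\b", "T1049 System Network Connections Discovery"),
    (r"^sc\s+query\b", "T1007 System Service Discovery"),
    (r"^netsh\s+firewall\s+show\b", "T1518.001 Security Software Discovery"),
    (r"^wmic\s+product\b", "T1518 Software Discovery"),
    (r"^tree\b", "T1083 File and Directory Discovery"),
]]


def normalize(cmdline):
    """'C:\\Windows\\system32\\net1 user' -> 'net1 user'; '"cmd.exe"' -> 'cmd.exe'."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        first, rest = (s[1:end], s[end + 1:]) if end > 0 else (s[1:], "")
    else:
        first, _, rest = s.partition(" ")
    first = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return f"{first} {rest.strip()}".strip()


def classify(cmdline):
    """Return the discovery technique a command line implements, or None."""
    norm = normalize(cmdline)
    return next((t for pat, t in DISCOVERY if pat.search(norm)), None)


def initiator(ev, by_pid):
    """Walk up through wrapper shells to the process that actually issued the command."""
    seen = set()
    while ev.pid not in seen:
        seen.add(ev.pid)
        parent = by_pid.get(ev.ppid)
        if parent is None:                              # top of the recorded tree
            break
        if parent.image.rsplit("\\", 1)[-1].lower() not in WRAPPERS:
            return parent
        ev = parent
    return ev


def detect_discovery_bursts(events, window_s=60.0, min_techniques=4):
    """One alert per initiator that runs >= min_techniques distinct techniques inside window_s."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(list)                            # initiator pid -> [(ts, technique, cmd)]
    for ev in sorted(events, key=lambda e: e.ts):
        technique = classify(ev.cmdline)
        if technique:
            hits[initiator(ev, by_pid).pid].append((ev.ts, technique, ev.cmdline))
    alerts = []
    for pid, items in hits.items():
        best, start = set(), None
        for t0, _, _ in items:                          # densest window of distinct techniques
            techs = {tech for ts, tech, _ in items if t0 <= ts <= t0 + window_s}
            if len(techs) > len(best):
                best, start = techs, t0
        if len(best) >= min_techniques:
            alerts.append({"initiator_pid": pid, "initiator_image": by_pid[pid].image,
                           "window_start": start, "techniques": sorted(best),
                           "commands": [c for ts, _, c in items if start <= ts <= start + window_s]})
    return alerts


# Constructed replay of a subset of the report's process list. Assumption: the hollowed second
# instance (PID 2664) is the parent of every cmd.exe; the report does not record parent PIDs.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe"
S32 = "C:\\Windows\\SysWOW64\\"
RECON = [("systeminfo.exe", "systeminfo"), ("HOSTNAME.EXE", "hostname"),
         ("Wbem\\WMIC.exe", "wmic logicaldisk get caption,description,providername"),
         ("net.exe", "net user"), ("net.exe", "net localgroup administrators"),
         ("tasklist.exe", "tasklist /svc"), ("ipconfig.exe", "ipconfig /all"),
         ("NETSTAT.EXE", "netstat -ano"), ("sc.exe", "sc query type=service state=all"),
         ("netsh.exe", "netsh firewall show state"), ("netsh.exe", "netsh wlan show profiles"),
         ("tree.com", 'tree "C:\\Users\\Admin\\Desktop" /F')]


def build_sample_events():
    ev = [ProcEvent(0.0, 2980, 1000, SAMPLE, f'"{SAMPLE}"'), ProcEvent(1.0, 2664, 2980, SAMPLE, f'"{SAMPLE}"')]
    pid = 3000
    for i, (image, cmd) in enumerate(RECON):
        t = 5.0 + 1.5 * i
        ev.append(ProcEvent(t, pid, 2664, S32 + "cmd.exe", '"cmd.exe"'))
        ev.append(ProcEvent(t + 0.2, pid + 1, pid, S32 + image, cmd))
        if image == "net.exe":                          # net.exe hands off to net1.exe, as in the report
            ev.append(ProcEvent(t + 0.3, pid + 2, pid + 1, S32 + "net1.exe", "C:\\Windows\\system32\\net1 " + cmd[4:]))
        pid += 3
    # Benign control: an operator runs a single ipconfig from an Explorer-launched shell.
    ev += [ProcEvent(90.0, 4000, 1, "C:\\Windows\\explorer.exe", "explorer.exe"),
           ProcEvent(91.0, 4100, 4000, S32 + "cmd.exe", '"cmd.exe"'),
           ProcEvent(92.0, 4101, 4100, S32 + "ipconfig.exe", "ipconfig /all")]
    return ev


if __name__ == "__main__":
    for a in detect_discovery_bursts(build_sample_events()):
        print(f"PID {a['initiator_pid']} ran {len(a['techniques'])} discovery techniques from t={a['window_start']}s")
        print("\n".join("    " + c for c in a["commands"]))
```

On the constructed events the sample's hollowed instance trips the rule with nine distinct techniques inside twenty seconds, while the Explorer-launched ipconfig does not. The parent-walk matters more than the pattern list: without it every hit is attributed to a different cmd.exe PID and no single process ever crosses the threshold.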
Network
| Country | Destination | Domain | Proto |
| SG | 149.28.150.93:3299 | | tcp |
| SG | 149.28.150.93:3299 | | tcp |
| SG | 149.28.150.93:3299 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| BE | 2.17.107.81:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 23.55.97.181:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | ipconfig.co | udp |
| US | 172.67.148.109:443 | ipconfig.co | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
149.28.150.93:3299 is the only destination reached without a preceding DNS lookup and is the command-and-control candidate for this run. The crl.microsoft.com, www.microsoft.com and csc3-2004-crl.verisign.com traffic is Windows certificate-revocation checking that any detonation produces; ipconfig.co and api.ipify.org are the external-IP lookups flagged under Signatures.
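Sorting a sandbox Network table into indicators and noise is mechanical once the rule is written down: a connection to a public address with no name resolution is the C2 candidate, connections to the external-IP services named in Signatures are a fingerprinting step, Microsoft, VeriSign, Symantec, Bing and in-addr.arpa traffic is the guest operating system talking to itself, and queries to the sandbox resolver are not indicators at all. The Python below is an added example, not part of the report or of the sandbox's tooling: it applies that rule to rows copied from this run's Network table and from behavioral2, tolerates the column shift in the source (rows with an empty Domain cell have tcp moved one column left), and also checks Run values like the Ertdtayhlv entry above against a user-writable-path heuristic. The noise suffix list, the resolver address, the two benign Run values and the heuristic itself are the example's assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Rows copied from the behavioral1 and behavioral2 Network tables (header included). Two rows
# keep the source's column shift: an empty Domain cell with "tcp" moved into it.
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| SG | 149.28.150.93:3299 | tcp | |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| BE | 2.17.107.81:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 172.67.148.109:443 | ipconfig.co | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 93.150.28.149.in-addr.arpa | udp |
| SG | 149.28.150.93:62940 | tcp | |
| US | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
"""

# Assumptions of this example: suffixes the guest OS contacts on its own (CRL/OCSP checks, Bing
# tiles, reverse-DNS lookups), the external-IP services named in the report, and the resolver.
OS_NOISE_SUFFIXES = ("microsoft.com", "verisign.com", "symantec.com",
                     "bing.com", "bing.net", "in-addr.arpa")
IP_LOOKUP_SERVICES = {"api.ipify.org", "ipconfig.co"}
RESOLVER = "8.8.8.8"


def parse_row(line):
    """Parse one '| country | ip:port | domain | proto |' row; None for header or blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, domain, proto = cells
    if domain in ("tcp", "udp") and not proto:      # tolerate the shifted column
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify_connection(row):
    if row["ip"] == RESOLVER and row["port"] == 53:
        return "dns_query"              # the sandbox resolver is not itself an indicator
    if row["domain"] in IP_LOOKUP_SERVICES:
        return "external_ip_lookup"
    if row["domain"].endswith(OS_NOISE_SUFFIXES):
        return "os_noise"
    if not row["domain"] and ipaddress.ip_address(row["ip"]).is_global:
        return "c2_candidate"           # direct-to-IP connection with no name lookup
    return "unclassified"


def triage_network(table_text):
    """Bucket every row: names for DNS/noise/lookup rows, ip:port for everything else."""
    buckets = defaultdict(set)
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        kind = classify_connection(row)
        by_name = kind in ("dns_query", "external_ip_lookup", "os_noise")
        buckets[kind].add(row["domain"] if by_name else f"{row['ip']}:{row['port']}")
    return {kind: sorted(values) for kind, values in buckets.items()}


# Run values: the first is the report's persistence entry; the other two are constructed benign
# entries showing that vendor subfolders under AppData and system paths are not flagged.
RUN_VALUES = [
    ("Ertdtayhlv", r"C:\Users\Admin\AppData\Roaming\Ertdtayhlv.exe"),
    ("OneDrive", r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]
# Heuristic: an executable sitting directly in AppData\Roaming, AppData\Local\Temp or Users\Public.
USER_WRITABLE_DROP = re.compile(
    r"\\(AppData\\Roaming|AppData\\Local\\Temp|Users\\Public)\\[^\\]+\.exe\b", re.I)


def suspicious_run_values(entries):
    return [name for name, data in entries if USER_WRITABLE_DROP.search(data)]


if __name__ == "__main__":
    for kind, values in triage_network(NETWORK_ROWS).items():
        print(f"{kind:20s} {', '.join(values)}")
    print("suspicious Run values:", suspicious_run_values(RUN_VALUES))
```

The two c2_candidate entries share an address but not a port (3299 in behavioral1, 62940 in behavioral2), so a block list should carry the IP and a detection should not pin the port. The Run-key heuristic is deliberately narrow: a vendor subfolder under AppData\Local is where legitimate per-user software lives, and widening the pattern to all of AppData would flag OneDrive and Teams on every host.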
Files
memory/2980-30-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-28-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-26-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-24-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-22-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-20-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-18-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-16-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-15-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-12-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-10-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-8-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-6-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-5-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-4-0x0000000007AF0000-0x0000000007D14000-memory.dmp
memory/2980-3-0x0000000005320000-0x0000000005760000-memory.dmp
memory/2980-2-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2980-1-0x0000000000D60000-0x0000000001012000-memory.dmp
memory/2980-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
memory/2980-32-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-34-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-36-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-38-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-40-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-42-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-46-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-44-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-48-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-50-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-52-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-54-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-56-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-58-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-60-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-62-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-64-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-68-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-66-0x0000000007AF0000-0x0000000007D0E000-memory.dmp
memory/2980-4886-0x0000000004870000-0x00000000048BC000-memory.dmp
memory/2980-4885-0x0000000000CE0000-0x0000000000D3E000-memory.dmp
memory/2980-4887-0x0000000004C60000-0x0000000004CB4000-memory.dmp
memory/2980-4900-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2664-4905-0x0000000000400000-0x0000000000416000-memory.dmp
memory/2664-4906-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2664-4907-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2664-4909-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2664-4926-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2664-4927-0x0000000000A00000-0x0000000000A0E000-memory.dmp
memory/2664-4928-0x0000000000A10000-0x0000000000A1E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar1720.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e4c936860848bfcb1679fe1a43caca0 |
| SHA1 | 4e4c93739426b07dce22abad15ab6bfa3cf15faa |
| SHA256 | 69586f07ae82b2813dbc912661021c13faf80a42c7f631d83c9ea6c80027747b |
| SHA512 | 23f8698f6fa23c2be49a8ad0fb24269745252de5f15a1e0d494d381d2e950e36cb3ece8f23cd5abdc90ec3046bb209f49750747ec8e4fcc9ab8b1f37c87825b8 |
memory/2664-4969-0x0000000074B20000-0x000000007520E000-memory.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
This entry is the SAM remote-procedure-call pipe opened for the net user and net localgroup queries, not a file on disk; the digests are those of empty input (d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes).
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 04:27
Reported
2024-06-01 04:30
Platform
win10v2004-20240508-en
Max time kernel
130s
Max time network
152s
Signatures
AsyncRat
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| netsh firewall show state | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| netsh firewall show config | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
As in behavioral1, the two netsh.exe invocations only read the firewall state and configuration (the legacy netsh firewall context is deprecated on Windows 10 but still answers show commands); nothing in the run changes a rule, profile or service.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ertdtayhlv = "C:\\Users\\Admin\\AppData\\Roaming\\Ertdtayhlv.exe" | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4020 set thread context of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe |
Same process-hollowing pattern as behavioral1, with PID 4020 as the first instance and PID 1552 as the copy it writes into; the 0x400000-0x416000 dump of PID 1552 in the Files list is the region to carve for the injected payload.
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\systeminfo.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
As in behavioral1, the WMIC.exe rows are WMIC enabling every privilege in its own token at start-up, repeated for each wmic invocation, and only the three SeDebugPrivilege rows attributed to the sample executable are the sample's own behaviour. LUID 36 (SeDelegateSessionUserImpersonatePrivilege) appears only here because that privilege was introduced in Windows 10; the Windows 7 run stops at 35.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d7e75a6cff8af7fceb924ec1efc4260_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\systeminfo.exe
systeminfo
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\HOSTNAME.EXE
hostname
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net user
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net localgroup
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net localgroup administrators
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net user guest
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net user administrator
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist /svc
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\ROUTE.EXE
route print
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\ARP.EXE
arp -a
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\NETSTAT.EXE
netstat -ano
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\sc.exe
sc query type=service state=all
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall show state
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall show config
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\net.exe
net wlan show interfaces
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 wlan show interfaces
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profiles
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic product get name
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\tree.com
tree "C:\Users\Admin\Documents\Tencent Files"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\tree.com
tree "C:\Users\Admin\Documents\WeChat Files"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\tree.com
tree "C:\Users\Admin\Desktop" /F
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\tree.com
tree /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| SG | 149.28.150.93:62940 | | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 93.150.28.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| SG | 149.28.150.93:62940 | | tcp |
| SG | 149.28.150.93:62940 | | tcp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| US | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipconfig.co | udp |
| US | 172.67.148.109:443 | ipconfig.co | tcp |
| US | 8.8.8.8:53 | 109.148.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
As in behavioral1, 149.28.150.93 is the only destination contacted without a name lookup, here on port 62940 rather than 3299, and the 93.150.28.149.in-addr.arpa query is a reverse lookup of that same address. The bing.com, bing.net and remaining in-addr.arpa rows and the Symantec OCSP check are Windows 10 background traffic; ipconfig.co and api.ipify.org are again the external-IP lookups.
Files
memory/4020-0-0x000000007492E000-0x000000007492F000-memory.dmp
memory/4020-1-0x0000000000F40000-0x00000000011F2000-memory.dmp
memory/4020-2-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/4020-3-0x00000000063C0000-0x0000000006800000-memory.dmp
memory/4020-4-0x0000000007930000-0x0000000007B54000-memory.dmp
memory/4020-5-0x0000000008100000-0x00000000086A4000-memory.dmp
memory/4020-6-0x0000000007BF0000-0x0000000007C82000-memory.dmp
memory/4020-16-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-7-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-19-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-28-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-40-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-48-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-54-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-52-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-50-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-47-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-42-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-38-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-36-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-34-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-32-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-44-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-30-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-26-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-24-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-22-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-20-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-14-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-12-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-10-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-8-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-68-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-60-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-56-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-70-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-66-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-64-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-62-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-58-0x0000000007930000-0x0000000007B4E000-memory.dmp
memory/4020-4887-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/4020-4889-0x0000000006120000-0x000000000616C000-memory.dmp
memory/4020-4888-0x00000000060C0000-0x000000000611E000-memory.dmp
memory/4020-4890-0x0000000007D10000-0x0000000007D64000-memory.dmp
memory/1552-4894-0x0000000000400000-0x0000000000416000-memory.dmp
memory/1552-4895-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/4020-4896-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/1552-4897-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/1552-4898-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/1552-4901-0x00000000061D0000-0x000000000626C000-memory.dmp
memory/1552-4902-0x00000000062E0000-0x0000000006346000-memory.dmp
memory/1552-4903-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/1552-4904-0x0000000007150000-0x00000000071C6000-memory.dmp
memory/1552-4905-0x00000000062B0000-0x00000000062BE000-memory.dmp
memory/1552-4906-0x00000000071D0000-0x00000000071EE000-memory.dmp
memory/1552-4907-0x0000000007710000-0x000000000771E000-memory.dmp
memory/1552-4908-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/1552-4909-0x0000000074920000-0x00000000750D0000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
This entry is the LSA remote-procedure-call pipe used by the same net user and net localgroup queries, not a file on disk; the digests are those of empty input.