Malware Analysis Report

2024-10-10 12:52

Sample ID 240601-ktnl5afh6x
Target 9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe
SHA256 0b345e5ae8de37b8d22088f8360badaeb389711706b1362bc96c599ed8f00489
Tags rat dcrat infostealer
Score 10/10

Analysis Overview

Score 10/10

SHA256

0b345e5ae8de37b8d22088f8360badaeb389711706b1362bc96c599ed8f00489

Threat Level: Known bad

The file 9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

DcRat

Process spawned unexpected child process

DCRat payload

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 08:53

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 08:53

Reported

2024-06-01 08:56

Platform

win7-20231129-en

Max time kernel

133s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Java\jre7\bin\csrss.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows NT\Accessories\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows NT\Accessories\df61633814aa7f | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files\Java\jre7\bin\csrss.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files\Java\jre7\bin\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Java\jre7\bin\csrss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Java\jre7\bin\csrss.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\bin\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics9" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics9" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Program Files\Java\jre7\bin\csrss.exe

"C:\Program Files\Java\jre7\bin\csrss.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | primary-door.000webhostapp.com | udp
US | 145.14.144.236:80 | primary-door.000webhostapp.com | tcp
US | 145.14.144.236:80 | primary-door.000webhostapp.com | tcp
US | 145.14.144.236:80 | primary-door.000webhostapp.com | tcp
US | 8.8.8.8:53 | primary-door.000webhostapp.com | udp
US | 145.14.144.82:80 | primary-door.000webhostapp.com | tcp

Files

memory/2548-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

memory/2548-1-0x0000000000F20000-0x0000000000FF6000-memory.dmp

memory/2548-2-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

C:\Program Files\Java\jre7\bin\csrss.exe

MD5 9538e582aa5407d8a4e30ac240e4e830
SHA1 f515fd4c6c6d93b2e8aa1714b9fd95bcd65405e5
SHA256 0b345e5ae8de37b8d22088f8360badaeb389711706b1362bc96c599ed8f00489
SHA512 21dcb7d928805ea64af9c553d74bb6ab0d3fb53e843ee004bce699dde3a09493d428d0c0fc1738ea5c61576f89c813722e016dc35ce0473646f0e924944373bb

memory/2548-22-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

memory/2824-21-0x0000000000A10000-0x0000000000AE6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 08:53

Reported

2024-06-01 08:56

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\VideoLAN\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files\VideoLAN\Idle.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\e6c9b481da804f | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\services.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files (x86)\Windows Multimedia Platform\6ccacd8608530f | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\df61633814aa7f | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Vss\lsass.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Windows\Vss\6203df4a6bafc7 | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Windows\ImmersiveControlPanel\es-ES\csrss.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Windows\System\MusNotification.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Windows\System\aa97147c4c782d | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
File created | C:\Windows\WaaS\tasks\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A
N/A | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A
N/A | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A
N/A | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A
N/A | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A
N/A | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A
N/A | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A
N/A | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A
N/A | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Public\Downloads\TextInputHost.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Vss\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics9" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre-1.8\legal\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\legal\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics9" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre-1.8\legal\9538e582aa5407d8a4e30ac240e4e830NeikiAnalytics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Downloads\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Windows\System\MusNotification.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\System\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Windows\System\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Users\Public\Downloads\TextInputHost.exe

"C:\Users\Public\Downloads\TextInputHost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | primary-door.000webhostapp.com | udp
US | 145.14.144.90:80 | primary-door.000webhostapp.com | tcp
US | 145.14.144.90:80 | primary-door.000webhostapp.com | tcp
US | 8.8.8.8:53 | 90.144.14.145.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 145.14.144.90:80 | primary-door.000webhostapp.com | tcp
US | 8.8.8.8:53 | primary-door.000webhostapp.com | udp
US | 145.14.144.82:80 | primary-door.000webhostapp.com | tcp

Files

memory/1992-0-0x00007FFD9E693000-0x00007FFD9E695000-memory.dmp

memory/1992-1-0x0000000000D80000-0x0000000000E56000-memory.dmp

memory/1992-4-0x00007FFD9E690000-0x00007FFD9F151000-memory.dmp

C:\Users\Public\AccountPictures\dllhost.exe

MD5 9538e582aa5407d8a4e30ac240e4e830
SHA1 f515fd4c6c6d93b2e8aa1714b9fd95bcd65405e5
SHA256 0b345e5ae8de37b8d22088f8360badaeb389711706b1362bc96c599ed8f00489
SHA512 21dcb7d928805ea64af9c553d74bb6ab0d3fb53e843ee004bce699dde3a09493d428d0c0fc1738ea5c61576f89c813722e016dc35ce0473646f0e924944373bb

memory/1992-40-0x00007FFD9E690000-0x00007FFD9F151000-memory.dmp