Malware Analysis Report

2024-10-10 13:01

Sample ID 240619-f5kbmavcnc
Target 909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe
SHA256 985d31adae8c3af59d71b7343536b91d47324f9d3cf4fe9054cd7de7d91eae90
Tags rat dcrat infostealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 985d31adae8c3af59d71b7343536b91d47324f9d3cf4fe9054cd7de7d91eae90

Threat Level: Known bad

The file 909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DCRat payload

Dcrat family

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-19 05:27

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-19 05:27
Reported 2024-06-19 05:29
Platform win7-20240419-en
Max time kernel 119s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PortfontSessionCrt\Surrogatewinhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\PortfontSessionCrt\Surrogatewinhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe C:\Windows\SysWOW64\WScript.exe
PID 2352 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe C:\Windows\SysWOW64\WScript.exe
PID 2352 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe C:\Windows\SysWOW64\WScript.exe
PID 2352 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe C:\Windows\SysWOW64\WScript.exe
PID 3044 wrote to memory of 2728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\PortfontSessionCrt\Surrogatewinhost.exe
PID 2728 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\PortfontSessionCrt\Surrogatewinhost.exe
PID 2728 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\PortfontSessionCrt\Surrogatewinhost.exe
PID 2728 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\PortfontSessionCrt\Surrogatewinhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\PortfontSessionCrt\8EimBGshDc6J9RnLYcI.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\PortfontSessionCrt\1o3Lgu6edBBBHy.bat" "

C:\PortfontSessionCrt\Surrogatewinhost.exe

"C:\PortfontSessionCrt\Surrogatewinhost.exe"

Network

N/A

Files

C:\PortfontSessionCrt\8EimBGshDc6J9RnLYcI.vbe

MD5 ff12191443a5c24cd2cd426321c5306d
SHA1 5e65df7add3bb1e273c5527e2691c1b7b16f1060
SHA256 404d70a0fbbe25680764225f7d6ad083ef87eb3a135987a060f3e7aada4f6eb2
SHA512 c843358049c87ee4fdc1e24cb8f5085f6810db7463028988aa3d0f3c6755d5eb5ca4572db31cf0c1a7197c38ccecee867675df4e76208730cd81ae58f1e36798

C:\PortfontSessionCrt\1o3Lgu6edBBBHy.bat

MD5 dfcbe6140d35d356b04b454431be6d9f
SHA1 d80f2f7944c5ed82afd54e2f9e356b60e6cfaa8e
SHA256 9a2eb82093c048af59fd0279b8551614181062bf8109ae8ac58f323b3c80c046
SHA512 5e0e46d5c0139e92a995f8ac43f956bbc36f0a31ff7ccda9fc2a3111f4ee0399efd734e00d00b43a224f5da9b1019ef5f0443491f3dbbf5ae0fd0fde67b0789d

C:\PortfontSessionCrt\Surrogatewinhost.exe

MD5 e58586f96025b122cead1c0c9e1749a5
SHA1 4070312deed3538d7c7ce50ebb2b3958eeb79014
SHA256 fb01f3762b6fbae5bd2fb2b242c6f086e99c187f38091e998fd1d2c8927e2429
SHA512 35f60abb82cc38b61ce4034d2e2499e09a075a34cc0fa8629e871ab6864d25e9a7b1cca725a799e7964fe5c07a46ecf718f91dfc7303d39367cde72ad99efb51

memory/2760-13-0x0000000001270000-0x000000000139A000-memory.dmp

memory/2760-14-0x0000000000340000-0x000000000034E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-19 05:27
Reported 2024-06-19 05:29
Platform win10v2004-20240611-en
Max time kernel 138s
Max time network 101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe"

Signatures

DcRat

rat infostealer dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PortfontSessionCrt\Surrogatewinhost.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\PortfontSessionCrt\Surrogatewinhost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\909c2ac7287a86ee99b3e3fa8e507a30_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\PortfontSessionCrt\8EimBGshDc6J9RnLYcI.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\PortfontSessionCrt\1o3Lgu6edBBBHy.bat" "

C:\PortfontSessionCrt\Surrogatewinhost.exe

"C:\PortfontSessionCrt\Surrogatewinhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\PortfontSessionCrt\8EimBGshDc6J9RnLYcI.vbe

MD5 ff12191443a5c24cd2cd426321c5306d
SHA1 5e65df7add3bb1e273c5527e2691c1b7b16f1060
SHA256 404d70a0fbbe25680764225f7d6ad083ef87eb3a135987a060f3e7aada4f6eb2
SHA512 c843358049c87ee4fdc1e24cb8f5085f6810db7463028988aa3d0f3c6755d5eb5ca4572db31cf0c1a7197c38ccecee867675df4e76208730cd81ae58f1e36798

C:\PortfontSessionCrt\1o3Lgu6edBBBHy.bat

MD5 dfcbe6140d35d356b04b454431be6d9f
SHA1 d80f2f7944c5ed82afd54e2f9e356b60e6cfaa8e
SHA256 9a2eb82093c048af59fd0279b8551614181062bf8109ae8ac58f323b3c80c046
SHA512 5e0e46d5c0139e92a995f8ac43f956bbc36f0a31ff7ccda9fc2a3111f4ee0399efd734e00d00b43a224f5da9b1019ef5f0443491f3dbbf5ae0fd0fde67b0789d

C:\PortfontSessionCrt\Surrogatewinhost.exe

MD5 e58586f96025b122cead1c0c9e1749a5
SHA1 4070312deed3538d7c7ce50ebb2b3958eeb79014
SHA256 fb01f3762b6fbae5bd2fb2b242c6f086e99c187f38091e998fd1d2c8927e2429
SHA512 35f60abb82cc38b61ce4034d2e2499e09a075a34cc0fa8629e871ab6864d25e9a7b1cca725a799e7964fe5c07a46ecf718f91dfc7303d39367cde72ad99efb51

memory/4420-12-0x00007FFB82EA3000-0x00007FFB82EA5000-memory.dmp

memory/4420-13-0x0000000000E70000-0x0000000000F9A000-memory.dmp

memory/4420-14-0x00000000031B0000-0x00000000031BE000-memory.dmp