Analysis
max time kernel
128s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
20-06-2024 07:11
Behavioral task
behavioral1
Sample
434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
Target
434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
Size
1.2MB
MD5
a5eb2e112e632a425a7dda05b86658c0
SHA1
097e969d55bd57a7095f0769a979121c01cc8a2f
SHA256
434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2
SHA512
82149a2112d690209a076cfe1ea14e8901e3af10ee0f256f7f59e26fd37a7a1830cf60945a902b2e5e9d1b783779be4ac84e10bbd35162832f3eaf6376e3b09b
SSDEEP
12288:6gxqAqAVsc6zQ2Sms5TZFU2lAJqq+1KUL/QXmVjyr4ddDniHhU0uRtyLfaSVGArO:OMVsc6zk3ZFU2zDXbjhiBUI7TGAHh+j
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description, pid, pid_target, process). The description is the same for all fifteen rows: "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process".
2652 | 2132 | schtasks.exe
2668 | 2132 | schtasks.exe
2568 | 2132 | schtasks.exe
2752 | 2132 | schtasks.exe
2472 | 2132 | schtasks.exe
2820 | 2132 | schtasks.exe
2616 | 2132 | schtasks.exe
2740 | 2132 | schtasks.exe
2448 | 2132 | schtasks.exe
2516 | 2132 | schtasks.exe
2976 | 2132 | schtasks.exe
1720 | 2132 | schtasks.exe
2680 | 2132 | schtasks.exe
2964 | 2132 | schtasks.exe
3012 | 2132 | schtasks.exe
YARA matches (resource, yara_rule):
behavioral1/memory/756-1-0x0000000000870000-0x00000000009A2000-memory.dmp | dcrat
C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe | dcrat
behavioral1/memory/1120-23-0x00000000011C0000-0x00000000012F2000-memory.dmp | dcrat
Executes dropped EXE (1 IoC)
Processes (pid, process):
1120 | Idle.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (4 IoCs)
Processes (description, ioc, process). All four are created by 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe:
File created | C:\Program Files\Mozilla Firefox\fonts\Idle.exe
File created | C:\Program Files\Mozilla Firefox\fonts\6ccacd8608530f
File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\en-US\886983d96e3d3e
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTP, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
2652 schtasks.exe, 2472 schtasks.exe, 2740 schtasks.exe, 3012 schtasks.exe, 2568 schtasks.exe, 2976 schtasks.exe, 2752 schtasks.exe, 2616 schtasks.exe, 2680 schtasks.exe, 2964 schtasks.exe, 2668 schtasks.exe, 2820 schtasks.exe, 2448 schtasks.exe, 2516 schtasks.exe, 1720 schtasks.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes (pid, process):
756 | 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe (5 hits)
1120 | Idle.exe (13 hits)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
1120 | Idle.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege | 756 | 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
Token: SeDebugPrivilege | 1120 | Idle.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description, pid, process, target process):
PID 756 wrote to memory of 1120 | 756 | 434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe | Idle.exe (3 times)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe
  command: "C:\Users\Admin\AppData\Local\Temp\434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2_NeikiAnalytics.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 756
[depth 2] C:\Program Files\Mozilla Firefox\fonts\Idle.exe
  command: "C:\Program Files\Mozilla Firefox\fonts\Idle.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID: 1120
The fifteen schtasks.exe processes below are top-level entries (depth 1), not children of PID 756 in the tree; the "Process spawned unexpected child process" signature above attributes each of them to parent C:\Windows\system32\wbem\wmiprvse.exe. Every one of them carries the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task".
[depth 1] C:\Windows\system32\schtasks.exe
  PID 2652: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /f
  PID 2668: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
  PID 2568: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
  PID 2752: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /f
  PID 2472: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
  PID 2820: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f
  PID 2616: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
  PID 2740: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
  PID 2448: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
  PID 2516: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /f
  PID 2976: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f
  PID 1720: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f
  PID 2680: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /f
  PID 2964: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
  PID 3012: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
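The two signatures that fire on the schtasks.exe processes ("Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task") can be reproduced from ordinary process-creation telemetry. The following is an added example written for this page, not code from the sandbox or from DcRat: it parses Sysmon Event ID 1 style events (ParentImage, Image, CommandLine, ProcessId, ParentProcessId), flags wmiprvse.exe spawning anything outside a baseline, and pulls the /tn, /sc, /mo, /tr and /rl switches out of each `schtasks /create` command line to flag system-binary names scheduled from non-system paths, /rl HIGHEST on such paths, and minute-level re-execution. The events are constructed from the tree above plus two benign controls; the wmiprvse.exe child baseline and the 15-minute threshold are assumptions to tune per environment.

```python
"""Added example (not sandbox or DcRat code): re-derive two of this report's
signatures from constructed process-creation events."""
import re
from pathlib import PureWindowsPath

SYSTEM_BINARY_NAMES = {"csrss.exe", "spoolsv.exe", "wininit.exe", "lsass.exe",
                       "services.exe", "smss.exe", "winlogon.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WMIPRVSE_EXPECTED_CHILDREN = {"conhost.exe", "wmiprvse.exe"}   # assumed baseline
MAX_BENIGN_MINUTE_INTERVAL = 15                                 # assumed threshold


def basename(path):
    return PureWindowsPath(path).name.lower()


def _switch(cmdline, flag):
    """Value of one schtasks switch (/tn, /tr, ...), with surrounding quotes removed."""
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return value.strip("'")  # the sample wraps /tr paths in '...' inside "..."


def parse_schtasks_create(cmdline):
    """Persistence-relevant fields of a `schtasks /create` line, or None if it is not one."""
    if not re.search(r"schtasks(\.exe)?\b.*\s/create\b", cmdline, re.IGNORECASE):
        return None
    return {flag: _switch(cmdline, flag) for flag in ("tn", "sc", "mo", "tr", "rl")}


def analyze_event(ev):
    """Run both checks on one process-creation event and return its findings."""
    findings = []
    parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
    # Check 1: the "Process spawned unexpected child process" signature.
    if parent == "wmiprvse.exe" and image not in WMIPRVSE_EXPECTED_CHILDREN:
        findings.append(f"pid {ev['ProcessId']}: wmiprvse.exe (pid "
                        f"{ev['ParentProcessId']}) spawned unexpected child {image}")
    # Check 2: what the scheduled task runs, from where, and how often.
    task = parse_schtasks_create(ev["CommandLine"]) if image == "schtasks.exe" else None
    if task and task["tr"]:
        target = task["tr"]
        name = basename(target)
        in_sysdir = target.lower().startswith(SYSTEM_DIRS)
        if name in SYSTEM_BINARY_NAMES and not in_sysdir:
            findings.append(f"task {task['tn']!r}: system binary name {name} "
                            f"scheduled from non-system path {target}")
        if (task["rl"] or "").upper() == "HIGHEST" and not in_sysdir:
            findings.append(f"task {task['tn']!r}: /rl HIGHEST for a binary "
                            f"outside the system directories ({target})")
        if ((task["sc"] or "").upper() == "MINUTE" and (task["mo"] or "").isdigit()
                and int(task["mo"]) <= MAX_BENIGN_MINUTE_INTERVAL):
            findings.append(f"task {task['tn']!r}: re-runs every {task['mo']} minute(s)")
    return findings


# Constructed events: four rows taken from the process tree above, two benign controls.
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCH = r"C:\Windows\system32\schtasks.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 2652, "ParentProcessId": 2132, "ParentImage": WMI, "Image": SCH,
     "CommandLine": r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /f'''},
    {"ProcessId": 2668, "ParentProcessId": 2132, "ParentImage": WMI, "Image": SCH,
     "CommandLine": r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f'''},
    {"ProcessId": 2976, "ParentProcessId": 2132, "ParentImage": WMI, "Image": SCH,
     "CommandLine": r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f'''},
    {"ProcessId": 2964, "ParentProcessId": 2132, "ParentImage": WMI, "Image": SCH,
     "CommandLine": r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f'''},
    # Benign control: an admin creating a daily task from Explorer (constructed).
    {"ProcessId": 4100, "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": SCH,
     "CommandLine": r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'''},
    # Benign control: a normal service host start (constructed).
    {"ProcessId": 4200, "ParentProcessId": 900, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]


def run(events=SAMPLE_EVENTS):
    """Map each event's ProcessId to its findings (an empty list means nothing flagged)."""
    return {ev["ProcessId"]: analyze_event(ev) for ev in events}


if __name__ == "__main__":
    for pid, hits in run().items():
        print(pid, hits or "clean")
```

The parent-child check is deliberately a baseline comparison rather than a hard-coded "wmiprvse.exe must never spawn schtasks.exe": WMI-driven management tooling does legitimately create processes through wmiprvse.exe in some environments, so the expected-children set is the tunable part. The schtasks parser is what gives the alert its content, because the task name alone (spoolsv, csrss, wininit) is designed to look like a system task; the /tr path is what proves it is not.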
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe
Filesize
1.2MB
MD5
a5eb2e112e632a425a7dda05b86658c0
SHA1
097e969d55bd57a7095f0769a979121c01cc8a2f
SHA256
434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2
SHA512
82149a2112d690209a076cfe1ea14e8901e3af10ee0f256f7f59e26fd37a7a1830cf60945a902b2e5e9d1b783779be4ac84e10bbd35162832f3eaf6376e3b09b
All four hashes are identical to those of the submitted sample: the dropped csrss.exe is a byte-for-byte copy of the original executable, so the sample's file hashes cover this drop as well.
memory/756-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp
Filesize
4KB
memory/756-1-0x0000000000870000-0x00000000009A2000-memory.dmp
Filesize
1.2MB
memory/756-2-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp
Filesize
9.9MB
memory/756-3-0x0000000000140000-0x000000000015C000-memory.dmp
Filesize
112KB
memory/756-4-0x00000000002D0000-0x00000000002E6000-memory.dmp
Filesize
88KB
memory/756-5-0x00000000002F0000-0x00000000002FC000-memory.dmp
Filesize
48KB
memory/756-22-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp
Filesize
9.9MB
memory/1120-23-0x00000000011C0000-0x00000000012F2000-memory.dmp
Filesize
1.2MB
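The dropped files listed under "Drops file in Program Files directory", the scheduled-task targets in the process tree, and the hash block above together give a host-level sweep. The following is an added example, not sandbox output or DcRat code: it checks the exact drop and task-target paths from this report against the sample's SHA256, then walks the volume for any file carrying a Windows system-binary name (csrss.exe, spoolsv.exe, wininit.exe and similar) outside System32 or SysWOW64, which is the masquerade pattern every task in the tree relies on. The demo directory tree, its file contents and their hashes are constructed for the test run; the `SYSTEM_BINARY_NAMES` list is an assumption you should extend for your estate.

```python
"""Added example (not sandbox or DcRat code): sweep a volume for the artefacts
this report lists, plus any system-binary name living outside the system dirs."""
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

SAMPLE_SHA256 = "434b6198a4fb2bb21b741b19df74188a0f8f0fdb9fb16de63d71277bfcffaab2"
# Drop locations and scheduled-task targets from the report, relative to the volume root.
DROP_PATHS = [
    r"Program Files\Mozilla Firefox\fonts\Idle.exe",
    r"Program Files\Mozilla Firefox\fonts\6ccacd8608530f",
    r"Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe",
    r"Program Files (x86)\Windows Photo Viewer\en-US\886983d96e3d3e",
    r"Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe",
    r"Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe",
    r"MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe",
]
SYSTEM_BINARY_NAMES = {"csrss.exe", "spoolsv.exe", "wininit.exe", "lsass.exe",
                       "services.exe", "smss.exe", "winlogon.exe", "svchost.exe"}
SYSTEM_DIRS = ("windows/system32/", "windows/syswow64/")  # lower-case, posix-style, root-relative


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, known_hashes=frozenset({SAMPLE_SHA256}), drop_paths=DROP_PATHS):
    """Sweep a volume root (a live system drive or a mounted image) and return
    {root-relative posix path: {"tags": set of findings, "sha256": digest}}."""
    root = Path(root)
    findings = {}

    def add(p, tag, digest=None):
        rel = p.relative_to(root).as_posix()
        entry = findings.setdefault(rel, {"tags": set(), "sha256": digest or sha256_file(p)})
        entry["tags"].add(tag)

    # Pass 1: exact locations from the report, hash-matched against the sample.
    for rel in drop_paths:
        p = root.joinpath(*PureWindowsPath(rel).parts)
        if p.is_file():
            digest = sha256_file(p)
            add(p, "known-sample" if digest in known_hashes else "drop-path", digest)
    # Pass 2: any system-binary name that is not under the system directories.
    for p in root.rglob("*"):
        if p.is_file() and p.name.lower() in SYSTEM_BINARY_NAMES:
            if not p.relative_to(root).as_posix().lower().startswith(SYSTEM_DIRS):
                add(p, "masquerade")
    return findings


def build_demo_tree(root):
    """Constructed fixture: one dropped copy at a report path, one legitimate csrss.exe,
    one stray spoolsv.exe. Returns the SHA256 of the constructed stand-in 'sample'."""
    sample = b"constructed stand-in for the sample bytes"
    files = {
        r"Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe": sample,
        r"Windows\System32\csrss.exe": b"constructed legitimate csrss",
        r"Users\Admin\Downloads\spoolsv.exe": b"constructed stray copy",
    }
    for rel, data in files.items():
        p = Path(root).joinpath(*PureWindowsPath(rel).parts)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return hashlib.sha256(sample).hexdigest()


def demo():
    """Run the sweep over the constructed tree; on a real host pass the volume root to hunt()."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(tmp, known_hashes={build_demo_tree(tmp)})


if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        print(f"{rel}: {', '.join(sorted(info['tags']))} sha256={info['sha256']}")
```

Pass 1 is cheap and precise but only catches this build; pass 2 is the generic check and is the one that survives a recompile with different hashes. On a full system drive the rglob walk is slow and will need exclusions, so run it against a mounted image or scope it to the user-writable and Program Files trees first. Note that "drop-path" without "known-sample" is still worth a look: the two 14-hex-character companion files have no reason to exist at those locations regardless of their content.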