Analysis
-
max time kernel
149s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
21-06-2024 23:17
Behavioral task
behavioral1
Sample
6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
-
Size
1.0MB
-
MD5
527496f64e5df0e8c2c0fc3dd26842d0
-
SHA1
91632db63b9dbeba3ee61ea02168fef4e856606d
-
SHA256
6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400
-
SHA512
c21c7c057c9a6a5d5222fe9125da4a880a80b1b180f316e2cb4a042a6dd16486c830533e7c81ab0ef8af4c2f784516d271c414b9b80558569cc6c7094a0b1eef
-
SSDEEP
12288:fubxAa9sUFxZ8oq7URPvyKBozWeL+vSgmtjJcDVrCTZSXlVB0mGEB0aNN/cPUeWl:A9sUFxZq7URPt6RL6nBrEZUjGE/L8YZ
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 5 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 404 | 216 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4932 | 216 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3036 | 216 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3076 | 216 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3176 | 216 | schtasks.exe
-
UAC bypass 3 IoCs
Processes: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
-
Processes:
resource | yara_rule
behavioral2/memory/540-1-0x0000000000590000-0x00000000006A2000-memory.dmp | dcrat
-
Checks whether UAC is enabled 2 IoCs
Processes: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
-
Drops file in Windows directory 2 IoCs
Processes: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
description | ioc | process
File created | C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\SystemSettings\Assets\taskhostw.exe | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
File created | C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\SystemSettings\Assets\ea9f0e6c9e2dcd | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid | process
404 | schtasks.exe
4932 | schtasks.exe
3036 | schtasks.exe
3076 | schtasks.exe
3176 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
pid | process
540 | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
540 | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
540 | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
540 | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
540 | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
540 | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
description | pid | process
Token: SeDebugPrivilege | 540 | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
-
System policy modification 1 TTPs 3 IoCs
Processes: 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f74083d8fdf9cafb689ea9b31fa663dc35aec6224d7790f9dca94e5ec76a400_NeikiAnalytics.exe"
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:540
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\SystemSettings\Assets\taskhostw.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.SettingsAppThreshold\SystemSettings\Assets\taskhostw.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
memory/540-0-0x00007FFD3E633000-0x00007FFD3E635000-memory.dmp
Filesize: 8KB
-
memory/540-1-0x0000000000590000-0x00000000006A2000-memory.dmp
Filesize: 1.1MB
-
memory/540-2-0x00007FFD3E630000-0x00007FFD3F0F1000-memory.dmp
Filesize: 10.8MB
-
memory/540-4-0x00000000027C0000-0x00000000027D0000-memory.dmp
Filesize: 64KB
-
memory/540-3-0x00000000027B0000-0x00000000027B8000-memory.dmp
Filesize: 32KB
-
memory/540-5-0x00000000028E0000-0x00000000028EA000-memory.dmp
Filesize: 40KB
-
memory/540-6-0x00000000028F0000-0x00000000028FC000-memory.dmp
Filesize: 48KB
-
memory/540-7-0x0000000002900000-0x000000000290C000-memory.dmp
Filesize: 48KB
-
memory/540-10-0x00007FFD3E630000-0x00007FFD3F0F1000-memory.dmp
Filesize: 10.8MB
-
memory/540-13-0x00007FFD3E630000-0x00007FFD3F0F1000-memory.dmp
Filesize: 10.8MB