dcrat | 66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 04:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Size

1.2MB
MD5

bef8285cfd7940f27ae2cd23329bc3b0
SHA1

25550fa2bd7e20689f695c2dedf44b91a78136e5
SHA256

66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311
SHA512

71bfec2fee44137dd9eba41c922aa39e9f99ab0f46a1a40cfd15a73545f7e7b38ba38b19957ed3ddb07e9781691df88e79dc28a76b757c657a836715243698d8
SSDEEP

24576:5XPG6SZOZ2WlG4n8ndcEaNghwoW6s0NYgUuYjdkUl8:5XPGs2OGzntaUwoW6XNpUfO

Score

10^/10

dcrat infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat 36 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
5056	schtasks.exe
1960	schtasks.exe
3160	schtasks.exe
868	schtasks.exe
4908	schtasks.exe
4784	schtasks.exe
2584	schtasks.exe
1040	schtasks.exe
2772	schtasks.exe
396	schtasks.exe
3036	schtasks.exe
4952	schtasks.exe
3632	schtasks.exe
4056	schtasks.exe
2588	schtasks.exe
2244	schtasks.exe
3136	schtasks.exe
764	schtasks.exe
1224	schtasks.exe
4280	schtasks.exe
3804	schtasks.exe
1984	schtasks.exe
4452	schtasks.exe
1460	schtasks.exe
4164	schtasks.exe
4560	schtasks.exe
3844	schtasks.exe
4364	schtasks.exe
1112	schtasks.exe
4828	schtasks.exe
1212	schtasks.exe
3224	schtasks.exe
4104	schtasks.exe
1856	schtasks.exe
4696	schtasks.exe
4044	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\", \"C:\\Windows\\PrintDialog\\Assets\\services.exe\", \"C:\\odt\\MusNotification.exe\", \"C:\\Windows\\INF\\.NET CLR Networking\\040C\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\wininit.exe\", \"C:\\Program Files\\dotnet\\swidtag\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\it-IT\\wininit.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\", \"C:\\Windows\\PrintDialog\\Assets\\services.exe\", \"C:\\odt\\MusNotification.exe\", \"C:\\Windows\\INF\\.NET CLR Networking\\040C\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\wininit.exe\", \"C:\\Program Files\\dotnet\\swidtag\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\it-IT\\wininit.exe\", \"C:\\Users\\All Users\\msedge.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\", \"C:\\Windows\\PrintDialog\\Assets\\services.exe\", \"C:\\odt\\MusNotification.exe\", \"C:\\Windows\\INF\\.NET CLR Networking\\040C\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\wininit.exe\", \"C:\\Program Files\\dotnet\\swidtag\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\it-IT\\wininit.exe\", \"C:\\Users\\All Users\\msedge.exe\", \"C:\\Users\\Default\\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\", \"C:\\Windows\\PrintDialog\\Assets\\services.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\", \"C:\\Windows\\PrintDialog\\Assets\\services.exe\", \"C:\\odt\\MusNotification.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\", \"C:\\Windows\\PrintDialog\\Assets\\services.exe\", \"C:\\odt\\MusNotification.exe\", \"C:\\Windows\\INF\\.NET CLR Networking\\040C\\winlogon.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\", \"C:\\Windows\\PrintDialog\\Assets\\services.exe\", \"C:\\odt\\MusNotification.exe\", \"C:\\Windows\\INF\\.NET CLR Networking\\040C\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\wininit.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\", \"C:\\Windows\\PrintDialog\\Assets\\services.exe\", \"C:\\odt\\MusNotification.exe\", \"C:\\Windows\\INF\\.NET CLR Networking\\040C\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\wininit.exe\", \"C:\\Program Files\\dotnet\\swidtag\\msedge.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\", \"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\", \"C:\\Windows\\PrintDialog\\Assets\\services.exe\", \"C:\\odt\\MusNotification.exe\", \"C:\\Windows\\INF\\.NET CLR Networking\\040C\\winlogon.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\wininit.exe\", \"C:\\Program Files\\dotnet\\swidtag\\msedge.exe\", \"C:\\Recovery\\WindowsRE\\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	1036	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	1036	schtasks.exe	90

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/412-1-0x00000000005B0000-0x00000000006EE000-memory.dmp	dcrat
behavioral2/files/0x000700000002324f-16.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\PrintDialog\\Assets\\services.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\odt\\MusNotification.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Internet Explorer\\wininit.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics = "\"C:\\Recovery\\WindowsRE\\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Common Files\\System\\it-IT\\wininit.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics = "\"C:\\Users\\Default\\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\odt\\MusNotification.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Internet Explorer\\wininit.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\dotnet\\swidtag\\msedge.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics = "\"C:\\Users\\Default\\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\wininit.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\dotnet\\swidtag\\msedge.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\All Users\\msedge.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\INF\\.NET CLR Networking\\040C\\winlogon.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Windows\\DigitalLocker\\en-US\\msedge.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\PrintDialog\\Assets\\services.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\INF\\.NET CLR Networking\\040C\\winlogon.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics = "\"C:\\Recovery\\WindowsRE\\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Common Files\\System\\it-IT\\wininit.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\All Users\\msedge.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\it-IT\wininit.exe	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\System\it-IT\56085415360792	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\56085415360792	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\wininit.exe	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Internet Explorer\56085415360792	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\swidtag\msedge.exe	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Program Files\dotnet\swidtag\61a52ddc9dd915	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\PrintDialog\Assets\c5b4cb5e9653cc	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Windows\INF\.NET CLR Networking\040C\winlogon.exe	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Windows\INF\.NET CLR Networking\040C\cc11b995f2a76d	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Windows\DigitalLocker\en-US\msedge.exe	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Windows\DigitalLocker\en-US\61a52ddc9dd915	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
File created	C:\Windows\PrintDialog\Assets\services.exe	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3160	schtasks.exe
396	schtasks.exe
4164	schtasks.exe
4908	schtasks.exe
3136	schtasks.exe
3632	schtasks.exe
4828	schtasks.exe
1960	schtasks.exe
2772	schtasks.exe
4452	schtasks.exe
764	schtasks.exe
2588	schtasks.exe
1212	schtasks.exe
1460	schtasks.exe
3804	schtasks.exe
4696	schtasks.exe
5056	schtasks.exe
868	schtasks.exe
1984	schtasks.exe
4784	schtasks.exe
1040	schtasks.exe
4952	schtasks.exe
3224	schtasks.exe
4104	schtasks.exe
4560	schtasks.exe
2584	schtasks.exe
4280	schtasks.exe
1112	schtasks.exe
1224	schtasks.exe
2244	schtasks.exe
1856	schtasks.exe
4364	schtasks.exe
4056	schtasks.exe
4044	schtasks.exe
3036	schtasks.exe
3844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
Token: SeDebugPrivilege	2956	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 3104	412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe	127
PID 412 wrote to memory of 3104	412	66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe	127
PID 3104 wrote to memory of 1624	3104	cmd.exe	129
PID 3104 wrote to memory of 1624	3104	cmd.exe	129
PID 3104 wrote to memory of 2956	3104	cmd.exe	130
PID 3104 wrote to memory of 2956	3104	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BgXRhsq7Jr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1624
- - C:\Recovery\WindowsRE\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe
    "C:\Recovery\WindowsRE\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\en-US\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\Assets\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PrintDialog\Assets\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\PrintDialog\Assets\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\odt\MusNotification.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\odt\MusNotification.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\odt\MusNotification.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\INF\.NET CLR Networking\040C\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\INF\.NET CLR Networking\040C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\INF\.NET CLR Networking\040C\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\swidtag\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\swidtag\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics6" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics6" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\it-IT\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics6" /sc MINUTE /mo 14 /tr "'C:\Users\Default\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Default\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics6" /sc MINUTE /mo 9 /tr "'C:\Users\Default\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311_NeikiAnalytics.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BgXRhsq7Jr.bat

Filesize
270B

MD5
6573f5a8526957c38d68be82c1672433

SHA1
938a0fd7e4e40b183f362384cf12ff348e6373a3

SHA256
cd24cb0bb8b99c1df11b17613e566bde78aac89e985632fda30181a43fb9985b

SHA512
42999b700ea5049726f7d0a3566dbc1f2bff6391b5b38eb3de3c6ab24cb96ac936dc1e05fe677219f8d00685b5a1c05fbd3b0210ce8a0bff43c068d599441ff4

Download Submit
C:\odt\MusNotification.exe

Filesize
1.2MB

MD5
bef8285cfd7940f27ae2cd23329bc3b0

SHA1
25550fa2bd7e20689f695c2dedf44b91a78136e5

SHA256
66adff449794719027ce154809c64d1e6d2850a0cefd527ba959fdc1e2156311

SHA512
71bfec2fee44137dd9eba41c922aa39e9f99ab0f46a1a40cfd15a73545f7e7b38ba38b19957ed3ddb07e9781691df88e79dc28a76b757c657a836715243698d8

Download Submit
memory/412-3-0x0000000002A30000-0x0000000002A4C000-memory.dmp

Filesize
112KB

Download
memory/412-4-0x000000001B370000-0x000000001B3C0000-memory.dmp

Filesize
320KB

Download
memory/412-5-0x0000000002A50000-0x0000000002A66000-memory.dmp

Filesize
88KB

Download
memory/412-6-0x00000000028B0000-0x00000000028C2000-memory.dmp

Filesize
72KB

Download
memory/412-7-0x000000001BFB0000-0x000000001C4D8000-memory.dmp

Filesize
5.2MB

Download
memory/412-0-0x00007FFC4E983000-0x00007FFC4E985000-memory.dmp

Filesize
8KB

Download
memory/412-2-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

Filesize
10.8MB

Download
memory/412-38-0x00007FFC4E980000-0x00007FFC4F441000-memory.dmp

Filesize
10.8MB

Download
memory/412-1-0x00000000005B0000-0x00000000006EE000-memory.dmp

Filesize
1.2MB

Download
memory/2956-43-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download