darkcomet | 4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Size

719KB
MD5

c1a3337afb27ed2646b79091729251f0
SHA1

88c7254022e28dba23685f6c31cda79eb133c7fe
SHA256

4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f
SHA512

3cf3d3d02e214f91c336769070aabe35cced9e932c76f0ef50b41f9998d4b6b6b62f4c5bcff3cf5e2f31b5020d0656b9ea07e0c8a99d4be9e4bd173b0ed29929
SSDEEP

12288:eJ80FdJWXadx2rlbXgp7yTVwjPScS2MsfJ3ZFs2Rc:eJ8+MKd8dXfTuVSz8Vlc

Score

10^/10

darkcomet bloodyvictim evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

bloodyvictim

gehtdichnixan.no-ip.org:21

Mutex

DC_MUTEX-M48G38K

Attributes

InstallPath
Antivirus Smart.exe
gencode
uc6fEUW70PuU
install
true
offline_keylogger
true
persistence
false
reg_key
Antivir Update 7.0.3.9

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Antivirus Smart.exe"	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

Antivirus Smart.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" Antivirus Smart.exe
Disables Task Manager via registry modification
evasion

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Antivirus Smart.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

4732 notepad.exe
Executes dropped EXE 3 IoCs

Processes:

ANTIVIRUS.EXEAntivirus Smart.exeAntivirus Smart.exe

pid process

1108 ANTIVIRUS.EXE
1396 Antivirus Smart.exe
3864 Antivirus Smart.exe

pid	process
4732	notepad.exe

pid	process
1108	ANTIVIRUS.EXE
1396	Antivirus Smart.exe
3864	Antivirus Smart.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2532-1-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/2532-3-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/2532-4-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/2532-5-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/2532-6-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/2532-34-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-41-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-42-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-40-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-44-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-43-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-46-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-49-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-50-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-51-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-52-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-53-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-54-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-55-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-56-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-57-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-58-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-59-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-60-0x0000000000400000-0x00000000004DC000-memory.dmp	upx
behavioral2/memory/3864-61-0x0000000000400000-0x00000000004DC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivir Update 7.0.3.9 = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Antivirus Smart.exe"	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exeAntivirus Smart.exe

description	pid	process	target process
PID 4484 set thread context of 2532	4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
PID 1396 set thread context of 3864	1396	Antivirus Smart.exe	Antivirus Smart.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exeAntivirus Smart.exe

pid	process
4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
1396	Antivirus Smart.exe
1396	Antivirus Smart.exe
1396	Antivirus Smart.exe
1396	Antivirus Smart.exe
1396	Antivirus Smart.exe
1396	Antivirus Smart.exe
1396	Antivirus Smart.exe
1396	Antivirus Smart.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exeAntivirus Smart.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeSecurityPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeTakeOwnershipPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeLoadDriverPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeSystemProfilePrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeSystemtimePrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeProfSingleProcessPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeCreatePagefilePrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeBackupPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeRestorePrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeShutdownPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeDebugPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeSystemEnvironmentPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeChangeNotifyPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeRemoteShutdownPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeUndockPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeManageVolumePrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeImpersonatePrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: 33	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: 34	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: 35	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: 36	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
Token: SeIncreaseQuotaPrivilege	3864	Antivirus Smart.exe
Token: SeSecurityPrivilege	3864	Antivirus Smart.exe
Token: SeTakeOwnershipPrivilege	3864	Antivirus Smart.exe
Token: SeLoadDriverPrivilege	3864	Antivirus Smart.exe
Token: SeSystemProfilePrivilege	3864	Antivirus Smart.exe
Token: SeSystemtimePrivilege	3864	Antivirus Smart.exe
Token: SeProfSingleProcessPrivilege	3864	Antivirus Smart.exe
Token: SeIncBasePriorityPrivilege	3864	Antivirus Smart.exe
Token: SeCreatePagefilePrivilege	3864	Antivirus Smart.exe
Token: SeBackupPrivilege	3864	Antivirus Smart.exe
Token: SeRestorePrivilege	3864	Antivirus Smart.exe
Token: SeShutdownPrivilege	3864	Antivirus Smart.exe
Token: SeDebugPrivilege	3864	Antivirus Smart.exe
Token: SeSystemEnvironmentPrivilege	3864	Antivirus Smart.exe
Token: SeChangeNotifyPrivilege	3864	Antivirus Smart.exe
Token: SeRemoteShutdownPrivilege	3864	Antivirus Smart.exe
Token: SeUndockPrivilege	3864	Antivirus Smart.exe
Token: SeManageVolumePrivilege	3864	Antivirus Smart.exe
Token: SeImpersonatePrivilege	3864	Antivirus Smart.exe
Token: SeCreateGlobalPrivilege	3864	Antivirus Smart.exe
Token: 33	3864	Antivirus Smart.exe
Token: 34	3864	Antivirus Smart.exe
Token: 35	3864	Antivirus Smart.exe
Token: 36	3864	Antivirus Smart.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exeAntivirus Smart.exeAntivirus Smart.exe

pid process

4484 4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
1396 Antivirus Smart.exe
3864 Antivirus Smart.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exeAntivirus Smart.exe

description	pid	process	target process
PID 4484 wrote to memory of 2532	4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
PID 4484 wrote to memory of 2532	4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
PID 4484 wrote to memory of 2532	4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
PID 4484 wrote to memory of 2532	4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
PID 4484 wrote to memory of 2532	4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
PID 4484 wrote to memory of 2532	4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
PID 4484 wrote to memory of 2532	4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
PID 4484 wrote to memory of 2532	4484	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
PID 2532 wrote to memory of 1108	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	ANTIVIRUS.EXE
PID 2532 wrote to memory of 1108	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	ANTIVIRUS.EXE
PID 2532 wrote to memory of 1108	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	ANTIVIRUS.EXE
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 4732	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	notepad.exe
PID 2532 wrote to memory of 1396	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	Antivirus Smart.exe
PID 2532 wrote to memory of 1396	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	Antivirus Smart.exe
PID 2532 wrote to memory of 1396	2532	4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe	Antivirus Smart.exe
PID 1396 wrote to memory of 3864	1396	Antivirus Smart.exe	Antivirus Smart.exe
PID 1396 wrote to memory of 3864	1396	Antivirus Smart.exe	Antivirus Smart.exe
PID 1396 wrote to memory of 3864	1396	Antivirus Smart.exe	Antivirus Smart.exe
PID 1396 wrote to memory of 3864	1396	Antivirus Smart.exe	Antivirus Smart.exe
PID 1396 wrote to memory of 3864	1396	Antivirus Smart.exe	Antivirus Smart.exe
PID 1396 wrote to memory of 3864	1396	Antivirus Smart.exe	Antivirus Smart.exe
PID 1396 wrote to memory of 3864	1396	Antivirus Smart.exe	Antivirus Smart.exe
PID 1396 wrote to memory of 3864	1396	Antivirus Smart.exe	Antivirus Smart.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Antivirus Smart.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	Antivirus Smart.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	Antivirus Smart.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	Antivirus Smart.exe

C:\Users\Admin\AppData\Local\Temp\4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f_NeikiAnalytics.exe
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\ANTIVIRUS.EXE
"C:\Users\Admin\AppData\Local\Temp\ANTIVIRUS.EXE"
3⤵
- Executes dropped EXE
PID:1108

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Deletes itself
PID:4732

C:\ProgramData\Microsoft\Windows\Start Menu\Antivirus Smart.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Antivirus Smart.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\ProgramData\Microsoft\Windows\Start Menu\Antivirus Smart.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Antivirus Smart.exe"
4⤵
- Modifies security service
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4276 /prefetch:8
1⤵
PID:2408

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Antivirus Smart.exe
Filesize
719KB

MD5
c1a3337afb27ed2646b79091729251f0

SHA1
88c7254022e28dba23685f6c31cda79eb133c7fe

SHA256
4121f49259adce0401501e7afe372cb729b1870e655261540dcef4232b4dd07f

SHA512
3cf3d3d02e214f91c336769070aabe35cced9e932c76f0ef50b41f9998d4b6b6b62f4c5bcff3cf5e2f31b5020d0656b9ea07e0c8a99d4be9e4bd173b0ed29929

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANTIVIRUS.EXE
Filesize
135KB

MD5
1a466dcfc0c3a5c9ecc3201612db5d6f

SHA1
e09d7fadee425b417d18cb422a4af3855df0263b

SHA256
044e4366d0340747a3ea3b3e4edf0e37f4c61e6fd8b366fee12207e693e923ec

SHA512
a51bbdf80b9ced7c71ba34901b97eee1d5142d3c2037fc67ea1253415ec62d7339e859acb320a57b04a2ba90ff802ef3e82fee46ff192ceba810d1b447142cca

Download Submit
memory/1108-27-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-47-0x0000000072B3E000-0x0000000072B3F000-memory.dmp

Filesize
4KB

Download
memory/1108-48-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-25-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/1108-26-0x0000000005310000-0x0000000005366000-memory.dmp

Filesize
344KB

Download
memory/1108-20-0x0000000072B3E000-0x0000000072B3F000-memory.dmp

Filesize
4KB

Download
memory/1108-21-0x0000000000700000-0x000000000072A000-memory.dmp

Filesize
168KB

Download
memory/1108-22-0x00000000050C0000-0x000000000515C000-memory.dmp

Filesize
624KB

Download
memory/1108-23-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/1108-24-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/2532-4-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2532-3-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2532-6-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2532-5-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2532-34-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2532-1-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-41-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-57-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-40-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-44-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-43-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-46-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-61-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-60-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-49-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-50-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-51-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-52-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-53-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-54-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-55-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-56-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-42-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-58-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/3864-59-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/4484-0-0x0000000000650000-0x0000000000654000-memory.dmp

Filesize
16KB

Download
memory/4732-28-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download