04b00f64881e841e5d020b3f34853cb08db06d48fb0d06b927912a7372837193

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b1026a72a44af785f1fdf60d876d440_NeikiAnalytics.dll
Size

304KB
MD5

0b1026a72a44af785f1fdf60d876d440
SHA1

ace04fb4983400217d2d9882e5649e40a73f78aa
SHA256

04b00f64881e841e5d020b3f34853cb08db06d48fb0d06b927912a7372837193
SHA512

d79ad3bf0645568df75b3d0238d9a0dcbc2493060d0cb9fb45f9730a8102a9ab4d03c6d186d7b9d4fc53cbac9314d54dafdc1db930bad5a71d0af38fcdc92ec5
SSDEEP

6144:bXY1Ku5iEM7Wm3rRVgEvcDAwyJupD74ztWFqA95gOdX+umC:uKxXfRV0AwysZFZ5pX

Score

1^/10

Malware Config

Signatures

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F99A3726-0F92-4504-903C-43D7EF38307D}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\TypeLib\ = "{859D8CF5-7ADE-4DAB-8F7D-AF171643B934}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{859D8CF5-7ADE-4DAB-8F7D-AF171643B934}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F99A3726-0F92-4504-903C-43D7EF38307D}\TypeLib\ = "{859D8CF5-7ADE-4DAB-8F7D-AF171643B934}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F99A3726-0F92-4504-903C-43D7EF38307D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Name.NameCtrl\CLSID\ = "{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\ = "NameCtrl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\ProgID\ = "Name.NameCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\VersionIndependentProgID\ = "Name.NameCtrl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F99A3726-0F92-4504-903C-43D7EF38307D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Name.NameCtrl.1\ = "NameCtrl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Name.NameCtrl\CurVer\ = "Name.NameCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F99A3726-0F92-4504-903C-43D7EF38307D}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{859D8CF5-7ADE-4DAB-8F7D-AF171643B934}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0b1026a72a44af785f1fdf60d876d440_NeikiAnalytics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0b1026a72a44af785f1fdf60d876d440_NeikiAnalytics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{859D8CF5-7ADE-4DAB-8F7D-AF171643B934}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F99A3726-0F92-4504-903C-43D7EF38307D}\ = "INameCtrl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F99A3726-0F92-4504-903C-43D7EF38307D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Name.NameCtrl.1\CLSID\ = "{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Name.NameCtrl\ = "NameCtrl Class"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2096	2108	regsvr32.exe	29
PID 2108 wrote to memory of 2096	2108	regsvr32.exe	29
PID 2108 wrote to memory of 2096	2108	regsvr32.exe	29
PID 2108 wrote to memory of 2096	2108	regsvr32.exe	29
PID 2108 wrote to memory of 2096	2108	regsvr32.exe	29
PID 2108 wrote to memory of 2096	2108	regsvr32.exe	29
PID 2108 wrote to memory of 2096	2108	regsvr32.exe	29

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0b1026a72a44af785f1fdf60d876d440_NeikiAnalytics.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\0b1026a72a44af785f1fdf60d876d440_NeikiAnalytics.dll
  2⤵
  - Modifies registry class
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\15E1.tmp
    C:\Users\Admin\AppData\Local\Temp\15E1.tmp
    3⤵
    PID:1800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2096-0-0x00000000001A0000-0x00000000001DA000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads