Analysis
-
max time kernel
93s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13-05-2024 19:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
04a79de582cc7c99d7cbf2678021c150_NeikiAnalytics.dll
Resource
win7-20240220-en
windows7-x64
2 signatures
150 seconds
General
-
Target
04a79de582cc7c99d7cbf2678021c150_NeikiAnalytics.dll
-
Size
617KB
-
MD5
04a79de582cc7c99d7cbf2678021c150
-
SHA1
093ceba0a2ea5939b9deb5a0868778275497d092
-
SHA256
9f19cb96e25fd5eec8205571ef36254238216720e2f40858cd2c196fa7abb0db
-
SHA512
26d32966152a4276ede86b9c8422038ea419fb68d8ca46c7f86e0f733877331c56a0cecdf55f8436150c2ff3d33d6b38cfde1e2974ec0d3c508c3c98a555a2cf
-
SSDEEP
6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYV:o6RI1Fo/wT3cJYYYYYYYYYYYYV
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2348 wrote to memory of 5116 2348 rundll32.exe 81 PID 2348 wrote to memory of 5116 2348 rundll32.exe 81 PID 2348 wrote to memory of 5116 2348 rundll32.exe 81
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\04a79de582cc7c99d7cbf2678021c150_NeikiAnalytics.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\04a79de582cc7c99d7cbf2678021c150_NeikiAnalytics.dll,#12⤵PID:5116
-
Network
-
GEThttps://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90Remote address:23.62.61.139:443RequestGET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Mon, 13 May 2024 19:14:46 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.873d3e17.1715627686.3909320
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request138.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.197.17.2.in-addr.arpaIN PTRResponse240.197.17.2.in-addr.arpaIN PTRa2-17-197-240deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request139.61.62.23.in-addr.arpaIN PTRResponse139.61.62.23.in-addr.arpaIN PTRa23-62-61-139deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request21.121.18.2.in-addr.arpaIN PTRResponse21.121.18.2.in-addr.arpaIN PTRa2-18-121-21deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request249.197.17.2.in-addr.arpaIN PTRResponse249.197.17.2.in-addr.arpaIN PTRa2-17-197-249deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTR
-
23.62.61.139:443https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90tls, http21.5kB 6.3kB 17 11
HTTP Request
GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90HTTP Response
200
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
138.32.126.40.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
240.197.17.2.in-addr.arpa
-
142 B 157 B 2 1
DNS Request
43.58.199.20.in-addr.arpa
DNS Request
43.58.199.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
139.61.62.23.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
21.121.18.2.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
249.197.17.2.in-addr.arpa
-
216 B 158 B 3 1
DNS Request
29.243.111.52.in-addr.arpa
DNS Request
29.243.111.52.in-addr.arpa
DNS Request
29.243.111.52.in-addr.arpa