Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
16-05-2024 17:59
Static task
static1
Behavioral task
behavioral1
Sample
071fe5a38335e876bb295ab2f007eb50_NeikiAnalytics.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
071fe5a38335e876bb295ab2f007eb50_NeikiAnalytics.dll
Resource
win10v2004-20240508-en
General
-
Target
071fe5a38335e876bb295ab2f007eb50_NeikiAnalytics.dll
-
Size
5.0MB
-
MD5
071fe5a38335e876bb295ab2f007eb50
-
SHA1
a3f943f4506d2447cc9cd7d8d88f101e76a922f8
-
SHA256
fd5ab701cb78cfde475a5265ccc2019eb6cf107e9728934bf546ded031f3facd
-
SHA512
1ff969e135aa19bd8e5a6e3f428cc9ef5e029f9d3eff306db2db8b410fe7f74176812f19426cc67f3c4c50aeaddaad8aade52bdc5e0375a7ae8b8f93ebaf11b0
-
SSDEEP
49152:pnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:9DqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
mssecsvc.exepid process 2516 mssecsvc.exe -
Drops file in Windows directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 688 2516 WerFault.exe mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4356 wrote to memory of 3508 4356 rundll32.exe rundll32.exe PID 4356 wrote to memory of 3508 4356 rundll32.exe rundll32.exe PID 4356 wrote to memory of 3508 4356 rundll32.exe rundll32.exe PID 3508 wrote to memory of 2516 3508 rundll32.exe mssecsvc.exe PID 3508 wrote to memory of 2516 3508 rundll32.exe mssecsvc.exe PID 3508 wrote to memory of 2516 3508 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\071fe5a38335e876bb295ab2f007eb50_NeikiAnalytics.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\071fe5a38335e876bb295ab2f007eb50_NeikiAnalytics.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 2724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2516 -ip 25161⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD55ff5116e856c6a3f16f562c4dbd890d7
SHA17064ff9cf384d4555b2e69a8137b5075c9b774c3
SHA2564a6ba74b0c0db6f07800bfad1c9ad28891909c991935c2d98287057569712054
SHA512d4e9813fa0438a7247080736acd63b6b5292fbecec2ada2b595a2f2700955d9f77b61927893895f55710731df7f12d83443b23df07f86cf8c5481d8fde4cad43
-
memory/2516-4-0x0000000000400000-0x0000000000A70000-memory.dmpFilesize
6.4MB
-
memory/2516-5-0x0000000000400000-0x0000000000A70000-memory.dmpFilesize
6.4MB