Analysis
- max time kernel: 150s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 04:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8dd40365e845f07a0b429e634a4090c0_NeikiAnalytics.dll
- Resource: win7-20240508-en
General
- Target: 8dd40365e845f07a0b429e634a4090c0_NeikiAnalytics.dll
- Size: 896KB
- MD5: 8dd40365e845f07a0b429e634a4090c0
- SHA1: 9687bf0672114bf599cfb01e76cf88aa9c80a8e1
- SHA256: 5afb1c3c0f4be11c4901a5654cace6795baf1cee126a154ebdd1d5729a6ee33e
- SHA512: 0ac6c8b04acf4023b85aebd7018336904c6fbf93d565d60c21a3aee32d56a55b4f693eda3df0643cb2301ef5b08b4a92639a8a1a5831dfc40d6261889051e6de
- SSDEEP: 12288:dGVNJAvuPFUl/faxGVlBLXKCgFfEK7JRLeHlX//ve7:g3JAvRl/fKwKCgFfx4P/va
Malware Config
Signatures
- YARA rule match: behavioral2/memory/3456-5-0x0000000002830000-0x0000000002831000-memory.dmp matched rule dridex_stager_shellcode
- Drops startup file (3 IoCs):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\PV2
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\PV2\DUI70.dll
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\PV2\phoneactivate.exe
- Executes dropped EXE (3 IoCs): PID 440 PasswordOnWakeSettingFlyout.exe, PID 1520 isoburn.exe, PID 3836 phoneactivate.exe
- Loads dropped DLL (3 IoCs): PID 440 PasswordOnWakeSettingFlyout.exe, PID 1520 isoburn.exe, PID 3836 phoneactivate.exe
- Adds Run key to start application (2 TTPs, 1 IoC):
  - Set value (str): \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ovnmkkvrgnxhq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\cpNT1Z\\isoburn.exe"
- Checks whether UAC is enabled: key value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA queried by PasswordOnWakeSettingFlyout.exe, isoburn.exe, phoneactivate.exe and rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs): PID 1448 rundll32.exe (4 events), PID 3456 (60 events, no image name recorded)
- Suspicious behavior: GetForegroundWindowSpam (5 IoCs): PID 1448 rundll32.exe, PID 3456, PID 440 PasswordOnWakeSettingFlyout.exe, PID 1520 isoburn.exe, PID 3836 phoneactivate.exe
- Suspicious use of UnmapMainImage (1 IoC): PID 3456
- Suspicious use of WriteProcessMemory (12 IoCs): PID 3456 wrote to the memory of PID 2248 and PID 440 (PasswordOnWakeSettingFlyout.exe), PID 4512 and PID 1520 (isoburn.exe), and PID 1328 and PID 3836 (phoneactivate.exe), two write events per target
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe (PID 1448)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dd40365e845f07a0b429e634a4090c0_NeikiAnalytics.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\PasswordOnWakeSettingFlyout.exe (PID 2248)
  Command line: C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
- C:\Users\Admin\AppData\Local\MNwZ\PasswordOnWakeSettingFlyout.exe (PID 440)
  Command line: C:\Users\Admin\AppData\Local\MNwZ\PasswordOnWakeSettingFlyout.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\isoburn.exe (PID 4512)
  Command line: C:\Windows\system32\isoburn.exe
- C:\Users\Admin\AppData\Local\STnIjn\isoburn.exe (PID 1520)
  Command line: C:\Users\Admin\AppData\Local\STnIjn\isoburn.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
- C:\Windows\system32\phoneactivate.exe (PID 1328)
  Command line: C:\Windows\system32\phoneactivate.exe
- C:\Users\Admin\AppData\Local\IHuc1\phoneactivate.exe (PID 3836)
  Command line: C:\Users\Admin\AppData\Local\IHuc1\phoneactivate.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\IHuc1\DUI70.dll (1.1MB)
  MD5: d84cc90c26a9182f578d9177ed71ea51
  SHA1: ff5a4bda5bf4f2e36cb4d1867cfc3bc090c7a301
  SHA256: 3af604ab59f54691b788f8990edecfec26f0e814359e749d37694f547e1bd168
  SHA512: 5107583b8401a7c32c38e60b1fd828aaa750159fafb8b9595126ec5bef3fc6e9c5a6b1a2aa02783f68b67202122cc5ee0a59ad33cebe6e72a404ff6c560351d0
- C:\Users\Admin\AppData\Local\IHuc1\phoneactivate.exe (107KB)
  MD5: 32c31f06e0b68f349f68afdd08e45f3d
  SHA1: e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c
  SHA256: cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017
  SHA512: fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26
- C:\Users\Admin\AppData\Local\MNwZ\DUI70.dll (1.1MB)
  MD5: db5db1938f5b91bf6865c7b1aa5c5b4c
  SHA1: 38ed99f7699c1c201dd1366971fa0e5056f5f5c7
  SHA256: 692e8f2738ea4363f77beb79afa7da4c1554e587ab97e5bf7b65a9f04cc965e5
  SHA512: a320a43c8c3fee8c869f3a4f808a7f61d418079703d3e3a5b0049500a8d7d6742a5bdfc2b9d762a3ff53f09a5ba8afedbc2243eb9a3966e730eb04c734fbd5d7
- C:\Users\Admin\AppData\Local\MNwZ\PasswordOnWakeSettingFlyout.exe (44KB)
  MD5: 591a98c65f624c52882c2b238d6cd4c4
  SHA1: c960d08c19d777069cf265dcc281807fbd8502d7
  SHA256: 5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06
  SHA512: 1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074
- C:\Users\Admin\AppData\Local\STnIjn\UxTheme.dll (900KB)
  MD5: 60ac3dccd77721a3eb313d531eb12abb
  SHA1: 401f4da8c97d70e8225a53f73ed6aeb949e59da4
  SHA256: 335681686434b38e4298fbea1b50fdd56b9df25cf9b1a369dbb47b87fa5c668c
  SHA512: 1e6a629c2fc3ec86ba43c8e813fe86a1259aa45e6d025041cf805c7a3716f0183dce3d8e301464048bc79106810f0c1328b7b41943a3aaaaa651abadb5855373
- C:\Users\Admin\AppData\Local\STnIjn\isoburn.exe (119KB)
  MD5: 68078583d028a4873399ae7f25f64bad
  SHA1: a3c928fe57856a10aed7fee17670627fe663e6fe
  SHA256: 9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567
  SHA512: 25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1
- C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ymfrpxarx.lnk (1KB)
  MD5: ebdcc564b451e9762619b091b6e08ade
  SHA1: a70203a5ee6d25fd9d18c392e158613f882b50ce
  SHA256: d595491148dd8e50b434bbcafb8706d60a3f9c9968be9134d6d9ed7a946c722a
  SHA512: 439a72ca0512e25f0b3f7d49f3d6ad87db2e417499f0b8f6760451bee4da5077bdbdfa101a31e316035645c8120c6d12ca90f21b7ac0b9ea0f3d3bf1b84235de