Analysis
- max time kernel: 142s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-05-2024 14:00
Behavioral task: behavioral1
- Sample: 11324f2ad46c27faba16aca96f4aba50_NeikiAnalytics.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 11324f2ad46c27faba16aca96f4aba50_NeikiAnalytics.dll
- Resource: win10v2004-20240226-en
General
- Target: 11324f2ad46c27faba16aca96f4aba50_NeikiAnalytics.dll
- Size: 76KB
- MD5: 11324f2ad46c27faba16aca96f4aba50
- SHA1: 23f4301e90a69222ca4db2416b5e83b37cfa436a
- SHA256: 9d9eff6b06b3056d84e8ecd9272c7172fcce3bcdd7b8cb0bfea6df7572da65a0
- SHA512: 182b63e9fdf612367e1a1f004731c07b51f048d7f66a35020fddc9722864b6c5e8f8a3f462de17b924ae6cb39c3ebb1b2ed752a7ce621c46add71b82b86537c8
- SSDEEP: 1536:BZZZZZZZZZZZZJOEDlwYSMQsGHxg0TS+XKaeMqqU+2bbbAV2/S2TrKUD:zlZHQsozTS+neMqqDL2/TrK
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: rundll32.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrfrxrrknjh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\bhlcnx.exe\""
    process: rundll32.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid: 2656
    pid_target: 5004
    process: WerFault.exe
    target process: rundll32.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: rundll32.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: rundll32.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: rundll32.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: rundll32.exe
    pid 5004, process rundll32.exe
    pid 5004, process rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
    description: PID 412 wrote to memory of 5004; pid 412; process rundll32.exe; target process rundll32.exe
    description: PID 412 wrote to memory of 5004; pid 412; process rundll32.exe; target process rundll32.exe
    description: PID 412 wrote to memory of 5004; pid 412; process rundll32.exe; target process rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\11324f2ad46c27faba16aca96f4aba50_NeikiAnalytics.dll,#1
  PID: 412
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\11324f2ad46c27faba16aca96f4aba50_NeikiAnalytics.dll,#1
    PID: 5004
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 624
      PID: 2656
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5004 -ip 5004
  PID: 4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
  PID: 1232