Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 04:31
Static task: static1
Behavioral task: behavioral1
Sample: 667fd5971b9ef1c82d8b8bfd41acdb00_NeikiAnalytics.dll
Resource: win7-20240215-en
General
Target: 667fd5971b9ef1c82d8b8bfd41acdb00_NeikiAnalytics.dll
Size: 193KB
MD5: 667fd5971b9ef1c82d8b8bfd41acdb00
SHA1: bde7fd3cb2f21956ce94704909012b88ec65192d
SHA256: 7bcf78a0c36d5179dabd907f395a7b2ce9d2e4edae9a31963db2804ba7c54f5c
SHA512: d4edd5cb34dbd40d1282d7d06aef15026c9c40a7fad3f168d1371b6be6628cf77d5f61f3aaf890de0ad18577bde6fad0e2e24685f8c8bb533bf368b4040f9b16
SSDEEP: 3072:kMr6N9WfdNAbxBU8jmXrJnEZ4y3wBDkoMxGW:kMqWfdNANbonKaBDYr
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
- Executes dropped EXE (2 IoCs)
  Processes: rundll32mgr.exe, WaterMark.exe
  pid | process
  2220 | rundll32mgr.exe
  2632 | WaterMark.exe
- Loads dropped DLL (4 IoCs)
  Processes: rundll32.exe, rundll32mgr.exe
  pid | process
  2388 | rundll32.exe
  2388 | rundll32.exe
  2220 | rundll32mgr.exe
  2220 | rundll32mgr.exe
- YARA rule match (11 IoCs)
  resource | yara_rule
  behavioral1/memory/2220-16-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2220-19-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2220-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2220-24-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2220-21-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2220-20-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2220-18-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2632-43-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2632-99-0x0000000000400000-0x0000000000430000-memory.dmp | upx
  behavioral1/memory/2632-100-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2632-101-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- Drops file in System32 directory (3 IoCs)
  Processes: rundll32.exe, svchost.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: svchost.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: WaterMark.exe
  pid | process
  2632 | WaterMark.exe (8 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: rundll32.exe, WaterMark.exe, svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 2388 | rundll32.exe
  Token: SeDebugPrivilege | 2632 | WaterMark.exe
  Token: SeDebugPrivilege | 2844 | svchost.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes: rundll32mgr.exe, WaterMark.exe
  pid | process
  2220 | rundll32mgr.exe
  2632 | WaterMark.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes: rundll32.exe, rundll32.exe, rundll32mgr.exe, WaterMark.exe
  description | pid | process | target process
  PID 2204 wrote to memory of 2388 | 2204 | rundll32.exe | rundll32.exe (7 occurrences)
  PID 2388 wrote to memory of 2220 | 2388 | rundll32.exe | rundll32mgr.exe (4 occurrences)
  PID 2220 wrote to memory of 2632 | 2220 | rundll32mgr.exe | WaterMark.exe (4 occurrences)
  PID 2632 wrote to memory of 2872 | 2632 | WaterMark.exe | svchost.exe (10 occurrences)
  PID 2632 wrote to memory of 2844 | 2632 | WaterMark.exe | svchost.exe (10 occurrences)
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\667fd5971b9ef1c82d8b8bfd41acdb00_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\667fd5971b9ef1c82d8b8bfd41acdb00_NeikiAnalytics.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          - Modifies WinLogon for persistence
          - Drops file in System32 directory
          - Drops file in Program Files directory
        C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 328KB
  MD5: c83dc1ee4c67b3264929ac2c92e45c80
  SHA1: 3921b22c52799350946258d31ecec535602837a9
  SHA256: 0492c321cc4b1dd2b6fdabc8db5a72c95e6a5847a1d7d1d62512913008e86ada
  SHA512: 99e2e2ccb821883d360390e83b03d0d01f062ff7c78780aebb272769b511aa888ce4088f1e668935352d4db060cd3d43160f44ebd226b7f66c22393a5e6f2c81
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 324KB
  MD5: 42d61bb3f48c12f797e9fbd35e27725b
  SHA1: 92a691f3cb678c4ec134a2b2af1103957a6532b2
  SHA256: 3175aed14699ea12b7cd54441e619fb4cf65520a457666759d58b8c4c83caa43
  SHA512: 4859cd7a91d6a3aa81a234ceeeb627505cc6f0e297537028547fd5c2bbbea0b9cbc481a44b00747c8981bb3a7b5d64b169d9ab828dae5cae3cde7dc4c7bf4494
- \Windows\SysWOW64\rundll32mgr.exe
  Filesize: 157KB
  MD5: 06aeaec1acdb69f70a7f3dcb3d1125f8
  SHA1: 80296aa67909277501c2ba3987cc86e214e710c6
  SHA256: fdb9a526885658e9610095a638d6c2df8287cddb8b48b3f0fe938e0630656424
  SHA512: 5eabd6d618e49198146010a2128ab89c5e9715e5f5492360f9ed2136c7f160886bcd1c63414cde09d65f0cfa6abc7aad0cc9414f7f309bf0fd60d53371a9e418