Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 06:18
Static task: static1
Behavioral task: behavioral1
Sample: 7ae73e937719ef5543838d19cb2cb410_NeikiAnalytics.dll
Resource: win7-20240221-en
General
Target: 7ae73e937719ef5543838d19cb2cb410_NeikiAnalytics.dll
Size: 101KB
MD5: 7ae73e937719ef5543838d19cb2cb410
SHA1: 8b9f2a12ff21b8083fd54a88f1225b451aca9cbd
SHA256: 46fccb29f5b11a1f24ccaddbf434e82258e58637b26cc7d6c7da39e1cb348ac7
SHA512: bdaabefaa3e2e57d15e3395c93d0ce451f4f3b1fdcc3cedf5d6b45747476c227ac0c75a00f09d1fe8dc4df6263aa92dd66fe9d51a19b689eb7d2f35a1fd8155f
SSDEEP: 1536:hcMr6N99X0fdNAbxBEA0HoHuqmCbEVwh4hlp1KB3yvi94MOXX9Wo/n:2Mr6N9WfdNAbxBEAZHglVwEDnvG/OcQn
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
- Executes dropped EXE (2 IoCs)
  Processes: rundll32mgr.exe, WaterMark.exe
  pid | process
  1456 | rundll32mgr.exe
  2108 | WaterMark.exe
- Loads dropped DLL (4 IoCs)
  Processes: rundll32.exe, rundll32mgr.exe
  pid | process
  2768 | rundll32.exe
  2768 | rundll32.exe
  1456 | rundll32mgr.exe
  1456 | rundll32mgr.exe
- Processes:
  resource | yara_rule
  behavioral1/memory/1456-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2108-24-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2108-26-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2108-72-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2108-73-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- Drops file in System32 directory (3 IoCs)
  Processes: rundll32.exe, svchost.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: svchost.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: WaterMark.exe
  pid | process
  2108 | WaterMark.exe
  2108 | WaterMark.exe
  2108 | WaterMark.exe
  2108 | WaterMark.exe
  2108 | WaterMark.exe
  2108 | WaterMark.exe
  2108 | WaterMark.exe
  2108 | WaterMark.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: rundll32.exe, WaterMark.exe, svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 2768 | rundll32.exe
  Token: SeDebugPrivilege | 2108 | WaterMark.exe
  Token: SeDebugPrivilege | 1000 | svchost.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes: rundll32.exe, rundll32.exe, rundll32mgr.exe, WaterMark.exe
Processes
[1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ae73e937719ef5543838d19cb2cb410_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ae73e937719ef5543838d19cb2cb410_NeikiAnalytics.dll,#1
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32mgr.exe
        command line: C:\Windows\SysWOW64\rundll32mgr.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\WaterMark.exe
          command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            - Modifies WinLogon for persistence
            - Drops file in System32 directory
            - Drops file in Program Files directory
        [5] C:\Windows\SysWOW64\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 144KB
  MD5: bd2ed41c14b95324bd16cb3a96f8ea9c
  SHA1: 87734d27d4834b26e47a0fca77056f32f8872767
  SHA256: e70daaca6873f0cfa4bbf8208b68db83ed97738a895c64a78cd8ab3c54535292
  SHA512: e799cc32afd82f5064ebef02e3ae8ff853eb41eadab5120e66c675140e4562e70121904e16c0013e94cb391fe3ee06d42fbc694558fbbb3625f70acf32527381
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 140KB
  MD5: d7192b5888e68eec487c21fff1caeb3f
  SHA1: c2902a49d991dad92c3d9d1af13afc375019214f
  SHA256: 4b44e6b9128216f94812b512560f3f2879f7c94f9f90b271a8e8333dd5a2fe91
  SHA512: d67827de575fb0171b7b3cfe71e01c621c6a8415a852696d3342b79e1052c8c5ce5b1227510cb851fe400b344f85e8c802a7b8ac098f2ff04719640d9576e973
- \Windows\SysWOW64\rundll32mgr.exe
  Filesize: 65KB
  MD5: 849ef19ec0155d79d4fa5bfb5657b106
  SHA1: eb7e7ff208ecb40d35755d8f36e31e2482166299
  SHA256: 8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04
  SHA512: 30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2