Analysis
max time kernel: 150s
max time network: 146s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 28-05-2024 02:25
Static task: static1
Behavioral task: behavioral1
Sample: 2dd679cfde3da100f00bb847f8f14b00_NeikiAnalytics.dll
Resource: win7-20240221-en
General
Target: 2dd679cfde3da100f00bb847f8f14b00_NeikiAnalytics.dll
Size: 157KB
MD5: 2dd679cfde3da100f00bb847f8f14b00
SHA1: 2c38960b235d278311536ed7d023cbf30e022117
SHA256: 54ca0786d43bab6d703663c08a1cd05af8a44898f1a1b2a8884ea6b65284b880
SHA512: 797680843853477faef775f9d82505d15ff17987f23526b6c7495aca17062dae46a1f7e68af3cb625bb2daa21878ef19632e87b40bbba4bfd1c05bae2e1c82b0
SSDEEP: 3072:IMr6N9WfdNAbxBk69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1G:IMqWfdNANG6yEYZ7DVQgsQLPzo1G
Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
Executes dropped EXE 6 IoCs
pid | Process
1640 | rundll32mgr.exe
2276 | rundll32mgrmgr.exe
2764 | WaterMark.exe
2616 | WaterMarkmgr.exe
1880 | WaterMark.exe
1744 | WaterMark.exe
Loads dropped DLL 12 IoCs
pid | Process
1616 | rundll32.exe
1616 | rundll32.exe
1640 | rundll32mgr.exe
1640 | rundll32mgr.exe
1640 | rundll32mgr.exe
1640 | rundll32mgr.exe
2764 | WaterMark.exe
2764 | WaterMark.exe
2616 | WaterMarkmgr.exe
2616 | WaterMarkmgr.exe
2276 | rundll32mgrmgr.exe
2276 | rundll32mgrmgr.exe
resource | yara_rule
behavioral1/memory/1640-26-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2276-40-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1880-86-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2616-78-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2616-72-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2764-55-0x0000000000120000-0x0000000000143000-memory.dmp | upx
behavioral1/memory/1640-39-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2276-37-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1640-32-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1640-31-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1640-25-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1640-24-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1640-23-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/1744-135-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2764-183-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | rundll32mgr.exe
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
2764 | WaterMark.exe
2764 | WaterMark.exe
1880 | WaterMark.exe
1880 | WaterMark.exe
1880 | WaterMark.exe
2764 | WaterMark.exe
1880 | WaterMark.exe
2764 | WaterMark.exe
1880 | WaterMark.exe
2764 | WaterMark.exe
1880 | WaterMark.exe
2764 | WaterMark.exe
1880 | WaterMark.exe
1880 | WaterMark.exe
2764 | WaterMark.exe
2764 | WaterMark.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1616 | rundll32.exe
Token: SeDebugPrivilege | 2764 | WaterMark.exe
Token: SeDebugPrivilege | 1880 | WaterMark.exe
Token: SeDebugPrivilege | 1468 | svchost.exe
Token: SeDebugPrivilege | 1336 | svchost.exe
Suspicious use of UnmapMainImage 6 IoCs
pid | Process
1640 | rundll32mgr.exe
2276 | rundll32mgrmgr.exe
2616 | WaterMarkmgr.exe
2764 | WaterMark.exe
1880 | WaterMark.exe
1744 | WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dd679cfde3da100f00bb847f8f14b00_NeikiAnalytics.dll,#1
    PID: 2076
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dd679cfde3da100f00bb847f8f14b00_NeikiAnalytics.dll,#1
        PID: 1616
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\rundll32mgr.exe
            Command line: C:\Windows\SysWOW64\rundll32mgr.exe
            PID: 1640
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\rundll32mgrmgr.exe
                Command line: C:\Windows\SysWOW64\rundll32mgrmgr.exe
                PID: 2276
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of UnmapMainImage
                - Suspicious use of WriteProcessMemory

                [5] C:\Program Files (x86)\Microsoft\WaterMark.exe
                    Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                    PID: 1744
                    - Executes dropped EXE
                    - Suspicious use of UnmapMainImage

            [4] C:\Program Files (x86)\Microsoft\WaterMark.exe
                Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                PID: 2764
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of UnmapMainImage
                - Suspicious use of WriteProcessMemory

                [5] C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe
                    Command line: "C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"
                    PID: 2616
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - Suspicious use of UnmapMainImage
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Program Files (x86)\Microsoft\WaterMark.exe
                        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                        PID: 1880
                        - Executes dropped EXE
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of UnmapMainImage
                        - Suspicious use of WriteProcessMemory

                        [7] C:\Windows\SysWOW64\svchost.exe
                            Command line: C:\Windows\system32\svchost.exe
                            PID: 1608
                            - Modifies WinLogon for persistence
                            - Drops file in System32 directory
                            - Drops file in Program Files directory

                        [7] C:\Windows\SysWOW64\svchost.exe
                            Command line: C:\Windows\system32\svchost.exe
                            PID: 1336
                            - Suspicious use of AdjustPrivilegeToken

                [5] C:\Windows\SysWOW64\svchost.exe
                    Command line: C:\Windows\system32\svchost.exe
                    PID: 1520

                [5] C:\Windows\SysWOW64\svchost.exe
                    Command line: C:\Windows\system32\svchost.exe
                    PID: 1468
                    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize: 257KB
MD5: 356571db7e393dbe5e9c628ee43612ab
SHA1: b04771d0317e87b68c5e6171dacaa564f566896a
SHA256: 472212a183c238dfd89e62797af0dff4ffa810f05f6f09979f0fff6f0ef37916
SHA512: 2f7a3d1a0564006fd6702a7f52a8ffb7487aefa41ddb58ac654dc7248e55a4196b71374336bde53dbd1fd13fcbb48b471a07f9460462763455633ef9eda00a26

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize: 253KB
MD5: 208f63874ee14e8d4305561a889eebed
SHA1: c6b5a8a8db953f9d33d5ca873849c6f9a72eeaa1
SHA256: faa12f453b6fb385d6d602d3db121aa10b9f7664fd2a2c403f46087c1ba35a9a
SHA512: d98ae5a611635eb2a0e8c7aa1c129238e703841323580102ac001da3313ee2d91a7b2f959b5146ac8859d5d4de116848d842477dbbf5b0c5c50ac67445b4a9b1

Filesize: 122KB
MD5: c5255edf109342e3e1d1eb0990b2d094
SHA1: ba029b47b9b3a5ccccae3038d90382ec68a1dd44
SHA256: ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5
SHA512: 6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3

Filesize: 59KB
MD5: f2c8b7e238a07cce22920efb1c8645a6
SHA1: cd2af4b30add747e222f938206b78d7730fdf346
SHA256: 6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e
SHA512: c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699