Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 01:43

Static task: static1
Behavioral task: behavioral1
- Sample: 71ec4ee6489f11b90aff02b4f8ff5640_NeikiAnalytics.dll
- Resource: win7-20240419-en
General
- Target: 71ec4ee6489f11b90aff02b4f8ff5640_NeikiAnalytics.dll
- Size: 157KB
- MD5: 71ec4ee6489f11b90aff02b4f8ff5640
- SHA1: c5d2cdc654c542233726d96371ee818be20da7d8
- SHA256: 27e6e398dbcc7b229af5d505fbca7ce3e2c14386dd7128ff11dda99b53f66cf9
- SHA512: aade0187e380f12f21462b20f90d3e96f15dc6bd8de1392d422ef4542f0a61ffecd738d77a86f47d8c772129614724220cb704ad9cbfd152f3d603f765456f5d
- SSDEEP: 3072:IMr6N9WfdNAbxBU69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1r:IMqWfdNANO6yEYZ7DVQgsQLPzo1r
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" (process: svchost.exe)
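A check for this persistence value, added here as an illustration and not part of the sandbox report or of any vendor tooling. It parses a Winlogon\Userinit string the way Winlogon does (a comma-separated program list), flags every program other than userinit.exe, notes when userinit.exe itself has lost its full System32 path, and on a Windows host reads the live value from both the native and the Wow6432Node registry views. The report shows the write landing under Wow6432Node because the writer is the 32-bit SysWOW64\svchost.exe on an x64 guest, so an audit that reads only one view can miss it. REPORTED_VALUE is taken from the IoC above; the stock default value and the audit rules are this example's assumptions.

```python
import ntpath

# Value observed in the report above (written under the Wow6432Node view by the 32-bit svchost.exe).
REPORTED_VALUE = r"userinit.exe,c:\program files (x86)\microsoft\watermark.exe"
# Stock value on a clean Windows 7 install, trailing comma included (assumption of this example).
DEFAULT_VALUE = r"C:\Windows\system32\userinit.exe,"

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Split the comma-separated Userinit list into its program entries, dropping empties and quotes."""
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def audit_userinit(value):
    """Return (extra_programs, relative_userinit).

    extra_programs: entries whose file name is not userinit.exe; each one is an extra
    program Winlogon launches at every interactive logon.
    relative_userinit: True when userinit.exe is listed without its System32 path,
    a weaker deviation from the default that malware often leaves behind when it
    rewrites the value (the reported value above does exactly that).
    """
    extra, relative = [], False
    for entry in parse_userinit(value):
        if ntpath.basename(entry).lower() != "userinit.exe":
            extra.append(entry)
        elif not ntpath.dirname(entry):
            relative = True
    return extra, relative


def read_live_values():
    """Read Userinit from both the 64-bit and the WOW64 (32-bit) registry views.

    Only runs on Windows; returns {} elsewhere. A 32-bit writer on x64 lands in the
    Wow6432Node view, as in the report, so both views are checked.
    """
    try:
        import winreg
    except ImportError:
        return {}
    views = {"native": winreg.KEY_WOW64_64KEY, "wow6432": winreg.KEY_WOW64_32KEY}
    found = {}
    for label, flag in views.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, winreg.KEY_READ | flag) as key:
                found[label] = winreg.QueryValueEx(key, "Userinit")[0]
        except OSError:
            pass
    return found


if __name__ == "__main__":
    samples = {"reported": REPORTED_VALUE, "default": DEFAULT_VALUE}
    samples.update(read_live_values())
    for label, value in samples.items():
        extra, relative = audit_userinit(value)
        print(f"{label:>8}: {value!r}")
        for program in extra:
            print(f"          extra logon program: {program}")
        if relative:
            print("          userinit.exe listed without its System32 path")
```

Run against the reported value the audit returns the WaterMark.exe entry as an extra logon program and notes the relative userinit.exe; against the stock value it returns nothing. Any hit on a production host should be paired with the "Executes dropped EXE" path check, because the listed program is what Winlogon will run under the logging-on user's token.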
Executes dropped EXE (4 IoCs)
- PID 2176  rundll32mgr.exe
- PID 2648  rundll32mgrmgr.exe
- PID 2920  WaterMark.exe
- PID 2680  WaterMark.exe
Loads dropped DLL (8 IoCs)
- PID 3036  rundll32.exe (2 loads)
- PID 2176  rundll32mgr.exe (4 loads)
- PID 2648  rundll32mgrmgr.exe (2 loads)
YARA rule hits: upx (13 IoCs, all in behavioral1 memory dumps; every hit is the process's main image region at 0x400000)
- PID 2176  rundll32mgr.exe
  - behavioral1/memory/2176-22-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2176-23-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2176-24-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2176-25-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2176-40-0x0000000000400000-0x0000000000421000-memory.dmp
- PID 2648  rundll32mgrmgr.exe
  - behavioral1/memory/2648-31-0x0000000000400000-0x0000000000423000-memory.dmp
  - behavioral1/memory/2648-33-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2648-34-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2648-39-0x0000000000400000-0x0000000000421000-memory.dmp
- PID 2920  WaterMark.exe
  - behavioral1/memory/2920-61-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2920-151-0x0000000000400000-0x0000000000421000-memory.dmp
- PID 2680  WaterMark.exe
  - behavioral1/memory/2680-68-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2680-153-0x0000000000400000-0x0000000000421000-memory.dmp
Drops file in System32 directory (4 IoCs)
- File created: C:\Windows\SysWOW64\rundll32mgr.exe (process: rundll32.exe)
- File created: C:\Windows\SysWOW64\rundll32mgrmgr.exe (process: rundll32mgr.exe)
- File created: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by svchost.exe (the injected PID 2536 in the process tree). The targets are executables, DLLs and HTML files belonging to every installed application, not files the sample dropped itself, which is what a file infector looks like in a sandbox; treat these files as tampered rather than as benign collateral.
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Utilities.v3.5.resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll
- C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_copy_plugin.dll
- C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html
- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll
- C:\Program Files\Java\jre7\bin\ssv.dll
- C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\access\libdtv_plugin.dll
- C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll
- C:\Program Files\Java\jre7\bin\javacpl.exe
- C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_flac_plugin.dll
- C:\Program Files\Windows Journal\Journal.exe
- C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm
- C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll
- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEWSS.DLL
- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\IACOM2.DLL
- C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll
- C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll
- C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
- C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll
- C:\Program Files\VideoLAN\VLC\plugins\demux\libmpgv_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll
- C:\Program Files (x86)\Common Files\microsoft shared\ink\journal.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
- C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
- C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html
- C:\Program Files\Java\jre7\bin\net.dll
- C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll
- C:\Program Files\Internet Explorer\ieproxy.dll
- C:\Program Files (x86)\Common Files\microsoft shared\ink\pencht.dll
- C:\Program Files\VideoLAN\VLC\plugins\control\libntservice_plugin.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Design.resources.dll
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll
- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_XPS.DLL
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.dll
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll
- C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.dll
- C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll
- C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll
- C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll
Suspicious behavior: EnumeratesProcesses (16 IoCs)
- PID 2920  WaterMark.exe (8 occurrences)
- PID 2680  WaterMark.exe (8 occurrences)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege  PID 3036  rundll32.exe
- Token: SeDebugPrivilege  PID 2920  WaterMark.exe
- Token: SeDebugPrivilege  PID 2680  WaterMark.exe
- Token: SeDebugPrivilege  PID 2168  svchost.exe
- Token: SeDebugPrivilege  PID 2332  svchost.exe
Suspicious use of UnmapMainImage (4 IoCs)
- PID 2176  rundll32mgr.exe
- PID 2648  rundll32mgrmgr.exe
- PID 2920  WaterMark.exe
- PID 2680  WaterMark.exe
Suspicious use of WriteProcessMemory (63 IoCs; grouped by writer and target, procid_target is the report's own process index)
- PID 2976 rundll32.exe wrote to memory of PID 3036 (procid_target 28): 7 times
- PID 3036 rundll32.exe wrote to memory of PID 2176 (procid_target 29): 4 times
- PID 2176 rundll32mgr.exe wrote to memory of PID 2648 (procid_target 30): 4 times
- PID 2176 rundll32mgr.exe wrote to memory of PID 2920 (procid_target 31): 4 times
- PID 2648 rundll32mgrmgr.exe wrote to memory of PID 2680 (procid_target 32): 4 times
- PID 2920 WaterMark.exe wrote to memory of PID 2536 (procid_target 33): 10 times
- PID 2680 WaterMark.exe wrote to memory of PID 1840 (procid_target 34): 10 times
- PID 2920 WaterMark.exe wrote to memory of PID 2168 (procid_target 35): 10 times
- PID 2680 WaterMark.exe wrote to memory of PID 2332 (procid_target 36): 10 times
Processes (indentation shows parent and child; the leading number is the report's own depth)

1  C:\Windows\system32\rundll32.exe
   cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71ec4ee6489f11b90aff02b4f8ff5640_NeikiAnalytics.dll,#1
   PID 2976
   - Suspicious use of WriteProcessMemory

  2  C:\Windows\SysWOW64\rundll32.exe
     cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71ec4ee6489f11b90aff02b4f8ff5640_NeikiAnalytics.dll,#1
     PID 3036
     - Loads dropped DLL
     - Drops file in System32 directory
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\SysWOW64\rundll32mgr.exe
       cmdline: C:\Windows\SysWOW64\rundll32mgr.exe
       PID 2176
       - Executes dropped EXE
       - Loads dropped DLL
       - Drops file in System32 directory
       - Suspicious use of UnmapMainImage
       - Suspicious use of WriteProcessMemory

      4  C:\Windows\SysWOW64\rundll32mgrmgr.exe
         cmdline: C:\Windows\SysWOW64\rundll32mgrmgr.exe
         PID 2648
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of UnmapMainImage
         - Suspicious use of WriteProcessMemory

        5  C:\Program Files (x86)\Microsoft\WaterMark.exe
           cmdline: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
           PID 2680
           - Executes dropped EXE
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of UnmapMainImage
           - Suspicious use of WriteProcessMemory

          6  C:\Windows\SysWOW64\svchost.exe
             cmdline: C:\Windows\system32\svchost.exe
             PID 1840

          6  C:\Windows\SysWOW64\svchost.exe
             cmdline: C:\Windows\system32\svchost.exe
             PID 2332
             - Suspicious use of AdjustPrivilegeToken

      4  C:\Program Files (x86)\Microsoft\WaterMark.exe
         cmdline: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
         PID 2920
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of UnmapMainImage
         - Suspicious use of WriteProcessMemory

        5  C:\Windows\SysWOW64\svchost.exe
           cmdline: C:\Windows\system32\svchost.exe
           PID 2536
           - Modifies WinLogon for persistence
           - Drops file in System32 directory
           - Drops file in Program Files directory

        5  C:\Windows\SysWOW64\svchost.exe
           cmdline: C:\Windows\system32\svchost.exe
           PID 2168
           - Suspicious use of AdjustPrivilegeToken

Note on the svchost.exe children: their command line names C:\Windows\system32\svchost.exe but the image that runs is C:\Windows\SysWOW64\svchost.exe. The 32-bit WaterMark.exe parent's reference to system32 is redirected by WOW64 file-system redirection, and the same redirection is why the Winlogon write above lands under Wow6432Node. The copies of svchost.exe here are not service hosts started by services.exe; they are fresh processes that the WaterMark.exe parents write into (see WriteProcessMemory), and PID 2536 is the process that performs the persistence change and the Program Files modifications.
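The lineage above as a detection exercise, added here as a constructed example and not part of the report or of any vendor's rule set. The process-creation events are transcribed from the tree and the file-creation events from the "Drops file in System32 directory" signature into a Sysmon-like shape; the function then flags three things a detection rule would key on: svchost.exe with a parent other than services.exe, an image that an earlier event shows being written to disk by another process in the same data set, and rundll32.exe spawning anything other than its own 32-bit relaunch. The root rundll32.exe's parent PID (1000) and the benign services.exe baseline are made up for the example; every other PID and path is from the report.

```python
import ntpath

# Constructed Sysmon-style process-creation events transcribed from the process tree above.
# The root's parent PID (1000) is made up; the report does not show it.
PROCESS_EVENTS = [
    {"pid": 2976, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe"},
    {"pid": 3036, "ppid": 2976, "image": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"pid": 2176, "ppid": 3036, "image": r"C:\Windows\SysWOW64\rundll32mgr.exe"},
    {"pid": 2648, "ppid": 2176, "image": r"C:\Windows\SysWOW64\rundll32mgrmgr.exe"},
    {"pid": 2680, "ppid": 2648, "image": r"C:\Program Files (x86)\Microsoft\WaterMark.exe"},
    {"pid": 1840, "ppid": 2680, "image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 2332, "ppid": 2680, "image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 2920, "ppid": 2176, "image": r"C:\Program Files (x86)\Microsoft\WaterMark.exe"},
    {"pid": 2536, "ppid": 2920, "image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 2168, "ppid": 2920, "image": r"C:\Windows\SysWOW64\svchost.exe"},
]

# File-creation events from the "Drops file in System32 directory" signature above.
FILE_CREATE_EVENTS = [
    {"pid": 3036, "target": r"C:\Windows\SysWOW64\rundll32mgr.exe"},
    {"pid": 2176, "target": r"C:\Windows\SysWOW64\rundll32mgrmgr.exe"},
]

# Constructed benign baseline: services.exe launching svchost.exe must not alert.
BENIGN_EVENTS = [
    {"pid": 500, "ppid": 450, "image": r"C:\Windows\system32\services.exe"},
    {"pid": 700, "ppid": 500, "image": r"C:\Windows\system32\svchost.exe"},
]


def _name(path):
    """Case-folded file name, so system32 and SysWOW64 copies compare equal."""
    return ntpath.basename(path).lower()


def lineage_findings(process_events, file_create_events=()):
    """Return (rule, pid, detail) tuples for suspicious parent/child relationships."""
    by_pid = {e["pid"]: e for e in process_events}
    created_by = {e["target"].lower(): e["pid"] for e in file_create_events}
    findings = []
    for e in process_events:
        parent = by_pid.get(e["ppid"])
        parent_name = _name(parent["image"]) if parent else None
        name = _name(e["image"])
        # svchost.exe is normally started by services.exe only (rare legitimate exceptions exist).
        if name == "svchost.exe" and parent_name != "services.exe":
            findings.append(("svchost_unusual_parent", e["pid"], parent_name))
        # an image that another process in this data set wrote to disk before it ran
        if e["image"].lower() in created_by:
            findings.append(("dropped_then_executed", e["pid"], created_by[e["image"].lower()]))
        # rundll32 spawning anything except its own 32-bit relaunch of the same DLL
        if parent_name == "rundll32.exe" and name != "rundll32.exe":
            findings.append(("rundll32_spawns_child", e["pid"], name))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in lineage_findings(PROCESS_EVENTS, FILE_CREATE_EVENTS):
        print(f"{rule:<24} pid={pid:<5} {detail}")
    print("benign baseline findings:", lineage_findings(BENIGN_EVENTS))
```

On the report's events this yields seven findings: both dropped binaries (2176 and 2648) flagged as dropped-then-executed, 2176 flagged as a non-rundll32 child of rundll32.exe, and all four svchost.exe instances flagged for having WaterMark.exe as parent; the baseline yields none. The svchost parent rule is the one with false-positive risk on real hosts, so tune it with an allow-list of observed parents rather than dropping it.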
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 132KB
  MD5: f5ddccb93fad9297315ecf4e8c417d75
  SHA1: 176684aaf0f091d7ea485506959a7051182acb79
  SHA256: 65583ac321c8444b23d7cc1d416ad218ca154822b9e0ad956d0cf4e53d088fec
  SHA512: ebed8df43eddd56a8b3b3f3128745c4c6359c44342774b184ff35c3ea25b1b07a391cf5d414614aad9ebcbfc08387f6ff92977fb959a1592d7a6d0ebb4e9ccc6
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 128KB
  MD5: ecd5e84257c8748ccaf49a6709960d29
  SHA1: 48e7d3d7ed67edffd837c247e830006d1afde4d2
  SHA256: 62280d339b9345bc8c5eb9c7ebc64f8da8ca50b2891ab8e24688fa7b238ecff4
  SHA512: bb34f0cc5d37000c0cbae7d3514376609405770cdd3b2f3316ba34e9746d217039d278e223a799a3d2efdb325366c152634a2838d832faec7f94eae3caa8d767
- (path not given on the page)
  Filesize: 59KB
  MD5: f2c8b7e238a07cce22920efb1c8645a6
  SHA1: cd2af4b30add747e222f938206b78d7730fdf346
  SHA256: 6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e
  SHA512: c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699
- (path not given on the page)
  Filesize: 122KB
  MD5: c5255edf109342e3e1d1eb0990b2d094
  SHA1: ba029b47b9b3a5ccccae3038d90382ec68a1dd44
  SHA256: ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5
  SHA512: 6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3