Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 04:22
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 76e8232052319e0e71c7a5eb1a3131d0_NeikiAnalytics.dll
  - Resource: win7-20240221-en
General
- Target: 76e8232052319e0e71c7a5eb1a3131d0_NeikiAnalytics.dll
- Size: 101KB
- MD5: 76e8232052319e0e71c7a5eb1a3131d0
- SHA1: 75ff32747108e372029514b3ab47750c10a431e2
- SHA256: fd1163d790ca745dd7c735282097581a7d76514f4c97925ad99dec624f1076f1
- SHA512: 6d4f8447b2295584cbf068218414e5c2ffa91e3edbd63ac99a5baa2cb00dd3f70e4a4486d9bf365a196d9ba2abd94788248c0ccee2bc6fc53558f4221c1aa2ae
- SSDEEP: 3072:2Mr6N9WfdNAbxBMx49a+Yii3FnkvY11o4:2MqWfdNAN19a+YB7X/
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" (process: svchost.exe)
- Executes dropped EXE (2 IoCs)
  - PID 2228 rundll32mgr.exe
  - PID 2188 WaterMark.exe
- Loads dropped DLL (4 IoCs)
  - PID 2248 rundll32.exe (2 entries)
  - PID 2228 rundll32mgr.exe (2 entries)
- YARA rule upx matched on memory dumps (6 IoCs)
  - behavioral1/memory/2228-13-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2188-26-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2188-25-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2188-28-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2188-74-0x0000000000400000-0x0000000000421000-memory.dmp
  - behavioral1/memory/2188-75-0x0000000000400000-0x0000000000421000-memory.dmp
- Drops file in System32 directory (3 IoCs)
  - File created: C:\Windows\SysWOW64\rundll32mgr.exe (process: rundll32.exe)
  - File created: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
  - File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (process: svchost.exe)
- Drops file in Program Files directory (64 IoCs)
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\liboldmovie_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\wsdetect.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE svchost.exe File opened for modification C:\Program Files\Windows NT\Accessories\WordpadFilter.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\networkinspection.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\Timeline.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Framework.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\JNWDRV.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html svchost.exe File opened for modification C:\Program 
Files\Common Files\System\msadc\msaddsr.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientsideProviders.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwLatin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsimple_channel_mixer_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\msitss55.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClientsideProviders.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll svchost.exe File opened for modification C:\Program 
Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libaribcam_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_udp_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libwgl_plugin.dll svchost.exe 
File opened for modification C:\Program Files\Common Files\System\msadc\msadds.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\gstreamer-lite.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll svchost.exe File opened for modification C:\Program Files\Windows Mail\oeimport.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradfun_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\kcms.dll svchost.exe -
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  - PID 2188 WaterMark.exe (8 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, PID 2248 rundll32.exe
  - Token: SeDebugPrivilege, PID 2188 WaterMark.exe
  - Token: SeDebugPrivilege, PID 2508 svchost.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  - PID 1728 rundll32.exe wrote to memory of PID 2248 (procid_target 28), 7 entries
  - PID 2248 rundll32.exe wrote to memory of PID 2228 (procid_target 29), 4 entries
  - PID 2228 rundll32mgr.exe wrote to memory of PID 2188 (procid_target 30), 4 entries
  - PID 2188 WaterMark.exe wrote to memory of PID 2944 (procid_target 31), 10 entries
  - PID 2188 WaterMark.exe wrote to memory of PID 2508 (procid_target 32), 10 entries
Processes
- C:\Windows\system32\rundll32.exe (PID 1728)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76e8232052319e0e71c7a5eb1a3131d0_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2248)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76e8232052319e0e71c7a5eb1a3131d0_NeikiAnalytics.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe (PID 2228)
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 2188)
        command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\svchost.exe (PID 2944)
          command line: C:\Windows\system32\svchost.exe
          - Modifies WinLogon for persistence
          - Drops file in System32 directory
          - Drops file in Program Files directory
        - C:\Windows\SysWOW64\svchost.exe (PID 2508)
          command line: C:\Windows\system32\svchost.exe
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  - Filesize: 144KB
  - MD5: 0e94e08dd1f7af3dbf683ff6188108d5
  - SHA1: 2bb7dc6137a27c42816460a6c7113ee1884a6cad
  - SHA256: 0268737f88fdd0f27213bc62f3cd1174f2e25ec4f87bc57a38feb9c09ab92877
  - SHA512: a39a6ec2aa0b4c1af254a07624cc7e71db7814a4ffc297ef5c046a7915ab7dc3bd8b5457b74dea8c1acf9663c51140744f221e7043d42278832c16efab8b370c
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  - Filesize: 140KB
  - MD5: 153344fdf26e4d47f9e8ab6c533a631b
  - SHA1: 010652a99ede76e001855ae7b38be23e66ade8d9
  - SHA256: ec64aea3356be7650ef8e8f41eeebeb1535800af86f0a4b216a27bc220e2bd85
  - SHA512: 1c8e47aaed3fc4a674df3f10a4e4f0ad88152adfd77645bf0cb356fc37189e3c676cf47309c33e4bc4a045f7ac46e5e93e71c97166df1fb6daa8b84fa91f317e
- (unnamed file)
  - Filesize: 65KB
  - MD5: 849ef19ec0155d79d4fa5bfb5657b106
  - SHA1: eb7e7ff208ecb40d35755d8f36e31e2482166299
  - SHA256: 8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04
  - SHA512: 30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2