Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 05:43
Static task: static1
Behavioral task: behavioral1
Sample: 797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll
Resource: win7-20240215-en
General
Target: 797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll
Size: 157KB
MD5: 797cd2ef5bc6b5b41f8508e8d3051120
SHA1: 09936774ed803a7b72b86baa4144d27d58dc9d4f
SHA256: ba0b188e2d49247864e1c709aa9b1467f57a2c73b484418217c1ad678f8645bc
SHA512: 971c16668ecaec4f127d61ed3af210237c23c536a650789fe8ee0c6537e872899e39111618337073877eedbc0179b02fc3d0176eb970355d23e1c40959decef8
SSDEEP: 3072:IMr6N9WfdNAbzEJ069VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm18:IMqWfdNAPE+6yEYZ7DVQgsQLPzo18
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe

Executes dropped EXE 4 IoCs
  pid | Process
  2264 | rundll32mgr.exe
  2548 | rundll32mgrmgr.exe
  2656 | WaterMark.exe
  2880 | WaterMark.exe

Loads dropped DLL 8 IoCs
  pid | Process
  1372 | rundll32.exe
  1372 | rundll32.exe
  2264 | rundll32mgr.exe
  2264 | rundll32mgr.exe
  2548 | rundll32mgrmgr.exe
  2264 | rundll32mgr.exe
  2548 | rundll32mgrmgr.exe
  2264 | rundll32mgr.exe

  resource | yara_rule
  behavioral1/memory/2264-51-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2548-48-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2548-33-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2548-32-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2548-31-0x0000000000400000-0x0000000000423000-memory.dmp | upx
  behavioral1/memory/2264-24-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2264-23-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2264-22-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2264-21-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2880-83-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2656-82-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2880-154-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/2656-156-0x0000000000400000-0x0000000000421000-memory.dmp | upx

Drops file in System32 directory 4 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
  File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | rundll32mgr.exe
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
Drops file in Program Files directory 64 IoCs
  description | ioc | Process
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\d3d9\libdirect3d9_filters_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll | svchost.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\cpu.html | svchost.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSORES.DLL | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll | svchost.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.DataSetExtensions.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Windows Defender\MpAsDesc.dll | svchost.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationProvider.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libh26x_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\osclientcerts.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libnsc_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html | svchost.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jli.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\jfxwebkit.dll | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Design.Resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libvnc_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | svchost.exe
  File opened for modification | C:\Program Files\Common Files\System\msadc\msdaprsr.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\glass.dll | svchost.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | svchost.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | svchost.exe
  File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libinteger_mixer_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotionblur_plugin.dll | svchost.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pidgenx.dll | svchost.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\hprof.dll | svchost.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll | svchost.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
  pid | Process
  2880 | WaterMark.exe
  2880 | WaterMark.exe
  2656 | WaterMark.exe
  2656 | WaterMark.exe
  2880 | WaterMark.exe
  2880 | WaterMark.exe
  2880 | WaterMark.exe
  2880 | WaterMark.exe
  2880 | WaterMark.exe
  2880 | WaterMark.exe
  2656 | WaterMark.exe
  2656 | WaterMark.exe
  2656 | WaterMark.exe
  2656 | WaterMark.exe
  2656 | WaterMark.exe
  2656 | WaterMark.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 1372 | rundll32.exe
  Token: SeDebugPrivilege | 2880 | WaterMark.exe
  Token: SeDebugPrivilege | 2656 | WaterMark.exe
  Token: SeDebugPrivilege | 2240 | svchost.exe
  Token: SeDebugPrivilege | 1192 | svchost.exe

Suspicious use of UnmapMainImage 4 IoCs
  pid | Process
  2264 | rundll32mgr.exe
  2548 | rundll32mgrmgr.exe
  2880 | WaterMark.exe
  2656 | WaterMark.exe

Suspicious use of WriteProcessMemory 63 IoCs
  description | pid | Process | procid_target
  PID 1724 wrote to memory of 1372 | 1724 | rundll32.exe | 28
  PID 1724 wrote to memory of 1372 | 1724 | rundll32.exe | 28
  PID 1724 wrote to memory of 1372 | 1724 | rundll32.exe | 28
  PID 1724 wrote to memory of 1372 | 1724 | rundll32.exe | 28
  PID 1724 wrote to memory of 1372 | 1724 | rundll32.exe | 28
  PID 1724 wrote to memory of 1372 | 1724 | rundll32.exe | 28
  PID 1724 wrote to memory of 1372 | 1724 | rundll32.exe | 28
  PID 1372 wrote to memory of 2264 | 1372 | rundll32.exe | 29
  PID 1372 wrote to memory of 2264 | 1372 | rundll32.exe | 29
  PID 1372 wrote to memory of 2264 | 1372 | rundll32.exe | 29
  PID 1372 wrote to memory of 2264 | 1372 | rundll32.exe | 29
  PID 2264 wrote to memory of 2548 | 2264 | rundll32mgr.exe | 30
  PID 2264 wrote to memory of 2548 | 2264 | rundll32mgr.exe | 30
  PID 2264 wrote to memory of 2548 | 2264 | rundll32mgr.exe | 30
  PID 2264 wrote to memory of 2548 | 2264 | rundll32mgr.exe | 30
  PID 2548 wrote to memory of 2656 | 2548 | rundll32mgrmgr.exe | 31
  PID 2548 wrote to memory of 2656 | 2548 | rundll32mgrmgr.exe | 31
  PID 2548 wrote to memory of 2656 | 2548 | rundll32mgrmgr.exe | 31
  PID 2548 wrote to memory of 2656 | 2548 | rundll32mgrmgr.exe | 31
  PID 2264 wrote to memory of 2880 | 2264 | rundll32mgr.exe | 32
  PID 2264 wrote to memory of 2880 | 2264 | rundll32mgr.exe | 32
  PID 2264 wrote to memory of 2880 | 2264 | rundll32mgr.exe | 32
  PID 2264 wrote to memory of 2880 | 2264 | rundll32mgr.exe | 32
  PID 2880 wrote to memory of 2844 | 2880 | WaterMark.exe | 33
  PID 2880 wrote to memory of 2844 | 2880 | WaterMark.exe | 33
  PID 2880 wrote to memory of 2844 | 2880 | WaterMark.exe | 33
  PID 2880 wrote to memory of 2844 | 2880 | WaterMark.exe | 33
  PID 2880 wrote to memory of 2844 | 2880 | WaterMark.exe | 33
  PID 2880 wrote to memory of 2844 | 2880 | WaterMark.exe | 33
  PID 2880 wrote to memory of 2844 | 2880 | WaterMark.exe | 33
  PID 2880 wrote to memory of 2844 | 2880 | WaterMark.exe | 33
  PID 2880 wrote to memory of 2844 | 2880 | WaterMark.exe | 33
  PID 2880 wrote to memory of 2844 | 2880 | WaterMark.exe | 33
  PID 2656 wrote to memory of 2216 | 2656 | WaterMark.exe | 34
  PID 2656 wrote to memory of 2216 | 2656 | WaterMark.exe | 34
  PID 2656 wrote to memory of 2216 | 2656 | WaterMark.exe | 34
  PID 2656 wrote to memory of 2216 | 2656 | WaterMark.exe | 34
  PID 2656 wrote to memory of 2216 | 2656 | WaterMark.exe | 34
  PID 2656 wrote to memory of 2216 | 2656 | WaterMark.exe | 34
  PID 2656 wrote to memory of 2216 | 2656 | WaterMark.exe | 34
  PID 2656 wrote to memory of 2216 | 2656 | WaterMark.exe | 34
  PID 2656 wrote to memory of 2216 | 2656 | WaterMark.exe | 34
  PID 2656 wrote to memory of 2216 | 2656 | WaterMark.exe | 34
  PID 2880 wrote to memory of 2240 | 2880 | WaterMark.exe | 35
  PID 2880 wrote to memory of 2240 | 2880 | WaterMark.exe | 35
  PID 2880 wrote to memory of 2240 | 2880 | WaterMark.exe | 35
  PID 2880 wrote to memory of 2240 | 2880 | WaterMark.exe | 35
  PID 2880 wrote to memory of 2240 | 2880 | WaterMark.exe | 35
  PID 2880 wrote to memory of 2240 | 2880 | WaterMark.exe | 35
  PID 2880 wrote to memory of 2240 | 2880 | WaterMark.exe | 35
  PID 2880 wrote to memory of 2240 | 2880 | WaterMark.exe | 35
  PID 2880 wrote to memory of 2240 | 2880 | WaterMark.exe | 35
  PID 2880 wrote to memory of 2240 | 2880 | WaterMark.exe | 35
  PID 2656 wrote to memory of 1192 | 2656 | WaterMark.exe | 36
  PID 2656 wrote to memory of 1192 | 2656 | WaterMark.exe | 36
  PID 2656 wrote to memory of 1192 | 2656 | WaterMark.exe | 36
  PID 2656 wrote to memory of 1192 | 2656 | WaterMark.exe | 36
  PID 2656 wrote to memory of 1192 | 2656 | WaterMark.exe | 36
  PID 2656 wrote to memory of 1192 | 2656 | WaterMark.exe | 36
  PID 2656 wrote to memory of 1192 | 2656 | WaterMark.exe | 36
  PID 2656 wrote to memory of 1192 | 2656 | WaterMark.exe | 36
  PID 2656 wrote to memory of 1192 | 2656 | WaterMark.exe | 36
  PID 2656 wrote to memory of 1192 | 2656 | WaterMark.exe | 36
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1724
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\797cd2ef5bc6b5b41f8508e8d3051120_NeikiAnalytics.dll,#1
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1372
    C:\Windows\SysWOW64\rundll32mgr.exe
      command line: C:\Windows\SysWOW64\rundll32mgr.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      PID: 2264
      C:\Windows\SysWOW64\rundll32mgrmgr.exe
        command line: C:\Windows\SysWOW64\rundll32mgrmgr.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        PID: 2548
        C:\Program Files (x86)\Microsoft\WaterMark.exe
          command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          PID: 2656
          C:\Windows\SysWOW64\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            PID: 2216
          C:\Windows\SysWOW64\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            - Suspicious use of AdjustPrivilegeToken
            PID: 1192
      C:\Program Files (x86)\Microsoft\WaterMark.exe
        command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        PID: 2880
        C:\Windows\SysWOW64\svchost.exe
          command line: C:\Windows\system32\svchost.exe
          - Modifies WinLogon for persistence
          - Drops file in System32 directory
          - Drops file in Program Files directory
          PID: 2844
        C:\Windows\SysWOW64\svchost.exe
          command line: C:\Windows\system32\svchost.exe
          - Suspicious use of AdjustPrivilegeToken
          PID: 2240
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 132KB
  MD5: 67701ba02451abf3bc53b8a165170fff
  SHA1: 45f4262def81d255c405e31ac3ab38b2e560583d
  SHA256: 397a4a3d2e376845f6d3816af275b19a59acc368dcb661f58093c5b3fc746f8e
  SHA512: f2466f20831d0acd8b934c7bcc6eff08d1dc7543f354fe42859f1971bb581137d8c5ab86d0c6badea32706cbbc2ca2674e4edabd3a0a288d6a0e411c56e7d1af

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 128KB
  MD5: c506416a5dd5cbe6fc86cd6fb7585487
  SHA1: 33889abac18666814f0d3c61c5df7280ae2e5ebc
  SHA256: b79816ae0b418e3dd1c50c8afade3c90f539152a0c81daa65374c1d1e4c30982
  SHA512: 9b4e8e338c9582cb07fe5e651bfce4cafefebae5277a1ed1809d02b03acf1a8316dc19d60e3b212b91c555fcd5ffa363fac5cb7502cef6ae441dd491bf398711

  Filesize: 59KB
  MD5: f2c8b7e238a07cce22920efb1c8645a6
  SHA1: cd2af4b30add747e222f938206b78d7730fdf346
  SHA256: 6b20b420e84a30df810d52a9b205a3af0f46cafe82bf378867542f15eb64461e
  SHA512: c4b9c8c3dccaa39b5ac1faea7e92b0e1d391f0943989178634992be07c40be15b8543f9c6746ab6a5a7136ea00e3c0818fc43bc2eee4e5d282c3cbf7ea279699

  Filesize: 122KB
  MD5: c5255edf109342e3e1d1eb0990b2d094
  SHA1: ba029b47b9b3a5ccccae3038d90382ec68a1dd44
  SHA256: ea49164b416d1b900f80a14f30295ea7d546483a0d7ba8b3a9e48dbcb48a3dc5
  SHA512: 6b6911ea424763af3ed4964e67aa75d1ffe74551e1e4e12e6220afcda720dbfdda00d744e23486c07701662bac3702220f760d1c86a188772e9bf8af7b64a3a3