15e502896e34d87921319a8830dc75d38580e5d15dcbbd9f9ee882efcabf3352

Analysis

max time kernel
150s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b1984572c2ae6a7dddbf7b56738130_NeikiAnalytics.dll
Size

468KB
MD5

59b1984572c2ae6a7dddbf7b56738130
SHA1

864b626f79aa3a7feaf04c95f20b37d02b18e1bd
SHA256

15e502896e34d87921319a8830dc75d38580e5d15dcbbd9f9ee882efcabf3352
SHA512

29b7089f232e74b0620b2245c40b314d64010d7ac0a11b4b4de49a3aa59e8eb1e28eae3b063bf31bcafff0d4a30375c48f1400ff133b6cefa45ed521a78ea25b
SSDEEP

6144:oi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:7rHGPv5SmptZDmUWuVZkxikdXcq

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zyaxxifxvt = "\"C:\\Users\\Admin\\AppData\\Roaming\\RellU1\\rdpshell.exe\""	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\2577\ddodiag.exe	cmd.exe
File opened for modification	C:\Windows\system32\2577\ddodiag.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4416	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\3K0p8N.cmd"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings\shell\open	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\ms-settings	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
216	rundll32.exe
216	rundll32.exe
216	rundll32.exe
216	rundll32.exe
216	rundll32.exe
216	rundll32.exe
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found
3412	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3412	Process not Found
Token: SeCreatePagefilePrivilege	3412	Process not Found
Token: SeShutdownPrivilege	3412	Process not Found
Token: SeCreatePagefilePrivilege	3412	Process not Found
Token: SeShutdownPrivilege	3412	Process not Found
Token: SeCreatePagefilePrivilege	3412	Process not Found
Token: SeShutdownPrivilege	3412	Process not Found
Token: SeCreatePagefilePrivilege	3412	Process not Found
Token: SeShutdownPrivilege	3412	Process not Found
Token: SeCreatePagefilePrivilege	3412	Process not Found
Token: SeShutdownPrivilege	3412	Process not Found
Token: SeCreatePagefilePrivilege	3412	Process not Found
Token: SeShutdownPrivilege	3412	Process not Found
Token: SeCreatePagefilePrivilege	3412	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3412	Process not Found

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 2376	3412	Process not Found	92
PID 3412 wrote to memory of 2376	3412	Process not Found	92
PID 3412 wrote to memory of 956	3412	Process not Found	93
PID 3412 wrote to memory of 956	3412	Process not Found	93
PID 3412 wrote to memory of 5052	3412	Process not Found	94
PID 3412 wrote to memory of 5052	3412	Process not Found	94
PID 3412 wrote to memory of 4000	3412	Process not Found	95
PID 3412 wrote to memory of 4000	3412	Process not Found	95
PID 3412 wrote to memory of 1976	3412	Process not Found	97
PID 3412 wrote to memory of 1976	3412	Process not Found	97
PID 1976 wrote to memory of 652	1976	cmd.exe	99
PID 1976 wrote to memory of 652	1976	cmd.exe	99
PID 3412 wrote to memory of 1152	3412	Process not Found	100
PID 3412 wrote to memory of 1152	3412	Process not Found	100
PID 3412 wrote to memory of 4316	3412	Process not Found	101
PID 3412 wrote to memory of 4316	3412	Process not Found	101
PID 3412 wrote to memory of 4600	3412	Process not Found	103
PID 3412 wrote to memory of 4600	3412	Process not Found	103
PID 4600 wrote to memory of 3060	4600	fodhelper.exe	104
PID 4600 wrote to memory of 3060	4600	fodhelper.exe	104
PID 3060 wrote to memory of 4416	3060	cmd.exe	106
PID 3060 wrote to memory of 4416	3060	cmd.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\59b1984572c2ae6a7dddbf7b56738130_NeikiAnalytics.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:216

C:\Windows\system32\DsmUserTask.exe
C:\Windows\system32\DsmUserTask.exe
1⤵
PID:2376

C:\Windows\system32\NetCfgNotifyObjectHost.exe
C:\Windows\system32\NetCfgNotifyObjectHost.exe
1⤵
PID:956

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:5052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\u3GCno4.cmd
1⤵
PID:4000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6893c48b-093d-67fa-0118-e174d21e6c79}"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6893c48b-093d-67fa-0118-e174d21e6c79}"
  2⤵
  PID:652

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:1152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\RF70Ejn.cmd
1⤵
- Drops file in System32 directory
PID:4316

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\3K0p8N.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Zjytiviekgag" /SC minute /MO 60 /TR "C:\Windows\system32\2577\ddodiag.exe" /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3K0p8N.cmd

Filesize
130B

MD5
d7b2fa08987dc6f71381ee56d14ce129

SHA1
91d01921a2cda0feec6b0d5891902a40d43ab363

SHA256
fd3d5dc7cfc78649d77b98ae0ea8ec4e76faf49d5ce6b454397204b8a8b654da

SHA512
70d40903c95aef7c6b51dc260fd26c77c639ef99e819bee70cfad7788e102cf34616743b9d47a555ee009c423d2acd2f819ab1ce376c8ecb9c3e90cbb4266e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RF70Ejn.cmd

Filesize
192B

MD5
1fafcbc588fd772bb5a1e1e469d28171

SHA1
3b09e1d9242a51ed12a074b4e6e85509e419cdac

SHA256
a90649281a28ae7ed8cbaf64c08aff72c69817d7a07b00598c2a9321de0e3090

SHA512
23ac682f76ef37edfd8dd52d14b12e1fedf916369e6c4104dff81602f7a8aa5e342c1abe60e0b69231a76bdbe77efe79efc5d6971cd3feffb8b573ebd31b849d

Download Submit
C:\Users\Admin\AppData\Local\Temp\U64A6.tmp

Filesize
468KB

MD5
c313c61546841496e0d3350988d1e939

SHA1
2e84cf0144cffa7d26f315ff3075748e89a1f2bf

SHA256
7c69322d47957e9fe83507c2e7c15ea7ffc2720dcdfd91565cc9fb832ceff89f

SHA512
3958898789f26d6f6ba89f504a3bcda254acfa828b754c1b4a58c274f474c5493e4fbbcb5a50db8ed274d80c48072a7f1bd8e9e2ed64fe5310bc6ca653f8f391

Download Submit
C:\Users\Admin\AppData\Local\Temp\k6225.tmp

Filesize
472KB

MD5
41886bf2f308c50c62a9bf567a153656

SHA1
896163acea33ea9fbf7f645337ddfd334908c066

SHA256
dd8629ba985610182694a0bbb9aba8e32f25cff419f2590fbeb70654847126e2

SHA512
e5868f38d993884dd1bfd84ccd204911835dcbf5ba88cbb43b56b1a64e26279856d9c1b55746fb9a596fc33cf65aeaabbdbb1684e8ebfd48e1dfb721e951a568

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3GCno4.cmd

Filesize
231B

MD5
e087a13c3a5e3207aa8e6cb49c313a86

SHA1
e6902f03bffe4da3fce9f652ecd678d5b0acaacd

SHA256
bd85e13e47646e689cbc90964c556d893e5196fc50be31f7a35ed2f6d99fb7ff

SHA512
cb471ebe91ff526b909ad493ebf3e1fa36d716dd6003fc838fb0175e8b40b9b81f18c096853635990191cb4cf7beae1f6930ea3b36c80f3e05507a18f5de6b65

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zyaxxifxvt.lnk

Filesize
910B

MD5
67d697a63835540696ba01c90c68bfad

SHA1
5c6588cd52c0e963939d91ac01d3c450d95ad9cb

SHA256
56bf76a0a3111346aa5d6b40c68f904fa0ea69b5d655e856c7d4cfad1c4df290

SHA512
bf127756390b24c4b466b24f7a655819b95aa38b2c855014df652ba3f49ae6fc379d4f7006e225b226420f9ba48629524ad781b8781f1771dd5b52d41b5d57db

Download Submit
C:\Users\Admin\AppData\Roaming\RellU1\rdpshell.exe

Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
memory/216-0-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/216-2-0x0000028D13B20000-0x0000028D13B27000-memory.dmp

Filesize
28KB

Download
memory/216-6-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-12-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-32-0x00007FFEA16E0000-0x00007FFEA16F0000-memory.dmp

Filesize
64KB

Download
memory/3412-14-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-13-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-16-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-11-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-10-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-9-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-19-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-8-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-7-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-15-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-38-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-17-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-27-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-31-0x0000000000A00000-0x0000000000A07000-memory.dmp

Filesize
28KB

Download
memory/3412-48-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-20-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-18-0x0000000140000000-0x0000000140075000-memory.dmp

Filesize
468KB

Download
memory/3412-3-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3412-5-0x00007FFEA092A000-0x00007FFEA092B000-memory.dmp

Filesize
4KB

Download