Analysis
-
max time kernel
141s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 07:29
Behavioral task
behavioral1
Sample
92ae0db2574f133269f27498b3745200_NeikiAnalytics.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
92ae0db2574f133269f27498b3745200_NeikiAnalytics.dll
Resource
win10v2004-20240226-en
General
-
Target
92ae0db2574f133269f27498b3745200_NeikiAnalytics.dll
-
Size
73KB
-
MD5
92ae0db2574f133269f27498b3745200
-
SHA1
4c0173388007ec491cea2d9c7c48fb7224c392cf
-
SHA256
19231df441e959dbf943a3cb5f04585a9c24c31f2445e5ef6b77b2ef1be9955c
-
SHA512
f2c7d74c8a2023235e37462bd9d2e75148a1177059c3efb6ff9355c9b6254544158b28dbdc50b135ceb14c334111e83db5104d98b060b57931d496daecf6b8e4
-
SSDEEP
1536:UZZZZZZZZZZZZpXzzzzzzzzzzzzfP2PIFYa09P6+KIB6YyzMqqU+2bbbAV2/S2s3:07FYb6+KIPIMqqDL2/sEvdCNd
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jnicclluwts = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\lnhlgf.exe\"" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\J: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\A: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\Z: rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3580 1588 WerFault.exe rundll32.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rundll32.exepid process 1588 rundll32.exe 1588 rundll32.exe 1588 rundll32.exe 1588 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1596 wrote to memory of 1588 1596 rundll32.exe rundll32.exe PID 1596 wrote to memory of 1588 1596 rundll32.exe rundll32.exe PID 1596 wrote to memory of 1588 1596 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\92ae0db2574f133269f27498b3745200_NeikiAnalytics.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\92ae0db2574f133269f27498b3745200_NeikiAnalytics.dll,#12⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 6243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1588 -ip 15881⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:81⤵