Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
03/06/2024, 15:30
General
-
Target
05b0ecc5437ee37d57f6bee7f49c6da0_NeikiAnalytics.dll
-
Size
772KB
-
MD5
05b0ecc5437ee37d57f6bee7f49c6da0
-
SHA1
eed97e35bf9b5b481a9a2229ebd79c0dbf1c24c7
-
SHA256
16039a28c20113cadf04d3777b3edc261e88e5ac809c7cf0fc99f8a8f87de351
-
SHA512
1d0f78a863a2b3f2b88af41e15cda51f2f2f4bfc8bb7b04d0532e4ac9245e13969ef28ea3e9e2e83fc0535c08e34ac764cb212bc73b3fcf4775efb9a342e7c1d
-
SSDEEP
6144:Yi05kH9OyU2uv5SRf/FWgFgtdgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:rrHGPv5SmpteDmUWuVZkxikdXcq
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\05b0ecc5437ee37d57f6bee7f49c6da0_NeikiAnalytics.dll,#11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe1⤵
-
C:\Windows\system32\Magnify.exeC:\Windows\system32\Magnify.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\kuXDxjs.cmd1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{c8fa0120-b654-32d4-0e47-613d2c4281e9}"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Delete /F /TN "User_Feed_Synchronization-{c8fa0120-b654-32d4-0e47-613d2c4281e9}"2⤵
-
-
C:\Windows\system32\EduPrintProv.exeC:\Windows\system32\EduPrintProv.exe1⤵
-
C:\Windows\system32\grpconv.exeC:\Windows\system32\grpconv.exe1⤵
-
C:\Windows\system32\SystemPropertiesAdvanced.exeC:\Windows\system32\SystemPropertiesAdvanced.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\vQ4R.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\fodhelper.exe"C:\Windows\System32\fodhelper.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\W4er.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Create /F /TN "Arqdxytqgr" /SC minute /MO 60 /TR "C:\Windows\system32\3545\SystemPropertiesAdvanced.exe" /RL highest3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
772KB
MD5e356f90ae7719977dfd6f37bed39fb04
SHA13a70581275d14abb70cf3f1e3c80375cbcbd229a
SHA2565e594c27a250369924d363a2818cbf9f343f3ef3c5f1000d86ae77593c084666
SHA512df47740d8cd50f8cde749b5a1bfd64f9cee31f8c9e8f9c96495412bd7d86288e46cff15bae9183272dea4a62e59f4f74eefdce8d3fed77047f2545bb996ae4ec
-
Filesize
776KB
MD5b4816ced25e9e29b6307c964fc361e3b
SHA14fd0b066eb8355828b357f9cfb1790fb2f822d36
SHA2569b17e729859526b9ddb6ce940269bf8efad57afe28e059808e488d0d2dfc1b0b
SHA512431a46ecf7b9b591b183db992de5605b497b6d0a24f7c9c11d2af0b00fef7e00c9c5f1f85924dde72b6eb8d9212c453279aa66de41443acb9e1da67106f58301
-
Filesize
145B
MD52e009f33d5fdc67299f9c55e04f1d196
SHA1240401d655fb6ac3d9a41d629f207e5b5cf202dc
SHA2563c09419402789164166a3c24cff09fef07014ba8091810ece9c99eda8c27537f
SHA51298d6d41a71609cca2a278b7ce30c532a76267b967b1d78c59a6d2e6251d45f6152b36fbe7669feba995064b59c4cc0fc8740efd3497b7de705a3a56edae3b2c7
-
Filesize
230B
MD52e1d5d7b2cdcbec9433b65137c83fd2b
SHA11606898b9aa0687f808c37e9b8435439c07997e1
SHA256a7a57a48c8642d70365d616002149d7134c53b1ff3e9f0ad23cd2d19999f868d
SHA5120bdb6d303570472afeba42cbd374130a943b01c0fa6d2e5adef30c85306ab65cc3a9635689675e00ee3dcc7fda34995260e38b92ac213bff69de60fb66a198f3
-
Filesize
207B
MD5dbf1b4ff7a224060560311e793d409a3
SHA1eee0b37990164c1cf4cc6915df5156dfef33aaf0
SHA2564399af7f04a67b00187c339cb1e43f00478ec6c10525dbe866ba8f44d6b8993b
SHA512d52b52a04bc5a204ef824db8d684611764d7a9a82d587f6b1d395770cff7cd8c601319c7d35f463cfbfd166f6c9a6ece60e1d9d4a1d04bd9da79f8ffc9c2cb18
-
Filesize
639KB
MD54029890c147e3b4c6f41dfb5f9834d42
SHA110d08b3f6dabe8171ca2dd52e5737e3402951c75
SHA25657137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d
SHA512dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d
-
Filesize
904B
MD54e87245ad63761b6b8c7f29fb439a953
SHA1235e014ca5a13fed7cc06b458bb169bd55159849
SHA256b548a4ddfbeee972292ad366ba921b55b3b0462924f829acc56a383c43edfdc9
SHA512fcaef5d498e637ac6d854fb93fc886a46187907499bcab84c1eebf8ca115b749eb8ea77c14355237a1112ed7f0f65ca9dd90eb019ca078f7ff97512c03faa5ee
-
Filesize
772KB
-
Filesize
28KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
28KB
-
Filesize
64KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
4KB
-
Filesize
4KB