Overview

overview

7

Static

static

3

e9c77ff857...cs.dll

windows7-x64

7

e9c77ff857...cs.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2024, 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9c77ff857afd14fe12e4ba6067a3b60_NeikiAnalytics.dll

  • Size

    540KB

  • MD5

    e9c77ff857afd14fe12e4ba6067a3b60

  • SHA1

    6ab740ea7f433a7bbbcf9bf2210c0c6178696540

  • SHA256

    7727cfd67763fc7715091d501c592054d94e4714b02338d394b4aadc63ad538d

  • SHA512

    21a1a685103b861996b0c1f1b8c98ab8b64c8136286d2357338bdb504baaa6c12a4534077d4f1eb9a731446a66eece54a9b5aca82b1763bad30933e66ce38ce6

  • SSDEEP

    6144:Bi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:ErHGPv5SmptZDmUWuVZkxikdXcq

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9c77ff857afd14fe12e4ba6067a3b60_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2252
  • C:\Windows\system32\MusNotifyIcon.exe
    C:\Windows\system32\MusNotifyIcon.exe
    1⤵
      PID:2788
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\vGqvw.cmd
      1⤵
        PID:1352
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{efcc2aac-e689-e8e3-2066-d8bb45569766}"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{efcc2aac-e689-e8e3-2066-d8bb45569766}"
          2⤵
            PID:1076
        • C:\Windows\system32\MDMAppInstaller.exe
          C:\Windows\system32\MDMAppInstaller.exe
          1⤵
            PID:3760
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\jRPHWM.cmd
            1⤵
            • Drops file in System32 directory
            PID:3532
          • C:\Windows\System32\fodhelper.exe
            "C:\Windows\System32\fodhelper.exe"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:3692
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\3kQdbK2.cmd
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:440
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Create /F /TN "Jsuawhgxxu" /SC minute /MO 60 /TR "C:\Windows\system32\4454\MDMAppInstaller.exe" /RL highest
                3⤵
                • Creates scheduled task(s)
                PID:1544

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\2B35515.tmp
            Filesize

            544KB

            MD5

            19ff03830241bf58e6d0e1bd940a83fa

            SHA1

            bf1323aba8701923762fd8ed34a1546fe82b561b

            SHA256

            efbd29f42d69c007b1b3d3af930080cc0aa82991015784f57af6b1c96c6baa7a

            SHA512

            cf2ea56956eb240fee43c141cfaffea2c5d32317dc90189235eebdb7a32a4c8c04fc055a12801a7d22232dfbd9549e1739922ee7480b00a15b9f0292ad4a4adc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\3kQdbK2.cmd
            Filesize

            136B

            MD5

            ebfc723844f1d03c69a6343470a6a761

            SHA1

            56f9b02c3a20a8cc0850bfcf957986067e3866bf

            SHA256

            ab21ad1a96d3a0c3082a99926b786953834d5b36c5fa5e4c2ab668491886a7c6

            SHA512

            343bbaed8c59a7669916db258a41f2f790c7fdfa3cabf4fdcf41a4c6d2eb34fe2f5e6bad6e995d069f67114e5af1309ce4ede4b63e50ab1c547bca21c15d2275

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\jRPHWM.cmd
            Filesize

            201B

            MD5

            d671c406bdd876a15486f1360277d659

            SHA1

            ff6532493f9df32eece20a96d732715685a0f1cf

            SHA256

            4ccadc10826f24c5e0f6d14b728a1550d0a8d7515b6a762a21d634321fd07446

            SHA512

            0713609ac990a3803d883c308baad5e4bc8d582c1f52e24cb32b2eea1eba7d97a2c05a05f94826dc5c5c81e10cd297def2b07d783570a4f85971e99d2e2a04bd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\t56CC.tmp
            Filesize

            544KB

            MD5

            f38b7c187a49a006af5f797c7f36cc98

            SHA1

            af3cadd6a6bb8bae84a845eac9e9a65c8c4469cc

            SHA256

            b5c96a455d3007aa2c2735f8e2e446259364c4f5ff5817040d80150ea8cbbaf3

            SHA512

            6478e3891d57f1dd77bbb0b004ba4cbd70f74ef6d6f209950484aebe09ea1a8dc8736c489eab33acab62cd9f819f8a6642f79e969430b5342f55044379cf6f38

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\vGqvw.cmd
            Filesize

            232B

            MD5

            6f5aefae919594cbaeb68ef0ee684d71

            SHA1

            b6920f2294fbb365e0bdb691efc355316dc4aeb2

            SHA256

            f266eaa5652f571fbbdb4bd7371601e3edc724ae11edb75c913b2772f4bc649a

            SHA512

            ed95ad8cb5ce9a043b5b546970f039565aacb68bb25133a3b50b078adafb728c95fd773c69689545d4152a6675ad5c804b454799e2bbd97ac28a3aff250683fb

            Download Submit

          • C:\Users\Admin\AppData\Roaming\9L5P\MusNotifyIcon.exe
            Filesize

            629KB

            MD5

            c54b1a69a21e03b83ebb0aeb3758b6f7

            SHA1

            b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

            SHA256

            ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

            SHA512

            2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Bhelxfhv.lnk
            Filesize

            928B

            MD5

            12dc19f964e91e4ec3e5a1d3571ad24d

            SHA1

            186b64f37eba40c41bbe7d8ad29d4e2d945af522

            SHA256

            72f41e01c2777a214fe91f31c4acc8a13e4cb1bcd0d69456139cb173c476a0f3

            SHA512

            8d2f2a530e0bffb2a73d18744d55766738b2c0eccb8046ac228953ca7c8b063234a3f7002dffeb013e0905f28564d43dee51ed60da1d937d3f5b98f6bad3ecd0

            Download Submit

          • memory/2252-0-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/2252-2-0x0000025ACD0D0000-0x0000025ACD0D7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2252-6-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-16-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-10-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-23-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-22-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-21-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-20-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-19-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-18-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-41-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-14-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-13-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-12-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-11-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-24-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-9-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-8-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-25-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-7-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-43-0x0000000002CA0000-0x0000000002CA7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3476-44-0x00007FFB617C0000-0x00007FFB617D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3476-32-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-53-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-17-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-15-0x0000000140000000-0x0000000140087000-memory.dmp

            Filesize

            540KB

            Download

          • memory/3476-3-0x0000000002D40000-0x0000000002D41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3476-5-0x00007FFB5F87A000-0x00007FFB5F87B000-memory.dmp

            Filesize

            4KB

            Download