Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
04/06/2024, 01:52
General
-
Target
1f394dda64257d43eeb09238afbcd150_NeikiAnalytics.dll
-
Size
772KB
-
MD5
1f394dda64257d43eeb09238afbcd150
-
SHA1
ca23c9ccaf34cf14c7ef663d7f9c1a69eae2c83d
-
SHA256
f0f3ad9f2304245eaa09cfb94aa64db68c4aa4a81730a1966c4ca60b3da8efd4
-
SHA512
c4801ac910ae657ed724d54d698345a4167f264533f1c8dbd88ac33edc5ed70d94b820ff07a0387f20ec80f5af8da281abc32525379cde6941fb14e64c8e437f
-
SSDEEP
6144:bi05kH9OyU2uv5SRf/FWgFgt8gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:urHGPv5SmpthDmUWuVZkxikdXcq
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1f394dda64257d43eeb09238afbcd150_NeikiAnalytics.dll,#11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\TpmInit.exeC:\Windows\system32\TpmInit.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\gW4jriK.cmd1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{f88aa085-2df5-1d76-19b1-e998b140f7f3}"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Delete /F /TN "User_Feed_Synchronization-{f88aa085-2df5-1d76-19b1-e998b140f7f3}"2⤵
-
-
C:\Windows\system32\dinotify.exeC:\Windows\system32\dinotify.exe1⤵
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe1⤵
-
C:\Windows\system32\BdeUISrv.exeC:\Windows\system32\BdeUISrv.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\0T0rcs.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\eventvwr.exe"C:\Windows\System32\eventvwr.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\eZ5CO.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Create /F /TN "Trqxvscxs" /SC minute /MO 60 /TR "C:\Windows\system32\6894\BdeUISrv.exe" /RL highest3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
195B
MD5e06657d2c0b81646c0af2bc97c12973b
SHA1d7bf872fc7c334cc9fc91a1295482c40017feb5f
SHA2564584c00d43404400c3fb299dd4da895e19bf6dcd6986a7976fde1d7b507ff019
SHA512f6e8cf4bfafe02f44ca52b7a2405f365f6211cde529142cba31c0fc0c4be3310b97be2df0b273011dd6e16ee0fc1234bb54b3da2f7142224ffe688edc53ae15d
-
Filesize
776KB
MD552664d93978ee44d85590631bdf1a60d
SHA10881ac9061ebe8f06e30501926544928430469d2
SHA25612a4bd59b72f19962ad65c4f7b93cf059b80b991bee6f566320b82c102bc7f01
SHA512e0bb714a4bc1f2c0800d9f309ce9af9d3eb598c188844643fba41a4b0353dae35e336e87e8d5855062ae1561b3b9ac5898f35f71ee15fd2099afa387e63eff4e
-
Filesize
128B
MD5cc48eb809f96c56c894f7663f7a393ea
SHA1f5061ca77c84d9e7068899e955ac2cd0d94a1dee
SHA25658d7c1e501d581419115ba470fe54e72238ee957e3aa099a482b78a4eee6ab02
SHA512ca6851fd575200809866b32e53163360dcfa57e41924006f5df4419661d381b5a12bcccb6cc51e87492bd7ac6691b5ba372fe8f669c3d5e0d91795c6d0f8bff8
-
Filesize
232B
MD567c33fb9e9e198671a7c826a2c50fe66
SHA102b01fb1e1998940e9cb42327db31b643fc7a7f1
SHA2569d0ccdcede162b56615b153017382b5e7c822aa648836a96294f173fa6d0e435
SHA512285ff9735f9cdde931774a471c2366a3694f9adb082769152b4cc87ec9020a31a93582c0ec6b7c330aeb33e1bfc3cd5d788dff6ced81268e5f8c799910a00d86
-
Filesize
776KB
MD5447f1b7364312b3dba2d8b88a175e1f8
SHA1b6e48a947e2ea337b72a82519f93b18fb97b8ba0
SHA256b8aed07d4015017baf1bca72c2b7224e55e9fde76f8c128c42b4cc090eddee89
SHA512c0fe6c9f041e9fd343ff2307e4b1d6e6bb5115900fbc640172c3cd6b24ddf7a69b0fd72119ca4b135dfb52d0e4a112ad0844df257af2d91b5069da36904ac8ec
-
Filesize
880B
MD5eec814ec2d49e48bc214e34fc8494d92
SHA17fa51eaa489b39d4ca13f41adcf796c61a54f2e9
SHA25648020dfc4035dfb5e9b2e8b79bcda2be906645d4494541c9aeb71ba129d65b57
SHA512f9a038c463ba729d6628d381579e73696910d15eb47b636ce927bed0cd3f573e10709a8f56924c6d229056197367e45e8e13684c1ef2a133561fab38e421cfe0
-
Filesize
112KB
MD58b5eb38e08a678afa129e23129ca1e6d
SHA1a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
SHA2564befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
SHA512a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
28KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
4KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
4KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
8KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
772KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
772KB
-
Filesize
772KB