f99ccad6f539e977685c4e6382623cb3e1e5d60a6977895009bc5cb92a9d23ee

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5001c1df67bfa094b926d42dcc9a090_NeikiAnalytics.dll
Size

1.0MB
MD5

f5001c1df67bfa094b926d42dcc9a090
SHA1

9ef324afabe160afbf148e5b0427ae64bbae41cb
SHA256

f99ccad6f539e977685c4e6382623cb3e1e5d60a6977895009bc5cb92a9d23ee
SHA512

7c37238d3b58a11043359ecdf23bdfdedfdfa6ebf6bee642f0014ed9253c7adc5853bd7645465e45dee9fa56d71f8acc9db98881df66c2314a9a4a8d86000e1f
SSDEEP

6144:5i05kH9OyU2uv5SRf/FWgFgtLgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT+:crHGPv5SmptcDmUWuVZkxikdXcq

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "\"C:\\Users\\Admin\\AppData\\Roaming\\8dCXfKp\\Utilman.exe\""	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\8649\ie4uinit.exe	cmd.exe
File created	C:\Windows\system32\8649\ie4uinit.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3764	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\vtUwO.cmd"	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
228	rundll32.exe
228	rundll32.exe
228	rundll32.exe
228	rundll32.exe
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found
3600	Process not Found

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found
Token: SeShutdownPrivilege	3600	Process not Found
Token: SeCreatePagefilePrivilege	3600	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3600	Process not Found

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 644	3600	Process not Found	86
PID 3600 wrote to memory of 644	3600	Process not Found	86
PID 3600 wrote to memory of 4176	3600	Process not Found	87
PID 3600 wrote to memory of 4176	3600	Process not Found	87
PID 3600 wrote to memory of 5072	3600	Process not Found	89
PID 3600 wrote to memory of 5072	3600	Process not Found	89
PID 5072 wrote to memory of 460	5072	cmd.exe	91
PID 5072 wrote to memory of 460	5072	cmd.exe	91
PID 3600 wrote to memory of 3760	3600	Process not Found	92
PID 3600 wrote to memory of 3760	3600	Process not Found	92
PID 3600 wrote to memory of 3300	3600	Process not Found	93
PID 3600 wrote to memory of 3300	3600	Process not Found	93
PID 3600 wrote to memory of 1148	3600	Process not Found	94
PID 3600 wrote to memory of 1148	3600	Process not Found	94
PID 3600 wrote to memory of 64	3600	Process not Found	96
PID 3600 wrote to memory of 64	3600	Process not Found	96
PID 64 wrote to memory of 4420	64	fodhelper.exe	97
PID 64 wrote to memory of 4420	64	fodhelper.exe	97
PID 4420 wrote to memory of 3764	4420	cmd.exe	99
PID 4420 wrote to memory of 3764	4420	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5001c1df67bfa094b926d42dcc9a090_NeikiAnalytics.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\I3fdqw.cmd
1⤵
PID:4176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"
  2⤵
  PID:460

C:\Windows\system32\DsmUserTask.exe
C:\Windows\system32\DsmUserTask.exe
1⤵
PID:3760

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:3300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\3UkPWKM.cmd
1⤵
- Drops file in System32 directory
PID:1148

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\vtUwO.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Fdxhngjjnp" /SC minute /MO 60 /TR "C:\Windows\system32\8649\ie4uinit.exe" /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3UkPWKM.cmd

Filesize
193B

MD5
39b8d50a7d74240949661b2019b9c8e3

SHA1
306e087e40d80ef5116fd31f9c249ad64b2c9463

SHA256
196f5c7454b82604c53a48ada3499d18f181e4b57321e9e8f0d8262196820670

SHA512
f30551f0c5778e0c1efaaf17e68b125bbd059e8e25bbbba1d16d3da3f4d52a8da2f0d1c7a2143d4b825400b9ac4a9cfd488a8347942184cb36b06fd911ddea2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\G9K5EE9.tmp

Filesize
1.3MB

MD5
7cfdb4db33ab43784700889e740e6319

SHA1
3bb49aef408a3b20097c3424f2ffca86b07af924

SHA256
6d8cdb13ed76762aa27a30659019c5cbdc0068b16db92d5ef7e2df3a652e7af2

SHA512
514674c5f1c251d74250e31e71da447ff326a6c24188988917f1d8555c1f4647af3607aedd1c0d2b1d2ddd701d1d8125e439eb22ca922b9880cec66efb921e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\I3fdqw.cmd

Filesize
234B

MD5
c9bfebcfc6347abe3168da554147be63

SHA1
b126d06ebd36440184ef43945936b8f5b89b93c2

SHA256
e18d3cd46bea5b348034cf594154e0908b672bb986d4899c99e4b42c17148a4b

SHA512
357f201ec5696fce6739dc4b84b29826b78985eab3f572ffb0c757b7f2d883e53a346094c5fd792e50a20e8328e3c29344a3a2c1774c7192e6b6eebaced40253

Download Submit
C:\Users\Admin\AppData\Local\Temp\I6013.tmp

Filesize
1.0MB

MD5
e014407cab6bc409b9a7df11385dddfe

SHA1
a2dbf3ed79ff8a3ddaac9c101639747adb99ac89

SHA256
ef66d853963df4e009ebbe17a4175d02b9dd247cddc51a7ac1c0f72b052afbd1

SHA512
d8e43c1b1155b0bf24a25e3e6f757c4525913a3272c4856815c546ccf07c02f8a8b5cab8623d2a70282e9071f2fbb56de8467cb4265693d716a4c3eb58532b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtUwO.cmd

Filesize
129B

MD5
9a96252a3eaf06699e0a71bcebe14fd5

SHA1
5a62940d91db242898620c4c2d385bc6f5d463a5

SHA256
c3c1ca85412509f982c18ad768b4a454f4e49d4c26e88a214fbbc1def2368a31

SHA512
efc6896c9c7aa3e059dec724903e988eb54342c2d12d78c236e3669b7d953e10ed07a508b79697e1f9fe92be4f6634121381a4a9911aedf11de65748e082352d

Download Submit
C:\Users\Admin\AppData\Roaming\8dCXfKp\Utilman.exe

Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pruztwesow.lnk

Filesize
912B

MD5
72d4bfec6bd3446749f879ee83bef5cf

SHA1
5a8304759e0e874400c2619949879444afa365f7

SHA256
38f4a3d4a383dc08980923cc9081303fff21537b03355ae97b14db4dde406adf

SHA512
2203e7b714f7b489e69d2e758fbce73a896c09e007aafdf6fc00aaeeccf1aad8e8a60aeb2a4930b43063e537caee22adfc85bf33ebedfb3d3ad199c4fab419f3

Download Submit
memory/228-0-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/228-2-0x00000240F7A10000-0x00000240F7A17000-memory.dmp

Filesize
28KB

Download
memory/228-5-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-18-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-9-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-22-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-21-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-20-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-19-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-31-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-15-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-14-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-13-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-12-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-11-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-10-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-23-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-8-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-17-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-7-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-52-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-35-0x00000000007E0000-0x00000000007E7000-memory.dmp

Filesize
28KB

Download
memory/3600-43-0x00007FFEE2340000-0x00007FFEE2350000-memory.dmp

Filesize
64KB

Download
memory/3600-41-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-24-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-16-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/3600-6-0x00007FFEE071A000-0x00007FFEE071B000-memory.dmp

Filesize
4KB

Download
memory/3600-3-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download