Overview

overview

7

Static

static

3

4b4127e52c...cs.dll

windows7-x64

7

4b4127e52c...cs.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    05-06-2024 08:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b4127e52c665a281752581179575430_NeikiAnalytics.dll

  • Size

    752KB

  • MD5

    4b4127e52c665a281752581179575430

  • SHA1

    c4b3a00278b6a41caf09138ae877afc6892a78bc

  • SHA256

    db0b2b8efdc4a8679c545205a5188a98f6fd9659839848f3d462272c1c5f2c57

  • SHA512

    418c1dce9ea6d684c67667c13fba3fce83e65804dc2c33a47cd56c5a49bf660e282aac02db8f6ee51f3994108f2c1960a0866c809260d6ba888ece362d97dfa4

  • SSDEEP

    6144:ei05kH9OyU2uv5SRf/FWgFgtbgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTt:xrHGPv5SmptsDmUWuVZkxikdXcqut

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b4127e52c665a281752581179575430_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2980
  • C:\Windows\system32\pcaui.exe
    C:\Windows\system32\pcaui.exe
    1⤵
      PID:2396
    • C:\Windows\system32\mshta.exe
      C:\Windows\system32\mshta.exe
      1⤵
        PID:2548
      • C:\Windows\system32\dpapimig.exe
        C:\Windows\system32\dpapimig.exe
        1⤵
          PID:2432
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Wgmi.cmd
          1⤵
            PID:2480
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{af200ed5-1aeb-7147-dc8f-85fa319e0b86}"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1764
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{af200ed5-1aeb-7147-dc8f-85fa319e0b86}"
              2⤵
                PID:2668
            • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
              C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
              1⤵
                PID:2700
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\P2QLF0.cmd
                1⤵
                • Drops file in System32 directory
                PID:2672
              • C:\Windows\System32\eventvwr.exe
                "C:\Windows\System32\eventvwr.exe"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:2800
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\QHHOjp.cmd
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1448
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Create /F /TN "Cnmwowrqih" /SC minute /MO 60 /TR "C:\Windows\system32\8714\SystemPropertiesDataExecutionPrevention.exe" /RL highest
                    3⤵
                    • Creates scheduled task(s)
                    PID:2924

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\7L1C96.tmp
                Filesize

                756KB

                MD5

                97723fb9610e40a11964469250420874

                SHA1

                9a54221c98f65c581c2a5810e7fb8758a093635f

                SHA256

                cea426e001921e8047794596e9e602515170a05e0223656b0b64ebf5278dbec7

                SHA512

                c894557cf6ace02e7c7c4870471a299f082495aff99ec3f665ab4706efb5bc25c5c19d3a04073c52091281a23461b2803384fee61bcc7550823cc1ca1f383098

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\P2QLF0.cmd
                Filesize

                223B

                MD5

                5fbbe9b63b82a45f5b8c0583a81554a1

                SHA1

                b0aa9c1ae0beae525de1cd13f2e29a283b24e317

                SHA256

                a2bafb2ebd9ded1056b9788697685accc169e3225352a26214c5d04a9523c1b9

                SHA512

                74a87d9e85a61474764a01245002828681d352b135711b9acdcdfe9e67a70ef5bd7a15750a7800d4ee7293cb280f909e79982d0d998fc12339275c5665ec186b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\QHHOjp.cmd
                Filesize

                160B

                MD5

                d4d41d452c4287859182f05d90ec95da

                SHA1

                2605a6aef3b30cd48bf81ed365365f76cd2870bf

                SHA256

                79bb4264924bf6ed81751b000fdf82a102f5360cd62c1fd6604ee48adf601c82

                SHA512

                bc5de4fec5d7195d3be19a80c116ff5c3f4ac6c2a85c6f0979d18d8195f452cb6900edfb20e9fa2ab233081b6b94668ebc755a725d1a94161dcd29cc621b8c44

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Wgmi.cmd
                Filesize

                224B

                MD5

                d46612f4c4d2af5fb0d23ed56c12d1da

                SHA1

                90e0e65d457392d2bf1a9f7fdff6bcf85b459393

                SHA256

                051c11ac2bac1380715078897d3f6b48607bbb189337b757a6995d28650eb3a3

                SHA512

                d2ea46963521f86d2d247df3745d2ecbc46936b2e1dcc4e523ffe1e97d9a46e2ea0e58897724b6f41a08dcc9c6ac3e7264846bf7beba221cacd0fa7e157f1f86

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c1C09.tmp
                Filesize

                960KB

                MD5

                bbd7a79cdd1b3561f3e7463503de4a77

                SHA1

                1006f89a45426548061518d85d8cd79360877e3c

                SHA256

                b13284bf457705aa8954bf355176832559c1927b2fda394eee287931d5cdff62

                SHA512

                a1a26ad8bc6eeda49790c7fe73500716502b65768ea79ccc2dd6b9a92ac4c71c9cd9b19a99040b87e38540e8bd74f5391cca6809e85634c41b7d6f969747d67c

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aknlhzir.lnk
                Filesize

                876B

                MD5

                3a2ac8f6ccf35d815396578fb630a610

                SHA1

                2d44fbf928cb480f1d235f57bffbcb9fb7a41918

                SHA256

                f43234325cd01a9a5992ded7a37e2e96876281f1324725534e06a2702084afa2

                SHA512

                8239b0ee8bf713b0817f939ba7659e64ed5ce1f859fd4f128bba9b4cb18357247783aae99c13b14d216ff710efec1d4c73eae393bd183be62a62e235b586ab94

                Download Submit

              • C:\Users\Admin\AppData\Roaming\xRNN\dpapimig.exe
                Filesize

                73KB

                MD5

                0e8b8abea4e23ddc9a70614f3f651303

                SHA1

                6d332ba4e7a78039f75b211845514ab35ab467b2

                SHA256

                66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

                SHA512

                4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

                Download Submit

              • memory/1200-13-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-9-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-30-0x00000000024D0000-0x00000000024D7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1200-29-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-22-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-19-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-18-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-17-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-16-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-15-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-14-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-94-0x0000000077596000-0x0000000077597000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1200-12-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-11-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-10-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-21-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-31-0x00000000777A1000-0x00000000777A2000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1200-40-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-46-0x0000000077900000-0x0000000077902000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1200-47-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-45-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-44-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-20-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-7-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-8-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/1200-3-0x0000000077596000-0x0000000077597000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1200-4-0x00000000024F0000-0x00000000024F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2980-6-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/2980-2-0x00000000000A0000-0x00000000000A7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2980-0-0x0000000140000000-0x00000001400BC000-memory.dmp

                Filesize

                752KB

                Download