Overview

overview

7

Static

static

3

4a8e5a3af4...cs.dll

windows7-x64

7

4a8e5a3af4...cs.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/06/2024, 08:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a8e5a3af4ea20df121c53aef8131e60_NeikiAnalytics.dll

  • Size

    472KB

  • MD5

    4a8e5a3af4ea20df121c53aef8131e60

  • SHA1

    95052233e658df40c50e241bdb8bc0af96964642

  • SHA256

    cf056eef42c6c29e6f04e592c0a01fd04224e19dc2e3920e6631d7b1061d74a4

  • SHA512

    955dd4091944792842f51de3006f9313e2e4a740fd71db28f169b87c7144876246255d293c0b2fc70a1c605710d1f94a2fec1ff3e17ca0dc86ae6446ee93ba1a

  • SSDEEP

    6144:4i05kH9OyU2uv5SRf/FWgFgtH+gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukE:LrHGPv5SmptHDDmUWuVZkxikdXcq

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a8e5a3af4ea20df121c53aef8131e60_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2232
  • C:\Windows\system32\fontview.exe
    C:\Windows\system32\fontview.exe
    1⤵
      PID:2448
    • C:\Windows\system32\sdclt.exe
      C:\Windows\system32\sdclt.exe
      1⤵
        PID:2612
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\HXRejNk.cmd
        1⤵
          PID:2852
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{f88aa085-2df5-1d76-19b1-e998b140f7f3}"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{f88aa085-2df5-1d76-19b1-e998b140f7f3}"
            2⤵
              PID:2996
          • C:\Windows\system32\TSWbPrxy.exe
            C:\Windows\system32\TSWbPrxy.exe
            1⤵
              PID:2176
            • C:\Windows\system32\ucsvc.exe
              C:\Windows\system32\ucsvc.exe
              1⤵
                PID:2848
              • C:\Windows\system32\TpmInit.exe
                C:\Windows\system32\TpmInit.exe
                1⤵
                  PID:1236
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\1x9c.cmd
                  1⤵
                  • Drops file in System32 directory
                  PID:528
                • C:\Windows\System32\eventvwr.exe
                  "C:\Windows\System32\eventvwr.exe"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1372
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\IqH.cmd
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2188
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Create /F /TN "Trqxvscxs" /SC minute /MO 60 /TR "C:\Windows\system32\9215\TpmInit.exe" /RL highest
                      3⤵
                      • Creates scheduled task(s)
                      PID:2668

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\1x9c.cmd
                  Filesize

                  192B

                  MD5

                  f67a67ba5f89c249c01c19eec83fc1eb

                  SHA1

                  09d6bbc0bb8afff6b71a6a80850ef5e4478617a0

                  SHA256

                  09e2e7a891d7ae077a78125191ae7f8efac7e2488c987bc7b4328e29f39a49df

                  SHA512

                  6f5d0014e11b4ae142b8245afd5ae806a953f646a6c6d86f845cd65cd6fd102a2ae3a6cb7f0a04d9b186d370a2de93da5955be9264a32ca5f869ec73ddfe4dba

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\HXRejNk.cmd
                  Filesize

                  229B

                  MD5

                  651bdfab43914ac76fc873966fe20594

                  SHA1

                  f449ed87cd413402f43be13aa16742bac3719c41

                  SHA256

                  ae39f2ba9713e184b1e248bec3fafc4010092ff00c8706cbf39d56869233bda3

                  SHA512

                  a4639198d79bd8a5931b4c5c2d1def9f5ed7406377a06b5fd9b75143d75e2caec813c9ab739b5085cc720ac2c76a227ab3f5e871af5ebe50e4b7f0bb3a3a598e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IqH.cmd
                  Filesize

                  127B

                  MD5

                  1c6c7eabe7bc6a9ce7b69db162ef9513

                  SHA1

                  cb9c7a7d329f76bc2b47a5065fd168ff0b458e2c

                  SHA256

                  2d1d6fe7555768fad38594ae4f7c74b9670f58c311ea431e3ab906928976d6eb

                  SHA512

                  79b79a1e17eef1df40d5a772a09900143363e59214892c49856a24d7a5821fcc70e77d67c5796e00dbe82f8982c6b57831bd7d4555e7326ac61840a5c2ec0800

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\LzH9E33.tmp
                  Filesize

                  476KB

                  MD5

                  069d9fe10066bcbf4497733f1a1da6a0

                  SHA1

                  a4825345cdeee39b0984e0a230e3b003e0c6d4a6

                  SHA256

                  16c71b8fd3d54aebb550258f27fef6f31f1295108638a4903156482e841d94eb

                  SHA512

                  8ecacc06f684ceae00335d22bbd4720876fe6574b2bdb728f16b4a29289b22e2bd62fae36be98efa01fc427e27dfa353b92aeac93b3b38bffcf4499dd46bbe2b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\xA056.tmp
                  Filesize

                  476KB

                  MD5

                  2014d0080db56ba5e6ad222195e75a06

                  SHA1

                  064319a79a688b07ee3b4fa87afeaaa987ceb592

                  SHA256

                  9190d264dd41b95e24065f1d0ecc7da41e45c8c8b36e4e1040ce756e21920c38

                  SHA512

                  2358f85b212ca10e81974e80d347f0f1535f98eb5c1fdeed9837386d3eb3e816296c61ee39764f57cf795ceb97294eca73db5307ea96d2a106fef02b61c900ec

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\3Mx1X\sdclt.exe
                  Filesize

                  1.2MB

                  MD5

                  cdebd55ffbda3889aa2a8ce52b9dc097

                  SHA1

                  4b3cbfff5e57fa0cb058e93e445e3851063646cf

                  SHA256

                  61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

                  SHA512

                  2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Uxhwu.lnk
                  Filesize

                  864B

                  MD5

                  44581b5922f0a825a9fd1e8b6eec4dad

                  SHA1

                  d43de84542a356ef3422290e789ae8a343b6ce6f

                  SHA256

                  405ae3ecf65ab8532f909e81415210b837fa4bc9dde3568d8039db3042355569

                  SHA512

                  2fb7057d1e3beb84c0ccda106ba4cae34c111e52e47b8e5c8648f986cd5c9cab2698f5d6ebfb6d9f55ced51b19c074a4f02f839f79bea5c0fb6a56669478e9cf

                  Download Submit

                • memory/1408-13-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-28-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-20-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-19-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-18-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-17-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-16-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-15-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-14-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-91-0x00000000772E6000-0x00000000772E7000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1408-12-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-11-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-9-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-27-0x0000000002550000-0x0000000002557000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1408-29-0x00000000773F1000-0x00000000773F2000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1408-38-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-39-0x0000000077550000-0x0000000077552000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1408-44-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-10-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-8-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-7-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/1408-3-0x00000000772E6000-0x00000000772E7000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1408-4-0x0000000002570000-0x0000000002571000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2232-6-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/2232-0-0x0000000140000000-0x0000000140076000-memory.dmp

                  Filesize

                  472KB

                  Download

                • memory/2232-2-0x00000000003E0000-0x00000000003E7000-memory.dmp

                  Filesize

                  28KB

                  Download