cf056eef42c6c29e6f04e592c0a01fd04224e19dc2e3920e6631d7b1061d74a4

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a8e5a3af4ea20df121c53aef8131e60_NeikiAnalytics.dll
Size

472KB
MD5

4a8e5a3af4ea20df121c53aef8131e60
SHA1

95052233e658df40c50e241bdb8bc0af96964642
SHA256

cf056eef42c6c29e6f04e592c0a01fd04224e19dc2e3920e6631d7b1061d74a4
SHA512

955dd4091944792842f51de3006f9313e2e4a740fd71db28f169b87c7144876246255d293c0b2fc70a1c605710d1f94a2fec1ff3e17ca0dc86ae6446ee93ba1a
SSDEEP

6144:4i05kH9OyU2uv5SRf/FWgFgtH+gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukE:LrHGPv5SmptHDDmUWuVZkxikdXcq

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ihmks = "\"C:\\Users\\Admin\\AppData\\Roaming\\bNoDvW\\quickassist.exe\""	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\8619\dxgiadaptercache.exe	cmd.exe
File opened for modification	C:\Windows\system32\8619\dxgiadaptercache.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1084	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\OIN.cmd"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\ms-settings	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
1032	rundll32.exe
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3408	Process not Found

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 3868	3408	Process not Found	88
PID 3408 wrote to memory of 3868	3408	Process not Found	88
PID 3408 wrote to memory of 3468	3408	Process not Found	89
PID 3408 wrote to memory of 3468	3408	Process not Found	89
PID 3408 wrote to memory of 5000	3408	Process not Found	90
PID 3408 wrote to memory of 5000	3408	Process not Found	90
PID 3408 wrote to memory of 4464	3408	Process not Found	91
PID 3408 wrote to memory of 4464	3408	Process not Found	91
PID 3408 wrote to memory of 828	3408	Process not Found	92
PID 3408 wrote to memory of 828	3408	Process not Found	92
PID 3408 wrote to memory of 4004	3408	Process not Found	94
PID 3408 wrote to memory of 4004	3408	Process not Found	94
PID 4004 wrote to memory of 4532	4004	cmd.exe	96
PID 4004 wrote to memory of 4532	4004	cmd.exe	96
PID 3408 wrote to memory of 1008	3408	Process not Found	97
PID 3408 wrote to memory of 1008	3408	Process not Found	97
PID 3408 wrote to memory of 4828	3408	Process not Found	98
PID 3408 wrote to memory of 4828	3408	Process not Found	98
PID 3408 wrote to memory of 4552	3408	Process not Found	100
PID 3408 wrote to memory of 4552	3408	Process not Found	100
PID 4552 wrote to memory of 4008	4552	fodhelper.exe	101
PID 4552 wrote to memory of 4008	4552	fodhelper.exe	101
PID 4008 wrote to memory of 1084	4008	cmd.exe	103
PID 4008 wrote to memory of 1084	4008	cmd.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a8e5a3af4ea20df121c53aef8131e60_NeikiAnalytics.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1032

C:\Windows\system32\AppHostRegistrationVerifier.exe
C:\Windows\system32\AppHostRegistrationVerifier.exe
1⤵
PID:3868

C:\Windows\system32\DataExchangeHost.exe
C:\Windows\system32\DataExchangeHost.exe
1⤵
PID:3468

C:\Windows\system32\RemotePosWorker.exe
C:\Windows\system32\RemotePosWorker.exe
1⤵
PID:5000

C:\Windows\system32\quickassist.exe
C:\Windows\system32\quickassist.exe
1⤵
PID:4464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\NgQHVtz.cmd
1⤵
PID:828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{c8fa0120-b654-32d4-0e47-613d2c4281e9}"
1⤵
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{c8fa0120-b654-32d4-0e47-613d2c4281e9}"
  2⤵
  PID:4532

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:1008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\REFgl.cmd
1⤵
- Drops file in System32 directory
PID:4828

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\OIN.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Arqdxytqgr" /SC minute /MO 60 /TR "C:\Windows\system32\8619\dxgiadaptercache.exe" /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1jN4806.tmp

Filesize
476KB

MD5
553058ed9c9a8ec828bb4326de16d121

SHA1
673b358279b38adbdc5415c41fc37a8b12f41985

SHA256
2e6463e2d2fc455049a30066ccebd59eb737ce43dfd51815eb07ecad238b8dc5

SHA512
9aa695a5a00555032989f143f192738f3297d722c3d0c204b10b1eb815978a4cdb2cc3c12bd382fc84944143e67042a4dae75bf0e4c07fdbc9672f1ee2d63a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\745D3.tmp

Filesize
476KB

MD5
9775be1278f63e7c02b5d273b1a6a256

SHA1
e2125b8a4ff0c5d0db382d2e8ab39045056142ee

SHA256
e15eafaab00a10c9cb214c6d3eaba830b5af0332c41cf45994008f46a4e5ab48

SHA512
1aef4da8f0fadad5427e462101110548ab52264f0aa3ef94d146e4d8f0f7915ff593a2ae7929196e4e736e8f8d1fbe0b267ef87494af94c5ba3d3d189ef57741

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgQHVtz.cmd

Filesize
235B

MD5
d7041c194caa607e0eba6d8354674cbd

SHA1
7eeb94e486fc7aa831531409c2c45af8f9077662

SHA256
952089be9491565a4c8b3c5aaf7311c8c2999b0615c36c41e868bbb93e301409

SHA512
eae8e470fb867423f904a2f5f6dd930b780b49191d7dfd0e9aa3517ab882b0a7db7b5f30d8f911eefb6698df37f259dd05da16ca375e9c16723bac40006cc15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OIN.cmd

Filesize
137B

MD5
54b51e509f4cec9fb727c778a9714f02

SHA1
1e29748712c91e5238c09fb659c6352735f88552

SHA256
2d6f83ed49170a36f11328327b05e5ff0fb56c3e4bf958ec9e0d5479cba808b3

SHA512
c4cd9f7cd32917ecec2e8ef30aca812c41e376fc46ba00549ebfc9bb4480261d865dfb1e94cbc50f93e23f79ea0fe044d68fefb05a35c51ed68c8f524936ce35

Download Submit
C:\Users\Admin\AppData\Local\Temp\REFgl.cmd

Filesize
200B

MD5
eb22012ff44002baba2f977d9260b34b

SHA1
0d9ebd418a00a497c0f47efafebfdaf4911bfa5c

SHA256
414e2e7016a94cb151ac8ffead6a25805412e4feac9b84d1aa39ae196ede3382

SHA512
5a6f990293693f70fedb5ef75f2b8e57025abe76063168f76282257cf50dfaedb4477eda86e8ad5d0975d2b060ea958fef7159d4e7329d7dd7cee1b3ff4c6e8a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ihmks.lnk

Filesize
924B

MD5
e99eacac38ad5da4344b9c1b5b478fe2

SHA1
883fdb01a5bd0314c00586dcaaa974fd63c95199

SHA256
9997c2cb3e56d065290a2bb23cfb9ed96452a23cb53a90243d5682f5b79d929e

SHA512
38a8a26e1b9500c10b67abe47daed3ad8331e31945b7553d50b4c7c88886236daa6b654b9810269ba690e63fea47476c6f60e6584e4fa93e6d5ea2757e817b2b

Download Submit
C:\Users\Admin\AppData\Roaming\bNoDvW\quickassist.exe

Filesize
665KB

MD5
d1216f9b9a64fd943539cc2b0ddfa439

SHA1
6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

SHA256
c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

SHA512
c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

Download Submit
memory/1032-0-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/1032-2-0x000001C093980000-0x000001C093987000-memory.dmp

Filesize
28KB

Download
memory/1032-6-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-17-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-8-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-19-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-18-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-38-0x0000000000930000-0x0000000000937000-memory.dmp

Filesize
28KB

Download
memory/3408-16-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-15-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-14-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-11-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-10-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-9-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-36-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-7-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-39-0x00007FFEFAF20000-0x00007FFEFAF30000-memory.dmp

Filesize
64KB

Download
memory/3408-27-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-20-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-48-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-13-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-12-0x0000000140000000-0x0000000140076000-memory.dmp

Filesize
472KB

Download
memory/3408-5-0x00007FFEF926A000-0x00007FFEF926B000-memory.dmp

Filesize
4KB

Download
memory/3408-3-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download