92fd5c4a7684b87c475dce2a21514927521446db995b70db5c1a42ad310724d8

General

Target

281c18e8a521294e12700f0d705cc190_NeikiAnalytics.dll
Size

500KB
MD5

281c18e8a521294e12700f0d705cc190
SHA1

f7199b31f54c53f7cadfd8274bfafb84f963659b
SHA256

92fd5c4a7684b87c475dce2a21514927521446db995b70db5c1a42ad310724d8
SHA512

f5b33867bed7c5aac2cda9b2ab3973e1206b35ec905080d0f6a97da05bc7e78f59cd167b3b4c5bd206be3679768fcebda2be12be7136d998809a5e36fa4b42f1
SSDEEP

6144:hi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:krHGPv5SmptZDmUWuVZkxikdXcq

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1144	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "\"C:\\Users\\Admin\\AppData\\Roaming\\05Upo\\Magnify.exe\""	Process not Found

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2440	rundll32.exe
2440	rundll32.exe
1144	Process not Found
1144	Process not Found

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2396	1144	Process not Found	28
PID 1144 wrote to memory of 2396	1144	Process not Found	28
PID 1144 wrote to memory of 2396	1144	Process not Found	28
PID 1144 wrote to memory of 2612	1144	Process not Found	29
PID 1144 wrote to memory of 2612	1144	Process not Found	29
PID 1144 wrote to memory of 2612	1144	Process not Found	29
PID 1144 wrote to memory of 2532	1144	Process not Found	30
PID 1144 wrote to memory of 2532	1144	Process not Found	30
PID 1144 wrote to memory of 2532	1144	Process not Found	30
PID 1144 wrote to memory of 2356	1144	Process not Found	31
PID 1144 wrote to memory of 2356	1144	Process not Found	31
PID 1144 wrote to memory of 2356	1144	Process not Found	31
PID 1144 wrote to memory of 2432	1144	Process not Found	32
PID 1144 wrote to memory of 2432	1144	Process not Found	32
PID 1144 wrote to memory of 2432	1144	Process not Found	32
PID 1144 wrote to memory of 1188	1144	Process not Found	34
PID 1144 wrote to memory of 1188	1144	Process not Found	34
PID 1144 wrote to memory of 1188	1144	Process not Found	34
PID 1188 wrote to memory of 1280	1188	cmd.exe	36
PID 1188 wrote to memory of 1280	1188	cmd.exe	36
PID 1188 wrote to memory of 1280	1188	cmd.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\281c18e8a521294e12700f0d705cc190_NeikiAnalytics.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Windows\system32\colorcpl.exe
C:\Windows\system32\colorcpl.exe
1⤵
PID:2396

C:\Windows\system32\systray.exe
C:\Windows\system32\systray.exe
1⤵
PID:2612

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
1⤵
PID:2532

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:2356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\CEZ.cmd
1⤵
PID:2432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{0f3f26ce-e23a-888f-036b-ddb6939885d4}"
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{0f3f26ce-e23a-888f-036b-ddb6939885d4}"
  2⤵
  PID:1280

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\0ug.cmd
1⤵
PID:2412

C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
1⤵
PID:2676
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\2gYol5d.cmd
  2⤵
  PID:2700
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Lizdxxpaecrde" /SC minute /MO 60 /TR "C:\Windows\system32\2071\wscript.exe" /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ug.cmd

Filesize
193B

MD5
94f2b46088819ff6c544db35e20bc926

SHA1
d288e3f2319e22631012617f0fc22741361d98b4

SHA256
f669c4cd5016d9d18374ca4cba9f1e3e570ec73e6037ba51064fe34e7cb9cf5f

SHA512
4489c304258de5b2ec9eff6edbd79cf1d75071626b3419d12afe961332c050922640783a38ccc9457fcbbe24b094848c9b9a3d9af717ed17406034b3f1fde1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gYol5d.cmd

Filesize
131B

MD5
618c51dd7db5f9a0acae9fe9cd96d901

SHA1
5608a02086ab2aaa9164675c3aff23e7c77e8576

SHA256
7894917796cececdd5d571123c928cb848705ec33005f041650fdb7d3e8599d3

SHA512
0b2055ebdc7b6671bf451c2fa5733caa1054d1c33da9812341a1dd3395db643c7200eec2c52693700b238a2bed46434cda704405ebbee30439913730fd2773da

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEZ.cmd

Filesize
234B

MD5
69813d45dbf0bea2da8432c887f3001a

SHA1
8d707f2e031f9812c1c9a4201ca8ca5b496fa5d0

SHA256
3ac8eb18832dddafa7b8df92cb9d4727a9c84c21bd4b60644e585f25a35d39dc

SHA512
5fe299b19d5b54fd26151e05835ebbb735ce20c41c9018ccf76b0fa4e5d7adc5ba043e640a83dad55c6ffcc1239ca406f1e3eef66505d6ce93db1538406a1177

Download Submit
C:\Users\Admin\AppData\Local\Temp\H2359.tmp

Filesize
504KB

MD5
252ec940db612ab6a9c082ce7580fa94

SHA1
226a35322ef892978bdded412567eac92b4f914c

SHA256
4301ee67453e0d164fef3faa2c2166bff7307479c8c39e46a8d637e4348ab977

SHA512
6067f7e4438ce1711730554f8e993877f3b2725633fd4681e4c2963069c8c42a58f9c4bfbb7d3135059371980aed75bc0d93c4b715fce6b36acd12a1a07e14d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mE23A8.tmp

Filesize
504KB

MD5
1008e1f73d4439836106ee8ad28b203f

SHA1
66845d9fce034558766649367bf715b5ab17c697

SHA256
085c71f922d9fa9267bfecab47cd734e312ef75ed946bb6873eae6e99bc093cb

SHA512
8d7ea4914ac2759b95fc746a44f8a56435e015a6da952127af0508e726988ebf4af81ea1bd7b40a14991db256031bc01cbcac61902e53887d7a6bede80026f90

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Javhf.lnk

Filesize
878B

MD5
daad724b9a484921bd4dd948518cfffe

SHA1
ae2e01041fdbd06d2fb019decce9b12a0d31e0e0

SHA256
05abf2b3a2ad59261f89c2ced423f69658f4381ddce39a989711e13f825150eb

SHA512
5a43ad5a81a31e88064db98715b16070756646b8bc9c0cd86c0eaa09d6bf46701aa30b7d9124fd2d6b365d7813676325c1a9c3eede856c377785c23e9920978c

Download Submit
\Users\Admin\AppData\Roaming\05Upo\Magnify.exe

Filesize
637KB

MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
memory/1144-26-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-22-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-35-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-38-0x0000000077321000-0x0000000077322000-memory.dmp

Filesize
4KB

Download
memory/1144-18-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-100-0x0000000077116000-0x0000000077117000-memory.dmp

Filesize
4KB

Download
memory/1144-4-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1144-3-0x0000000077116000-0x0000000077117000-memory.dmp

Filesize
4KB

Download
memory/1144-50-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-49-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-47-0x0000000077480000-0x0000000077482000-memory.dmp

Filesize
8KB

Download
memory/1144-45-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-27-0x0000000002140000-0x0000000002147000-memory.dmp

Filesize
28KB

Download
memory/1144-7-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-25-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-24-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-23-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-28-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-21-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-20-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-19-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-17-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-16-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-15-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-14-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-13-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-12-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-11-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-10-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-9-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/1144-8-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/2440-0-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/2440-2-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/2440-6-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads