92fd5c4a7684b87c475dce2a21514927521446db995b70db5c1a42ad310724d8

Analysis

max time kernel
93s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

281c18e8a521294e12700f0d705cc190_NeikiAnalytics.dll
Size

500KB
MD5

281c18e8a521294e12700f0d705cc190
SHA1

f7199b31f54c53f7cadfd8274bfafb84f963659b
SHA256

92fd5c4a7684b87c475dce2a21514927521446db995b70db5c1a42ad310724d8
SHA512

f5b33867bed7c5aac2cda9b2ab3973e1206b35ec905080d0f6a97da05bc7e78f59cd167b3b4c5bd206be3679768fcebda2be12be7136d998809a5e36fa4b42f1
SSDEEP

6144:hi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:krHGPv5SmptZDmUWuVZkxikdXcq

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Esxju = "\"C:\\Users\\Admin\\AppData\\Roaming\\1AynlM\\Utilman.exe\""	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\3908\omadmclient.exe	cmd.exe
File created	C:\Windows\system32\3908\omadmclient.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4880	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\TjAyv6F.cmd"	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5100	rundll32.exe
5100	rundll32.exe
5100	rundll32.exe
5100	rundll32.exe
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found
3572	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3572	Process not Found
Token: SeCreatePagefilePrivilege	3572	Process not Found
Token: SeShutdownPrivilege	3572	Process not Found
Token: SeCreatePagefilePrivilege	3572	Process not Found
Token: SeShutdownPrivilege	3572	Process not Found
Token: SeCreatePagefilePrivilege	3572	Process not Found
Token: SeShutdownPrivilege	3572	Process not Found
Token: SeCreatePagefilePrivilege	3572	Process not Found
Token: SeShutdownPrivilege	3572	Process not Found
Token: SeCreatePagefilePrivilege	3572	Process not Found
Token: SeShutdownPrivilege	3572	Process not Found
Token: SeCreatePagefilePrivilege	3572	Process not Found
Token: SeShutdownPrivilege	3572	Process not Found
Token: SeCreatePagefilePrivilege	3572	Process not Found
Token: SeShutdownPrivilege	3572	Process not Found
Token: SeCreatePagefilePrivilege	3572	Process not Found
Token: SeShutdownPrivilege	3572	Process not Found
Token: SeCreatePagefilePrivilege	3572	Process not Found
Token: SeShutdownPrivilege	3572	Process not Found
Token: SeCreatePagefilePrivilege	3572	Process not Found
Token: SeShutdownPrivilege	3572	Process not Found
Token: SeCreatePagefilePrivilege	3572	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3572	Process not Found
3572	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3572	Process not Found

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 2784	3572	Process not Found	99
PID 3572 wrote to memory of 2784	3572	Process not Found	99
PID 3572 wrote to memory of 3580	3572	Process not Found	100
PID 3572 wrote to memory of 3580	3572	Process not Found	100
PID 3572 wrote to memory of 216	3572	Process not Found	101
PID 3572 wrote to memory of 216	3572	Process not Found	101
PID 3572 wrote to memory of 1952	3572	Process not Found	133
PID 3572 wrote to memory of 1952	3572	Process not Found	133
PID 3572 wrote to memory of 4212	3572	Process not Found	105
PID 3572 wrote to memory of 4212	3572	Process not Found	105
PID 4212 wrote to memory of 4572	4212	cmd.exe	108
PID 4212 wrote to memory of 4572	4212	cmd.exe	108
PID 3572 wrote to memory of 2076	3572	Process not Found	109
PID 3572 wrote to memory of 2076	3572	Process not Found	109
PID 3572 wrote to memory of 2740	3572	Process not Found	110
PID 3572 wrote to memory of 2740	3572	Process not Found	110
PID 3572 wrote to memory of 3824	3572	Process not Found	111
PID 3572 wrote to memory of 3824	3572	Process not Found	111
PID 3572 wrote to memory of 2292	3572	Process not Found	112
PID 3572 wrote to memory of 2292	3572	Process not Found	112
PID 3572 wrote to memory of 732	3572	Process not Found	113
PID 3572 wrote to memory of 732	3572	Process not Found	113
PID 3572 wrote to memory of 2196	3572	Process not Found	114
PID 3572 wrote to memory of 2196	3572	Process not Found	114
PID 3572 wrote to memory of 3328	3572	Process not Found	115
PID 3572 wrote to memory of 3328	3572	Process not Found	115
PID 3572 wrote to memory of 5108	3572	Process not Found	116
PID 3572 wrote to memory of 5108	3572	Process not Found	116
PID 3572 wrote to memory of 1276	3572	Process not Found	117
PID 3572 wrote to memory of 1276	3572	Process not Found	117
PID 3572 wrote to memory of 2764	3572	Process not Found	118
PID 3572 wrote to memory of 2764	3572	Process not Found	118
PID 3572 wrote to memory of 2300	3572	Process not Found	119
PID 3572 wrote to memory of 2300	3572	Process not Found	119
PID 3572 wrote to memory of 1144	3572	Process not Found	120
PID 3572 wrote to memory of 1144	3572	Process not Found	120
PID 3572 wrote to memory of 468	3572	Process not Found	121
PID 3572 wrote to memory of 468	3572	Process not Found	121
PID 3572 wrote to memory of 4856	3572	Process not Found	122
PID 3572 wrote to memory of 4856	3572	Process not Found	122
PID 3572 wrote to memory of 4116	3572	Process not Found	123
PID 3572 wrote to memory of 4116	3572	Process not Found	123
PID 3572 wrote to memory of 2388	3572	Process not Found	124
PID 3572 wrote to memory of 2388	3572	Process not Found	124
PID 3572 wrote to memory of 1948	3572	Process not Found	126
PID 3572 wrote to memory of 1948	3572	Process not Found	126
PID 1948 wrote to memory of 3564	1948	fodhelper.exe	127
PID 1948 wrote to memory of 3564	1948	fodhelper.exe	127
PID 3564 wrote to memory of 4880	3564	cmd.exe	129
PID 3564 wrote to memory of 4880	3564	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\281c18e8a521294e12700f0d705cc190_NeikiAnalytics.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5100

C:\Windows\system32\fixmapi.exe
C:\Windows\system32\fixmapi.exe
1⤵
PID:2784

C:\Windows\system32\RemotePosWorker.exe
C:\Windows\system32\RemotePosWorker.exe
1⤵
PID:3580

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\UQ4.cmd
1⤵
PID:1952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6fbc9e50-6a1b-17d9-5db5-133f618c672e}"
1⤵
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6fbc9e50-6a1b-17d9-5db5-133f618c672e}"
  2⤵
  PID:4572

C:\Windows\system32\xwizard.exe
C:\Windows\system32\xwizard.exe
1⤵
PID:2076

C:\Windows\system32\AppVShNotify.exe
C:\Windows\system32\AppVShNotify.exe
1⤵
PID:2740

C:\Windows\system32\wsmprovhost.exe
C:\Windows\system32\wsmprovhost.exe
1⤵
PID:3824

C:\Windows\system32\cleanmgr.exe
C:\Windows\system32\cleanmgr.exe
1⤵
PID:2292

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
1⤵
PID:732

C:\Windows\system32\wiawow64.exe
C:\Windows\system32\wiawow64.exe
1⤵
PID:2196

C:\Windows\system32\CompPkgSrv.exe
C:\Windows\system32\CompPkgSrv.exe
1⤵
PID:3328

C:\Windows\system32\audiodg.exe
C:\Windows\system32\audiodg.exe
1⤵
PID:5108

C:\Windows\system32\DTUHandler.exe
C:\Windows\system32\DTUHandler.exe
1⤵
PID:1276

C:\Windows\system32\PkgMgr.exe
C:\Windows\system32\PkgMgr.exe
1⤵
PID:2764

C:\Windows\system32\DeviceCensus.exe
C:\Windows\system32\DeviceCensus.exe
1⤵
PID:2300

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:1144

C:\Windows\system32\omadmprc.exe
C:\Windows\system32\omadmprc.exe
1⤵
PID:468

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
1⤵
PID:4856

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:4116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\vIj.cmd
1⤵
- Drops file in System32 directory
PID:2388

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\TjAyv6F.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Lgeeulo" /SC minute /MO 60 /TR "C:\Windows\system32\3908\omadmclient.exe" /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3924,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:8
1⤵
PID:992

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AZF6D3.tmp

Filesize
504KB

MD5
8794fb567bae1a86cacc94ca0a67bb15

SHA1
3f9ede9c80a713d7e0eb9e648169b7c7a78cde2e

SHA256
a22b26b7040fdcefd6af37e7dd77d852a35f50460e6c53c0b8d253d89cdd357e

SHA512
6782cc4f74d81b8b8551a968269a96ce3fb5a97f71bff9924cec5627d3c8b64dfb5153a23d3c1accb93b176879b8dc349010428a873947053a2daba190dd6188

Download Submit
C:\Users\Admin\AppData\Local\Temp\TjAyv6F.cmd

Filesize
129B

MD5
2a08edb3047cf2332658dc1c7bcc854b

SHA1
4430463d10564be7b536749f873251ab39bdf65c

SHA256
3d52e91669fd973949b50325fec67bdaed71012e5876c2ef428b2e28762d1c7a

SHA512
ba82975443169b7e5be14ac17aabd495bd56d93d847374f594525496607b9ff39da06e9819d4a2cdc6c773e4612964b345db2c385d90a3f5b891f415bf8892ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4.cmd

Filesize
231B

MD5
0b0d210162ae23653b743294f0b48c66

SHA1
fd0fda432122d397d968a40059860936a43ace3c

SHA256
eb1070c6cb3834fefceeddbe312b4852bfdcf7099568be161cc56985afa2860c

SHA512
9bbeb01998855fbcab9f606aca3c8852181ca5fa15e9d6b697bf9b3859629fb020fa7e1c16fa99a9bbf23e95313cd35cf2982301bfa073e3118f65697ec957dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0tF7CE.tmp

Filesize
504KB

MD5
4590c2d075437c9349d004156e1b516f

SHA1
62a0035f518da6f754f4ca7aa1820dcd1829eea9

SHA256
519ea94700fbf2c6147552e353dc0db00db75905f5ff5b4929f9a998c080b1b6

SHA512
3695334e820ca1dbe70c6c23ae93a1600ac735625636aab5975a887ac485ce76817945b8867615706dc652870e00ce5f0fcc313e1d97576667895c3db080763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIj.cmd

Filesize
198B

MD5
c6f69350ab1bdaa763c792b8cbdff085

SHA1
16826ae62ebb1834acba3e99c77b4aecde2e2858

SHA256
6c037a91fe2cf35ac93a4ba1fd709841d9c506d0db33956c60d91f753d068bf2

SHA512
f630921ad29decc71cb13ed4e2656083be0bf4649bc926693814b561e2179ec81e56af6e41ec32d710c404e322e07fdc85bf37db344f85bbd9c3931f67a52f04

Download Submit
C:\Users\Admin\AppData\Roaming\1AynlM\Utilman.exe

Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Esxju.lnk

Filesize
908B

MD5
c25088a7e9530a864287bf0dd21035bb

SHA1
b6c2e8b229196aa8c0e7cedb8371bfb618b31dbf

SHA256
653db550d632fb95a08e5d17c1dc0822b6b1b874881f34e876cd15e05a53be0b

SHA512
c6a78dbab78145fba25ad80489e3933b7dad0079c7c2b300cbaf3d33886155b119c0cba24c0fdfa7effe7f651b91debb2bac063eeade48edd1b73b8cade707e0

Download Submit
memory/3572-18-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-14-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-43-0x0000000002EC0000-0x0000000002EC7000-memory.dmp

Filesize
28KB

Download
memory/3572-27-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-25-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-24-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-23-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-22-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-21-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-46-0x00007FFA4E280000-0x00007FFA4E290000-memory.dmp

Filesize
64KB

Download
memory/3572-19-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-5-0x00007FFA4D2BA000-0x00007FFA4D2BB000-memory.dmp

Filesize
4KB

Download
memory/3572-17-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-16-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-15-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-44-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-13-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-12-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-11-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-10-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-9-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-8-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-7-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-34-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-55-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-26-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-20-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/3572-3-0x00000000086D0000-0x00000000086D1000-memory.dmp

Filesize
4KB

Download
memory/5100-6-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/5100-0-0x0000000140000000-0x000000014007D000-memory.dmp

Filesize
500KB

Download
memory/5100-2-0x000001F813B10000-0x000001F813B17000-memory.dmp

Filesize
28KB

Download