Analysis

max time kernel: 141s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07/06/2024, 16:00
Behavioral task: behavioral1
Sample: 6a3cda6d9250fc2f76f9cfdc34ce28d0_NeikiAnalytics.dll
Resource: win7-20240221-en
5 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 6a3cda6d9250fc2f76f9cfdc34ce28d0_NeikiAnalytics.dll
Resource: win10v2004-20240226-en
4 signatures, 150 seconds
General

Target: 6a3cda6d9250fc2f76f9cfdc34ce28d0_NeikiAnalytics.dll
Size: 76KB
MD5: 6a3cda6d9250fc2f76f9cfdc34ce28d0
SHA1: f895459d5442044cfd8a87d7a0aa872a97d5fc73
SHA256: 797c6fe62d1604c8206760e8c19302c195a1fe46b37bae87eea9c551d3f37db9
SHA512: 6b0beb5db1c1a4b105e7b55c4df01fe9f25e9f8027cdd5b44c77ada41b3b86869d1f85959bb9b05800a6184f66bf21e64543ad0760d6b3afb3c94dabbe855721
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZdUVr:c8y93KQjy7G55riF1cMo03Er
Score: 8/10
Malware Config

Signatures

Modifies AppInit DLL entries (2 TTPs)

  resource                                                              yara_rule
  behavioral1/memory/2988-0-0x0000000010000000-0x0000000010030000-memory.dmp   upx
  behavioral1/memory/2988-1-0x0000000010000000-0x0000000010030000-memory.dmp   upx
  behavioral1/memory/2988-2-0x0000000010000000-0x0000000010030000-memory.dmp   upx

Program crash (1 IoCs)

  pid    pid_target   Process        procid_target
  2468   2988         WerFault.exe   28

Suspicious use of AdjustPrivilegeToken (1 IoCs)

  description                pid    Process
  Token: SeDebugPrivilege    2988   rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)

  description                          pid    Process        procid_target
  PID 2460 wrote to memory of 2988     2460   rundll32.exe   28
  PID 2460 wrote to memory of 2988     2460   rundll32.exe   28
  PID 2460 wrote to memory of 2988     2460   rundll32.exe   28
  PID 2460 wrote to memory of 2988     2460   rundll32.exe   28
  PID 2460 wrote to memory of 2988     2460   rundll32.exe   28
  PID 2460 wrote to memory of 2988     2460   rundll32.exe   28
  PID 2460 wrote to memory of 2988     2460   rundll32.exe   28
  PID 2988 wrote to memory of 2468     2988   rundll32.exe   29
  PID 2988 wrote to memory of 2468     2988   rundll32.exe   29
  PID 2988 wrote to memory of 2468     2988   rundll32.exe   29
  PID 2988 wrote to memory of 2468     2988   rundll32.exe   29
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a3cda6d9250fc2f76f9cfdc34ce28d0_NeikiAnalytics.dll,#1
  PID: 2460
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a3cda6d9250fc2f76f9cfdc34ce28d0_NeikiAnalytics.dll,#1
    PID: 2988
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 340
      PID: 2468
      - Program crash