Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/06/2024, 16:00
Behavioral task: behavioral1
Sample: 6a3cda6d9250fc2f76f9cfdc34ce28d0_NeikiAnalytics.dll
Resource: win7-20240221-en
5 signatures
150 seconds

Behavioral task: behavioral2
Sample: 6a3cda6d9250fc2f76f9cfdc34ce28d0_NeikiAnalytics.dll
Resource: win10v2004-20240226-en
4 signatures
150 seconds
General
Target: 6a3cda6d9250fc2f76f9cfdc34ce28d0_NeikiAnalytics.dll
Size: 76KB
MD5: 6a3cda6d9250fc2f76f9cfdc34ce28d0
SHA1: f895459d5442044cfd8a87d7a0aa872a97d5fc73
SHA256: 797c6fe62d1604c8206760e8c19302c195a1fe46b37bae87eea9c551d3f37db9
SHA512: 6b0beb5db1c1a4b105e7b55c4df01fe9f25e9f8027cdd5b44c77ada41b3b86869d1f85959bb9b05800a6184f66bf21e64543ad0760d6b3afb3c94dabbe855721
SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZdUVr:c8y93KQjy7G55riF1cMo03Er
Score: 7/10
Malware Config
Signatures
- resource | yara_rule
  behavioral2/memory/2636-0-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral2/memory/2636-1-0x0000000010000000-0x0000000010030000-memory.dmp | upx
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  3764 | 2636 | WerFault.exe | 90
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2636 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 648 wrote to memory of 2636 | 648 | rundll32.exe | 90
  PID 648 wrote to memory of 2636 | 648 | rundll32.exe | 90
  PID 648 wrote to memory of 2636 | 648 | rundll32.exe | 90
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a3cda6d9250fc2f76f9cfdc34ce28d0_NeikiAnalytics.dll,#1
  PID: 648
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a3cda6d9250fc2f76f9cfdc34ce28d0_NeikiAnalytics.dll,#1
    PID: 2636
    Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 696
      PID: 3764
      Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2636 -ip 2636
  PID: 4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
  PID: 4420