Overview

overview

7

Static

static

3

190bae0b18...cs.dll

windows7-x64

7

190bae0b18...cs.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/06/2024, 14:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    190bae0b183e13a654588366c5ca07d0_NeikiAnalytics.dll

  • Size

    524KB

  • MD5

    190bae0b183e13a654588366c5ca07d0

  • SHA1

    97b8da075134a7ab61c6c6b50ac357a92a42dad6

  • SHA256

    6e0446640483ca2a1d0d531ed788c251b03fe573b95969bf5b1a60c4759bd0e3

  • SHA512

    1c83c7456932b0b6e701df39d4493b315e0896827a74f942fcd801b883b6991b354bef15e14459bde6fcda9f00b835e88db847696ff5ffece1464b13190070bc

  • SSDEEP

    6144:/i05kH9OyU2uv5SRf/FWgFgtYgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:6rHGPv5SmptFDmUWuVZkxikdXcq

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\190bae0b183e13a654588366c5ca07d0_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1664
  • C:\Windows\system32\fvenotify.exe
    C:\Windows\system32\fvenotify.exe
    1⤵
      PID:2828
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\q3pCM.cmd
      1⤵
        PID:2396
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{f88aa085-2df5-1d76-19b1-e998b140f7f3}"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2392
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{f88aa085-2df5-1d76-19b1-e998b140f7f3}"
          2⤵
            PID:2156
        • C:\Windows\system32\TSWbPrxy.exe
          C:\Windows\system32\TSWbPrxy.exe
          1⤵
            PID:564
          • C:\Windows\system32\Utilman.exe
            C:\Windows\system32\Utilman.exe
            1⤵
              PID:1124
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\HnDL6.cmd
              1⤵
              • Drops file in System32 directory
              PID:572
            • C:\Windows\System32\eventvwr.exe
              "C:\Windows\System32\eventvwr.exe"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:1100
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\tcM5cNu.cmd
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:588
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Create /F /TN "Trqxvscxs" /SC minute /MO 60 /TR "C:\Windows\system32\2517\Utilman.exe" /RL highest
                  3⤵
                  • Creates scheduled task(s)
                  PID:2640

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\HnDL6.cmd
              Filesize

              190B

              MD5

              953c419501c7c0c81542111a7bff2702

              SHA1

              29b098d7b6f8566f6a7ed74493a50b855f8bca4a

              SHA256

              072199a04a1bd10862021e9fe90c32e5afc6fbd96e7cb1333a9739473eee8629

              SHA512

              14d69c3813d7cc5c1235be1d4544ec2674931ec04c2047d44391372e4c4e5f140d98f90bf1c4a36da9e9fec2650958b49c1439ce5e047c0c9190eb40d737ed70

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\QsA0D1.tmp
              Filesize

              528KB

              MD5

              991923a382c9fe08517d41cf8bbab05a

              SHA1

              0744bee2942d68dc86a74784c71ad22d326ffa29

              SHA256

              b0db07be931aab049f11b2dea3565fbb550162611743c123d43860ebc97772d2

              SHA512

              952dd5010d83730b0b62041b7307e59785c8de19200c2c033c46d33eb60ae3cdb53cd84c994498fd1779695831321c82bcd69c824d23051d5939d23cbf2a8d34

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\q3pCM.cmd
              Filesize

              233B

              MD5

              ec2383d801f56c8fe4ea761ee6d34d95

              SHA1

              85efc26c0feb910ed34527171d0ce4aa31b27a45

              SHA256

              10fb22d02c568cce8d1e4ccb9cb9a9b514111484e1ce3e4202f846af46cef090

              SHA512

              92a40fc18e82f70082ea9b785bc800e0f89af994114a88e4f4326ab12f21850e3b51d11e223277080f8051836adde0a04c4512e67643aa36b33152ca645d4ddd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tcM5cNu.cmd
              Filesize

              127B

              MD5

              4ef0a794a71b077c80d396c15883e895

              SHA1

              b98a72fad46e8023591fc4edcbe06ceabd0bff32

              SHA256

              708bbebab884cb3f7fe7cffd98749948877561648a8268489ce9473fb39ed9b9

              SHA512

              62de6f7c7eb52f1ea97e533b546f226bde93457b25d8f2a473255216ea44e7525d2c30d2615a50ea997b06da1a158c3116d8b0feae0e73b7519803d4667ae300

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\xA44C.tmp
              Filesize

              732KB

              MD5

              f187e40ada53cdfb9e6cf7cd9983cc3a

              SHA1

              347fc758d6e0abfb4399f648d2e33c0ff6d2048f

              SHA256

              933f709685279a93a0812de750321cd8575443f35f0c93f7bedea3d1e4854f7c

              SHA512

              a66295f57f7034b97b93e45dac9243ba5468fcc0f9a9383138927088a602df937b8500626841af0720110b7cc317cb71ab3d9635b605a085d84164400f8273e9

              Download Submit

            • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Uxhwu.lnk
              Filesize

              894B

              MD5

              f7e910515720ae290c719753bdd71173

              SHA1

              a1a9346ca7a17390bf236c31df30af4efaa8eeec

              SHA256

              5e9e9870971a54ed3a12759356a35ca583227d0575f84f1f0770111e8efea891

              SHA512

              f1c977c8cf3f37d4574c797f6d2dd699e6c41a1e862dbac95725f54bdfa2a5edc85481a38466dc497bdcb2938e34c9237e5376b4709df8cd14bac30f4920f02c

              Download Submit

            • \Users\Admin\AppData\Roaming\TTL4XhD\fvenotify.exe
              Filesize

              117KB

              MD5

              e61d644998e07c02f0999388808ac109

              SHA1

              183130ad81ff4c7997582a484e759bf7769592d6

              SHA256

              15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

              SHA512

              310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

              Download Submit

            • memory/1260-18-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-36-0x0000000077901000-0x0000000077902000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1260-7-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-27-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-35-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-34-0x0000000002A20000-0x0000000002A27000-memory.dmp

              Filesize

              28KB

              Download

            • memory/1260-26-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-24-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-23-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-22-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-21-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-20-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-19-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-96-0x00000000777F6000-0x00000000777F7000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1260-17-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-16-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-15-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-10-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-14-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-13-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-12-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-11-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-45-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-50-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-8-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-9-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-25-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-51-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1260-46-0x0000000077A60000-0x0000000077A62000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1260-3-0x00000000777F6000-0x00000000777F7000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1260-4-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1664-6-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download

            • memory/1664-2-0x0000000000090000-0x0000000000097000-memory.dmp

              Filesize

              28KB

              Download

            • memory/1664-0-0x0000000140000000-0x0000000140083000-memory.dmp

              Filesize

              524KB

              Download