Overview

overview

7

Static

static

3

06038fedf2...cs.dll

windows7-x64

7

06038fedf2...cs.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    11/06/2024, 21:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    06038fedf29979d267f9663315865c20_NeikiAnalytics.dll

  • Size

    496KB

  • MD5

    06038fedf29979d267f9663315865c20

  • SHA1

    c7b03dc841966e43a4d788848412c3e39cd42033

  • SHA256

    13c23529ee4ebea3fef8f77517e07c7d8392729e48b72fb289b241113763c9f0

  • SHA512

    e24f3f831f9a40d598c9272b5e383a286f4bff57b4b359177030f7017f6fac9b2561de98cb8129a982748d07a98f687137cd2ab45c21357cb4bddc978f945465

  • SSDEEP

    6144:ui05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTg:BrHGPv5Smpt6DmUWuVZkxikdXcq

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\06038fedf29979d267f9663315865c20_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1424
  • C:\Windows\system32\wsmprovhost.exe
    C:\Windows\system32\wsmprovhost.exe
    1⤵
      PID:2728
    • C:\Windows\system32\VSSVC.exe
      C:\Windows\system32\VSSVC.exe
      1⤵
        PID:2832
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\B0C.cmd
        1⤵
          PID:2196
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6a238b75-ab6b-0508-5bd0-5c205cafaf63}"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{6a238b75-ab6b-0508-5bd0-5c205cafaf63}"
            2⤵
              PID:2184
          • C:\Windows\system32\rrinstaller.exe
            C:\Windows\system32\rrinstaller.exe
            1⤵
              PID:2332
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\QLylw.cmd
              1⤵
              • Drops file in System32 directory
              PID:1904
            • C:\Windows\System32\eventvwr.exe
              "C:\Windows\System32\eventvwr.exe"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2812
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\hTbdi.cmd
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2780
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Create /F /TN "Hplnwst" /SC minute /MO 60 /TR "C:\Windows\system32\5023\rrinstaller.exe" /RL highest
                  3⤵
                  • Creates scheduled task(s)
                  PID:2856

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\25E2A2D.tmp
                    Filesize

                    504KB

                    MD5

                    baa3f524475218894bafc5013c3bbdf4

                    SHA1

                    612380c3e22146f052482dbf7d56f499f7fa2958

                    SHA256

                    120a71dc02c8dc8407364a44ec6ef546dd41209cd7aeb324321e6f93c6b029d0

                    SHA512

                    aa1bd3b9d1309fab6e6c3f1ca247c4e7ec61910c98909b8021806e7311e60800b804dbd740038926e6d48a871126d75d899febbfc7f18da0115d17cdd75e4157

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\B0C.cmd
                    Filesize

                    224B

                    MD5

                    5b5fa812a6d447b3d77b97f8e943d17c

                    SHA1

                    800fed7b88b61214fe881561431fbe4134a771b1

                    SHA256

                    fb677b31a19804e74cc11944d0669bc8f1b69e4eb4d8a99810bda20a8c3fccbe

                    SHA512

                    cd370b4aff12b011a0c711a096aa673861fa2957568b00ff550af82a3b015e55ac542953b9b949cc323954595b4cfec119527965847366cda730532b6614bf33

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\QLylw.cmd
                    Filesize

                    197B

                    MD5

                    4c61c1823508360942f0ff5841d68515

                    SHA1

                    80d2f7c478909f5ba40157b4a9f9f5d839a3d174

                    SHA256

                    4b31c556ca83bd31f55ce164652ed43e23abc4b22695e32348fe0d79c4609057

                    SHA512

                    b26ed2d8f03ac572b1b190a959657d8b0f5c6815c6aead6f245251134ca2f0dfc47b0e8f72c03e1652f26352c16e9ac62eb1ef4d4440f201292e282e9d773f57

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\T8D27FA.tmp
                    Filesize

                    500KB

                    MD5

                    b4b5c0ec47711c2448ea920b8d93019e

                    SHA1

                    744b5ae770b9e43b0ea8efdcca4f1ccd7cad6b35

                    SHA256

                    011924f11144fccdcc7f26a8ea35600b27aa94714780eb9b43d46b1c38bb6a39

                    SHA512

                    34ae369d58d41f2bff257a0411c3d0dde36da6c11db14461733f0a81e0e36334bf9a9818b04a2e7923b6a1a9e0af08468a0989cd04c655f2c4c42f2d1fe72da3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\hTbdi.cmd
                    Filesize

                    129B

                    MD5

                    28de8a6a241e5f4dd1c12bed2b2d909d

                    SHA1

                    9d237dffdd94c15791b9f3a943e7f510bd086867

                    SHA256

                    d29c39eabca8a3d8153fc44d9a2d4851d03403f05ea8a23e6e988c49304629c3

                    SHA512

                    ca7c36df4aa72c075c414bdb30ec4e6db0e4e0b9c6d0bbad5171da3452fdcc5b1a22f95c48db6cfd2609086c189f09296b6b3fb6c75608730d39ba497ea003b0

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gdussggr.lnk
                    Filesize

                    864B

                    MD5

                    e0d47cc9af5e2bafa92a52bf90e267d3

                    SHA1

                    ec4e82d4e5660b186696a7a19b97260fce3f3a42

                    SHA256

                    d3eac766d80ed356c06fc427aa177e867d5511bca5f8566650a48e09506e8730

                    SHA512

                    f11a73ff364d2566315bcaafc47c6846783db2c3c20ebc7373c011b94e614e82a01707c3a3d68dfdaf98ef80a143369a334b0284dabe364472a9c7f3d01292ab

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\yhnQN\VSSVC.exe
                    Filesize

                    1.5MB

                    MD5

                    b60ba0bc31b0cb414593e169f6f21cc2

                    SHA1

                    1d6f5a5de7154b75144c6a033c36fd86ff2bbe9b

                    SHA256

                    47b801e623254cf0202b3591cb5c019cabfb52f123c7d47e29d19b32f1f2b915

                    SHA512

                    1c194674435e3a9ae7eb3475f6f3d4a82eddd04d3d06a2b1858edfe9830a989cbd474395f700bc7a68870f685c431304cf3a67f31169ef699fb575a831b49531

                    Download Submit

                  • memory/1208-15-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-11-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-33-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-26-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-25-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-24-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-23-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-22-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-21-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-19-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-18-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-17-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-16-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-98-0x0000000077A36000-0x0000000077A37000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1208-14-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-13-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-12-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-34-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/1208-10-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-9-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-35-0x0000000077C41000-0x0000000077C42000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1208-44-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-46-0x0000000077DA0000-0x0000000077DA2000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1208-50-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-51-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-20-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-7-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-8-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1208-3-0x0000000077A36000-0x0000000077A37000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1208-4-0x0000000002D10000-0x0000000002D11000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1424-6-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download

                  • memory/1424-2-0x0000000001D50000-0x0000000001D57000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/1424-0-0x0000000140000000-0x000000014007C000-memory.dmp

                    Filesize

                    496KB

                    Download