Overview

overview

7

Static

static

3

06038fedf2...cs.dll

windows7-x64

7

06038fedf2...cs.dll

windows10-2004-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06038fedf29979d267f9663315865c20_NeikiAnalytics.dll

  • Size

    496KB

  • MD5

    06038fedf29979d267f9663315865c20

  • SHA1

    c7b03dc841966e43a4d788848412c3e39cd42033

  • SHA256

    13c23529ee4ebea3fef8f77517e07c7d8392729e48b72fb289b241113763c9f0

  • SHA512

    e24f3f831f9a40d598c9272b5e383a286f4bff57b4b359177030f7017f6fac9b2561de98cb8129a982748d07a98f687137cd2ab45c21357cb4bddc978f945465

  • SSDEEP

    6144:ui05kH9OyU2uv5SRf/FWgFgtBgqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukTg:BrHGPv5Smpt6DmUWuVZkxikdXcq

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\06038fedf29979d267f9663315865c20_NeikiAnalytics.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:540
  • C:\Windows\system32\AppVShNotify.exe
    C:\Windows\system32\AppVShNotify.exe
    1⤵
      PID:4452
    • C:\Windows\system32\MoUsoCoreWorker.exe
      C:\Windows\system32\MoUsoCoreWorker.exe
      1⤵
        PID:4920
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\SrZsR.cmd
        1⤵
          PID:4360
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2824
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"
            2⤵
              PID:1008
          • C:\Windows\system32\MsSpellCheckingHost.exe
            C:\Windows\system32\MsSpellCheckingHost.exe
            1⤵
              PID:3516
            • C:\Windows\system32\Netplwiz.exe
              C:\Windows\system32\Netplwiz.exe
              1⤵
                PID:872
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Ubtd8LU.cmd
                1⤵
                • Drops file in System32 directory
                PID:640
              • C:\Windows\System32\fodhelper.exe
                "C:\Windows\System32\fodhelper.exe"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:8
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\jTI2i.cmd
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2840
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Create /F /TN "Niazd" /SC minute /MO 60 /TR "C:\Windows\system32\1154\Netplwiz.exe" /RL highest
                    3⤵
                    • Creates scheduled task(s)
                    PID:5028

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\I2o6988.tmp
                Filesize

                500KB

                MD5

                5dbd22330c0778b87ce3ed8147babdd7

                SHA1

                b931ec35af7f3c1a9e1c7e32c3e37630df22a6cb

                SHA256

                39f375339e42387d5d462d58d6d5a7ecb325c8119be46a24fe0b0ed6af0aee82

                SHA512

                3c89b0b69524921dfe8cac9f7265c86a1211d1c2278dd0f53c1580f0927c74ebdf781fb91453117226851f40bb6744ef285c4dd468e3f86157ca01512f9d9938

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\SrZsR.cmd
                Filesize

                242B

                MD5

                d586ce8f024648480a8e93472af44414

                SHA1

                825c05680543a0c7b4a71ee9123ea80bdab2aca3

                SHA256

                a415d5958a566f451ef23fd26ae17f5ec1d793d4d78f07ca1e1e86cd0a8e999d

                SHA512

                28b099f206e6217fa0173bed69a03e9f77b08694bc6ec678b298121203e7d5ba6df947d76c05bae5ca208a99df9a24f80d5db7b1b4992537dbfdabb860789f57

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Ubtd8LU.cmd
                Filesize

                196B

                MD5

                4d4de76b3df26ea81e2fdc1d24e7c9d8

                SHA1

                2fc18b1b781e6977e58ed34d4584b4bbe0a2ddd5

                SHA256

                c759b51f948e55db0a1ceffaaba3cf7860da1428c05ad6626a62cf3d11ebdb2f

                SHA512

                17575b1bef4dbd02415490dc0d5aadb454b43a486b2de447b59ee46c176ea4ae317fed87e99622765e015f1c515d7b8d2fab01be43b61f4b53a3eee774e15f26

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\jTI2i.cmd
                Filesize

                124B

                MD5

                186352ba3653ad0ab05b49207c3e2908

                SHA1

                2f83bb9ca648eaf9ba80beebf7e972cfa1bbded0

                SHA256

                8f7d7c4399077e1a9eb27c7bb52033847801996ba71a28b4c194296339424e75

                SHA512

                186a4c1b244f99de3e7c7f172dea3ba90b63096067a2e4188bfb919ae2aa47c34026e6807d235196b6f887b92a7dd402143a08e2dcfb08b2887d25d31f853dc0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\t068BC.tmp
                Filesize

                500KB

                MD5

                b431896c3c499ca42e3f2f23e351905a

                SHA1

                8af682cd64911bf2a51b26c48af609b30b284aee

                SHA256

                a9e3debce94f2e785044648c372b029ce9f7b3b90cac3421f8fc9f0cb9b96d23

                SHA512

                7bec7cf8687309048365fda930ef494529a2d50aeda3122d174f83b5e5afaacd5d324d48c57e163d9eb96ad221688ff42be940eb61d7913438736f3207d7453c

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iphtcfjrejti.lnk
                Filesize

                952B

                MD5

                ed38b04dc3ebc2cafaa17f9c95643001

                SHA1

                6ab20bac2ea8b0dc5a079155731c7d2d5efd3579

                SHA256

                bfc129630c3993e13d88bbf1b6211629b2f3aa1f1d8489693c89b0f2786ca1f1

                SHA512

                08d11b680c6984b242016f54256c985bcce8502a2daa92f06308c39e4d5d08f57c21c184d64e4623f168f4f7ecdb49c3e40a92d09ed79749520cda3636606d32

                Download Submit

              • C:\Users\Admin\AppData\Roaming\ZMawhhj\MoUsoCoreWorker.exe
                Filesize

                1.6MB

                MD5

                47c6b45ff22b73caf40bb29392386ce3

                SHA1

                7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

                SHA256

                cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

                SHA512

                c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

                Download Submit

              • memory/540-0-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/540-2-0x0000026735D30000-0x0000026735D37000-memory.dmp

                Filesize

                28KB

                Download

              • memory/540-6-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-16-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-12-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-22-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-21-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-20-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-19-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-18-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-17-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-25-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-15-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-14-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-13-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-43-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-23-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-11-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-45-0x00007FFA14600000-0x00007FFA14610000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3376-10-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-9-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-8-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-26-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-38-0x0000000000F00000-0x0000000000F07000-memory.dmp

                Filesize

                28KB

                Download

              • memory/3376-54-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-33-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-24-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-7-0x0000000140000000-0x000000014007C000-memory.dmp

                Filesize

                496KB

                Download

              • memory/3376-3-0x0000000000F60000-0x0000000000F61000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3376-5-0x00007FFA12DBA000-0x00007FFA12DBB000-memory.dmp

                Filesize

                4KB

                Download