Analysis
- max time kernel: 92s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-06-2024 00:43
Static task: static1
Behavioral task: behavioral1
- Sample: 2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll
- Resource: win7-20240220-en
General
- Target: 2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll
- Size: 457KB
- MD5: 2144112e6180ba6dac7514c4972d3360
- SHA1: e96159f89a6ec9653180df80f50e2c9b0212ff1a
- SHA256: 397a06a8dfebd9cecab74cf9563017042fbf04050a8f368b2b2ac644643d35c1
- SHA512: f97a3d1fcb7134634213ddcf0c4b4eb27b8382e196e8fb428954ad2a105fd00b98ccc1febcded67f97fa3aa848139738e34d623f55de83745d92a65afd3948d2
- SSDEEP: 12288:Ha+VWigpr73NMMlti+mK0BNpb1QNLfziqXfjk4JFy8BuxgPrxt:H7Vhu9MM8LbSLmWjk4L4xgTxt
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  800 | rundll32mgr.exe
- Memory dumps matching yara_rule upx (resource / yara_rule):
  behavioral2/memory/800-6-0x0000000000400000-0x000000000041A000-memory.dmp | upx
  behavioral2/memory/800-7-0x0000000000400000-0x000000000041A000-memory.dmp | upx
  behavioral2/memory/800-8-0x0000000000400000-0x000000000041A000-memory.dmp | upx
  behavioral2/memory/800-14-0x0000000000400000-0x000000000041A000-memory.dmp | upx
  behavioral2/memory/800-13-0x0000000000400000-0x000000000041A000-memory.dmp | upx
  behavioral2/memory/800-12-0x0000000000400000-0x000000000041A000-memory.dmp | upx
  behavioral2/memory/800-9-0x0000000000400000-0x000000000041A000-memory.dmp | upx
  behavioral2/memory/800-17-0x0000000000400000-0x000000000041A000-memory.dmp | upx
  behavioral2/memory/800-16-0x0000000000400000-0x000000000041A000-memory.dmp | upx
  behavioral2/memory/800-21-0x0000000000400000-0x0000000000419000-memory.dmp | upx
- Drops file in System32 directory (1 IoCs)
  Processes (description / ioc / process):
  File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
- Registry changes by iexplore.exe / IEXPLORE.EXE (description / ioc / process):
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112088" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1768327500" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112088" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1769889822" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1768327500" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{94F11255-278B-11EF-9A94-7AB71B943571} = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112088" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424831567" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112088" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1769889822" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid / process):
  800 | rundll32mgr.exe
  800 | rundll32mgr.exe
  800 | rundll32mgr.exe
  800 | rundll32mgr.exe
  800 | rundll32mgr.exe
  800 | rundll32mgr.exe
  800 | rundll32mgr.exe
  800 | rundll32mgr.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege | 800 | rundll32mgr.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid / process):
  2652 | iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid / process):
  2652 | iexplore.exe
  2652 | iexplore.exe
  4368 | IEXPLORE.EXE
  4368 | IEXPLORE.EXE
  4368 | IEXPLORE.EXE
  4368 | IEXPLORE.EXE
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes (pid / process):
  800 | rundll32mgr.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
  PID 4608 wrote to memory of 3360 | 4608 | rundll32.exe | rundll32.exe
  PID 4608 wrote to memory of 3360 | 4608 | rundll32.exe | rundll32.exe
  PID 4608 wrote to memory of 3360 | 4608 | rundll32.exe | rundll32.exe
  PID 3360 wrote to memory of 800 | 3360 | rundll32.exe | rundll32mgr.exe
  PID 3360 wrote to memory of 800 | 3360 | rundll32.exe | rundll32mgr.exe
  PID 3360 wrote to memory of 800 | 3360 | rundll32.exe | rundll32mgr.exe
  PID 800 wrote to memory of 2652 | 800 | rundll32mgr.exe | iexplore.exe
  PID 800 wrote to memory of 2652 | 800 | rundll32mgr.exe | iexplore.exe
  PID 2652 wrote to memory of 4368 | 2652 | iexplore.exe | IEXPLORE.EXE
  PID 2652 wrote to memory of 4368 | 2652 | iexplore.exe | IEXPLORE.EXE
  PID 2652 wrote to memory of 4368 | 2652 | iexplore.exe | IEXPLORE.EXE
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll,#1
  PID: 4608
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2144112e6180ba6dac7514c4972d3360_NeikiAnalytics.dll,#1
    PID: 3360
    Signatures:
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32mgr.exe
      Command line: C:\Windows\SysWOW64\rundll32mgr.exe
      PID: 800
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2652
        Signatures:
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:17410 /prefetch:2
          PID: 4368
          Signatures:
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: ba5c07e84aaf8703c7f383a82d696ce7
  SHA1: f51fbe8032555f84974ed041a09cc6211d8ee0af
  SHA256: 088079d3c0c9b9117e2427529a2e6ddd19bd694d1180dabf72cb80dfad1fbad3
  SHA512: 987db2bb8c1a95f754c724f5921152a3e1f6a4ca7b7c79f7b927eca93e9251e73eb91d8a972c094061a8dbfb6ad82e5133ed64ffb7d9c9de946b705f4081d31f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: a4f5c8ea9306fa6948cb9b551a56acff
  SHA1: 47b78df377ce3c58077483431bdb7a5c331cc66b
  SHA256: 963e3b6662b50229c064a89a878611bb99c86897ce794d249b8c261f7434d499
  SHA512: 90c1d1834facd71f3aad073ca82ab214ad102408bf5fa71a17292bc91ef6f8ec8a153b92a91be34ab1999a327c8eded993f9d158610ac94bb2cf32ec246000d3
- (path not given on the page)
  Filesize: 15KB
  MD5: 1a545d0052b581fbb2ab4c52133846bc
  SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
  SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
  SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
- (path not given on the page)
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- (path not given on the page)
  Filesize: 84KB
  MD5: 5a4990694e4324c26ace7339664fc4b6
  SHA1: e1d54ebd9223f127ee7a5cb00f1be151bb49548b
  SHA256: 99e40a3654d832bb4090fdb7f6eb62abece0109d88c87651835b74af4bcb197d
  SHA512: 7f41f0312325f0c09c7b444e237538e38f5e4578111e3f4277b266a1f107791a5ec1a670c6911befe8a3286ff521471cc67c2eac07f3d3dcd29b4081f07a3450