a5fad5c2a9c075dadf898770198a86c18468863fbdf28235e01308076af86c61

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 21:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4724c3c6a175b97434f210fd143dc410_NeikiAnalytics.dll
Size

72KB
MD5

4724c3c6a175b97434f210fd143dc410
SHA1

ff635ce1d6a2c04be363c7636ecc5e374f06ada9
SHA256

a5fad5c2a9c075dadf898770198a86c18468863fbdf28235e01308076af86c61
SHA512

2fea1488cdc44eaba6b755b91215488106ef14ad89ed78307fa05cfb560739185cd5372e944a2abadfee21c31c1301372a3fb221f756967bb0fbf70c293915d9
SSDEEP

1536:ymJ6BS7LL1X+o9yHSmj9yjdMGHb4c9PWJZ:yLBon1XJyHSI9idMYllWD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2240	hrl193B.tmp
2352	refzsk.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	rundll32.exe
1944	rundll32.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\refzsk.exe	hrl193B.tmp
File opened for modification	C:\Windows\SysWOW64\refzsk.exe	hrl193B.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2240	hrl193B.tmp
2352	refzsk.exe

Suspicious behavior: MapViewOfSection 47 IoCs

pid	Process
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2240	hrl193B.tmp
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe
2352	refzsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	hrl193B.tmp
Token: SeDebugPrivilege	2352	refzsk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1944	1284	rundll32.exe	28
PID 1284 wrote to memory of 1944	1284	rundll32.exe	28
PID 1284 wrote to memory of 1944	1284	rundll32.exe	28
PID 1284 wrote to memory of 1944	1284	rundll32.exe	28
PID 1284 wrote to memory of 1944	1284	rundll32.exe	28
PID 1284 wrote to memory of 1944	1284	rundll32.exe	28
PID 1284 wrote to memory of 1944	1284	rundll32.exe	28
PID 1944 wrote to memory of 2240	1944	rundll32.exe	29
PID 1944 wrote to memory of 2240	1944	rundll32.exe	29
PID 1944 wrote to memory of 2240	1944	rundll32.exe	29
PID 1944 wrote to memory of 2240	1944	rundll32.exe	29
PID 2240 wrote to memory of 384	2240	hrl193B.tmp	3
PID 2240 wrote to memory of 384	2240	hrl193B.tmp	3
PID 2240 wrote to memory of 384	2240	hrl193B.tmp	3
PID 2240 wrote to memory of 384	2240	hrl193B.tmp	3
PID 2240 wrote to memory of 384	2240	hrl193B.tmp	3
PID 2240 wrote to memory of 384	2240	hrl193B.tmp	3
PID 2240 wrote to memory of 384	2240	hrl193B.tmp	3
PID 2240 wrote to memory of 392	2240	hrl193B.tmp	4
PID 2240 wrote to memory of 392	2240	hrl193B.tmp	4
PID 2240 wrote to memory of 392	2240	hrl193B.tmp	4
PID 2240 wrote to memory of 392	2240	hrl193B.tmp	4
PID 2240 wrote to memory of 392	2240	hrl193B.tmp	4
PID 2240 wrote to memory of 392	2240	hrl193B.tmp	4
PID 2240 wrote to memory of 392	2240	hrl193B.tmp	4
PID 2240 wrote to memory of 432	2240	hrl193B.tmp	5
PID 2240 wrote to memory of 432	2240	hrl193B.tmp	5
PID 2240 wrote to memory of 432	2240	hrl193B.tmp	5
PID 2240 wrote to memory of 432	2240	hrl193B.tmp	5
PID 2240 wrote to memory of 432	2240	hrl193B.tmp	5
PID 2240 wrote to memory of 432	2240	hrl193B.tmp	5
PID 2240 wrote to memory of 432	2240	hrl193B.tmp	5
PID 2240 wrote to memory of 476	2240	hrl193B.tmp	6
PID 2240 wrote to memory of 476	2240	hrl193B.tmp	6
PID 2240 wrote to memory of 476	2240	hrl193B.tmp	6
PID 2240 wrote to memory of 476	2240	hrl193B.tmp	6
PID 2240 wrote to memory of 476	2240	hrl193B.tmp	6
PID 2240 wrote to memory of 476	2240	hrl193B.tmp	6
PID 2240 wrote to memory of 476	2240	hrl193B.tmp	6
PID 2240 wrote to memory of 492	2240	hrl193B.tmp	7
PID 2240 wrote to memory of 492	2240	hrl193B.tmp	7
PID 2240 wrote to memory of 492	2240	hrl193B.tmp	7
PID 2240 wrote to memory of 492	2240	hrl193B.tmp	7
PID 2240 wrote to memory of 492	2240	hrl193B.tmp	7
PID 2240 wrote to memory of 492	2240	hrl193B.tmp	7
PID 2240 wrote to memory of 492	2240	hrl193B.tmp	7
PID 2240 wrote to memory of 500	2240	hrl193B.tmp	8
PID 2240 wrote to memory of 500	2240	hrl193B.tmp	8
PID 2240 wrote to memory of 500	2240	hrl193B.tmp	8
PID 2240 wrote to memory of 500	2240	hrl193B.tmp	8
PID 2240 wrote to memory of 500	2240	hrl193B.tmp	8
PID 2240 wrote to memory of 500	2240	hrl193B.tmp	8
PID 2240 wrote to memory of 500	2240	hrl193B.tmp	8
PID 2240 wrote to memory of 596	2240	hrl193B.tmp	9
PID 2240 wrote to memory of 596	2240	hrl193B.tmp	9
PID 2240 wrote to memory of 596	2240	hrl193B.tmp	9
PID 2240 wrote to memory of 596	2240	hrl193B.tmp	9
PID 2240 wrote to memory of 596	2240	hrl193B.tmp	9
PID 2240 wrote to memory of 596	2240	hrl193B.tmp	9
PID 2240 wrote to memory of 596	2240	hrl193B.tmp	9
PID 2240 wrote to memory of 676	2240	hrl193B.tmp	10
PID 2240 wrote to memory of 676	2240	hrl193B.tmp	10
PID 2240 wrote to memory of 676	2240	hrl193B.tmp	10
PID 2240 wrote to memory of 676	2240	hrl193B.tmp	10

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1532
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:744
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1172
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:844
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:108
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:1008
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1064
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1112
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1976
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\refzsk.exe
    C:\Windows\SysWOW64\refzsk.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4724c3c6a175b97434f210fd143dc410_NeikiAnalytics.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4724c3c6a175b97434f210fd143dc410_NeikiAnalytics.dll,#1
    3⤵
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\hrl193B.tmp
      C:\Users\Admin\AppData\Local\Temp\hrl193B.tmp
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hrl193B.tmp

Filesize
65KB

MD5
c03d8da864e307bf1691457c9e7dc98d

SHA1
f96f442b2438da602feb4e2b4adaada7bbc5e408

SHA256
642ba0bd9b2956e19887868f87c9d96ef83bb386de733857f67cf049d3f50d51

SHA512
afd7d07f971e92b1079b8a039e6b75f8b68e1b711a384a309a7e7a6e90e3c448dce0118a9847c325fdedfcea84316d0c4d23c471ecc4cd949a5619dc7a677cb6

Download Submit
memory/1944-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2240-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2240-10-0x000000007791F000-0x0000000077920000-memory.dmp

Filesize
4KB

Download
memory/2240-11-0x0000000077920000-0x0000000077921000-memory.dmp

Filesize
4KB

Download
memory/2240-20-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2240-19-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2352-15-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2352-17-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download