Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
12/06/2024, 06:24
General
-
Target
2449161e8fa06ccd0b6519d6ff761820_NeikiAnalytics.dll
-
Size
500KB
-
MD5
2449161e8fa06ccd0b6519d6ff761820
-
SHA1
55a8ed75679a79175ab528e93912e0e39aa7b044
-
SHA256
ac142a0fb80e50e856e020a3a5f30ec31bb95114b91d75878ed1ff1307d080fb
-
SHA512
a8cf2bc1dddfe35b00477a41fca6b822aa6aded77c38b122e5bbc2ec1a6274eba96183dfd26a6b42ae5190eb06346313b8ef0cd79d64c4795f396217aad962a4
-
SSDEEP
6144:Mi05kH9OyU2uv5SRf/FWgFgt0gqIRAUW9kVYeVprU4wfhTv5xD2ZP0GVGdXcukT4:nrHGPv5SmptZDmUWuVZkxikdXcq
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2449161e8fa06ccd0b6519d6ff761820_NeikiAnalytics.dll,#11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\Netplwiz.exeC:\Windows\system32\Netplwiz.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ib65e2.cmd1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{4a94cc21-ab5c-b52d-bcf4-6eb5b4fdcb9a}"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Delete /F /TN "User_Feed_Synchronization-{4a94cc21-ab5c-b52d-bcf4-6eb5b4fdcb9a}"2⤵
-
-
C:\Windows\system32\charmap.exeC:\Windows\system32\charmap.exe1⤵
-
C:\Windows\system32\cleanmgr.exeC:\Windows\system32\cleanmgr.exe1⤵
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe1⤵
-
C:\Windows\system32\secinit.exeC:\Windows\system32\secinit.exe1⤵
-
C:\Windows\system32\credwiz.exeC:\Windows\system32\credwiz.exe1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\sxQ.cmd1⤵
- Drops file in System32 directory
-
C:\Windows\System32\eventvwr.exe"C:\Windows\System32\eventvwr.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\qmp5M.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Create /F /TN "Iqeyjqzalasn" /SC minute /MO 60 /TR "C:\Windows\system32\1629\credwiz.exe" /RL highest3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
504KB
MD5ee34d24776ae2dfbf727a1d4958d2d70
SHA1f3722a5ec505891b1a158b642c99a843deffd4c4
SHA256aed499135f47b62de9fea1f0cac2d0268180b95c5eaab77f149c1e5f8f3ce460
SHA512d5c0c8bb03c40b5be9915d5e3f2d21389333d5dee56a1cd1b2d15083d46a1adc88921f028f7eedf68d56d64ac925b38031bcb12c1b2497752e6d83a1e183cfe0
-
Filesize
234B
MD5d046c93db006050fcd50d4e3441d845b
SHA16947c1cf16cb5e05121c6549f5dbed54efa2505c
SHA25677f9c820eb62cf50cb720509c42a00cfe2d5273dfb10f6370e799031a57fa6d5
SHA512a6c70b7e15f2c40f79ef518c6ac950b1d5faff74cc3f09349a750790d326d3998a037fb777969c3d0e53241303b947b389bbe73c5afe4a90e2c8cb16b27b1531
-
Filesize
130B
MD53ec52fa60983a2a5c5e160f3191d414a
SHA1248f66246943664ebe1d9c2e22f0e83e5c08e465
SHA2565ac256029e88fed324907a9b70abaf82dd15d9c13c143f091c5c2bec95e1602d
SHA512ed2169d5313c596e7da16ce33fbe6837b17095144fd3341d2ee42b3eac67641c423eec8839cc9754e4c1261af00ce6cefdff46241eb95c73a3c940900184ed19
-
Filesize
500KB
MD5b423890849ecea08103b48434846ddbf
SHA1e16c3ef08f670ab8b27076f70ecb5c9c015e7959
SHA2567f483759e3954b7f70d67dfc9dbdd8db7f5a494fe77522ac0ea1765609b6ef1a
SHA5120bd7b5c4d674deb6a3aea043ee64c977f0680d9ce4698b74a8af8db7b2ae43055f828baf6639a7951b41ded4f775f11bb44efa67de071fdf3e8da89d9f5a041f
-
Filesize
194B
MD55d10374ed414ebf0c99155c9438a473c
SHA17da06c4d30f8bf4c15bd409e2cb9f76ff1946373
SHA2569ebdc873a163c44a75ca24203248728a643849846dc842c6bca2e53674e40988
SHA512b6fb5d5a445cb80e7b860667e13eaa237fbeaece7772f546d4a3ae9b208361f357d4500d1f15a7328bb7e6dd6b25d4f92ed7a6adf2884ee21a43a8842c5f3b88
-
Filesize
886B
MD53c19c66a5ffc2055471dcd5542f0b1f5
SHA1b762ffe59468c57727ad76ac971e1db34aa55f32
SHA25658db180c02374be0f0a2fcc830d552798e71e6ec224daf4a65896420a6ec940e
SHA512d1d0707f43343636fa86dfc39394011f55663f579865ee4ce2ce8a9680cff0291a2f4a2c12f46c555ba4390a8d006e38774fde6f2f9d79e3381466ae8edd16a0
-
Filesize
26KB
MD5e43ec3c800d4c0716613392e81fba1d9
SHA137de6a235e978ecf3bb0fc2c864016c5b0134348
SHA256636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
SHA512176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
4KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
8KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
500KB
-
Filesize
28KB
-
Filesize
500KB