Malware Analysis Report

2025-01-18 01:03

Sample ID 240613-hapzqsxelh
Target 65d27fcf5d4c6e8063353a0e67e4fc00_NeikiAnalytics.exe
SHA256 104ad4aa48acfb6ed06b77d34dfaea65636fc5d69f9e97f14083393289ce4bcc
Tags persistence
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

104ad4aa48acfb6ed06b77d34dfaea65636fc5d69f9e97f14083393289ce4bcc

Threat Level: Shows suspicious behavior

The file 65d27fcf5d4c6e8063353a0e67e4fc00_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 06:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 06:32

Reported

2024-06-13 06:34

Platform

win7-20240221-en

Max time kernel

149s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\65d27fcf5d4c6e8063353a0e67e4fc00_NeikiAnalytics.dll,#1

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "\"C:\\Users\\Admin\\AppData\\Roaming\\f4SUbt\\VaultSysUi.exe\"" N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\6401\rrinstaller.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\system32\6401\rrinstaller.exe C:\Windows\System32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\yFk6sS.cmd" N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2908 N/A N/A C:\Windows\system32\VaultSysUi.exe
PID 1208 wrote to memory of 2908 N/A N/A C:\Windows\system32\VaultSysUi.exe
PID 1208 wrote to memory of 2908 N/A N/A C:\Windows\system32\VaultSysUi.exe
PID 1208 wrote to memory of 2688 N/A N/A C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2688 N/A N/A C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2688 N/A N/A C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2912 N/A N/A C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2912 N/A N/A C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2912 N/A N/A C:\Windows\System32\cmd.exe
PID 2912 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2912 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2912 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1208 wrote to memory of 2240 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1208 wrote to memory of 2240 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1208 wrote to memory of 2240 N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1208 wrote to memory of 1664 N/A N/A C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 1664 N/A N/A C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 1664 N/A N/A C:\Windows\System32\cmd.exe
PID 1208 wrote to memory of 2520 N/A N/A C:\Windows\System32\eventvwr.exe
PID 1208 wrote to memory of 2520 N/A N/A C:\Windows\System32\eventvwr.exe
PID 1208 wrote to memory of 2520 N/A N/A C:\Windows\System32\eventvwr.exe
PID 2520 wrote to memory of 2752 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2520 wrote to memory of 2752 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2520 wrote to memory of 2752 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2752 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2752 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2752 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\65d27fcf5d4c6e8063353a0e67e4fc00_NeikiAnalytics.dll,#1

C:\Windows\system32\VaultSysUi.exe

C:\Windows\system32\VaultSysUi.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\aK1.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"

C:\Windows\system32\rrinstaller.exe

C:\Windows\system32\rrinstaller.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Oohwbly.cmd

C:\Windows\System32\eventvwr.exe

"C:\Windows\System32\eventvwr.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\yFk6sS.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Kzcfjezwvyzrv" /SC minute /MO 60 /TR "C:\Windows\system32\6401\rrinstaller.exe" /RL highest

Network

N/A

Files

memory/1984-0-0x0000000000170000-0x0000000000177000-memory.dmp

memory/1984-2-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-3-0x0000000076D26000-0x0000000076D27000-memory.dmp

memory/1208-4-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/1984-6-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-7-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-11-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-38-0x00000000025B0000-0x00000000025B7000-memory.dmp

memory/1208-17-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-37-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-30-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-29-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-28-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-27-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-26-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-25-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-24-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-23-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-22-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-21-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-20-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-19-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-18-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-16-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-15-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-14-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-13-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-12-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-10-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-9-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-8-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-39-0x0000000076E31000-0x0000000076E32000-memory.dmp

memory/1208-48-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-51-0x0000000140000000-0x000000014008D000-memory.dmp

memory/1208-52-0x0000000076F90000-0x0000000076F92000-memory.dmp

memory/1208-53-0x0000000140000000-0x000000014008D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aK1.cmd

MD5 2fa3f7e2cf8c87adbe5a4570b41605d4
SHA1 b96c7fe23d2fe3aaaa2075ede0cffe9da352f214
SHA256 bbbe820dfa1b77015bc1cbddbfcb84de4b621cf740db236b991aea746e995d45
SHA512 974759d93c0d5892dbf05f7b301d40a0c41be6b89de309b514709f99f43cb179cd8305f66786f28ed25e37f43e82d410e699e5acabb107e73359dd3faa8573d6

C:\Users\Admin\AppData\Local\Temp\I315D.tmp

MD5 f9fd2f2cd4fddeb455ed073d09107aac
SHA1 800d467f738806a8ba58c05e654a2cd7f6d3a847
SHA256 77c2781cb6574c8ba0ba86ca74052ed738f7dd043ece9809b95c75f2dcbc275e
SHA512 67a23bb58794793a2b78b5eb8caab23a49fb8eb2e2dd500c994419189bc8f073859d69570802a37996ae4d9e9a902310d8635dc53e21f9896924f5bac367cba1

C:\Users\Admin\AppData\Roaming\f4SUbt\VaultSysUi.exe

MD5 f40ef105d94350d36c799ee23f7fec0f
SHA1 ee3a5cfe8b807e1c1718a27eb97fa134360816e3
SHA256 eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2
SHA512 f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

C:\Users\Admin\AppData\Local\Temp\Oohwbly.cmd

MD5 ce7b204aeffabc16e3352d216cececfd
SHA1 283ed4245525d12bd7a28a2f30b2cf2e7ed6059f
SHA256 0985122c54cc80d03b4855c64a868331a0d048025fc339e57137ddffa9996f4b
SHA512 130c034f409058118aa77765325304d91451f76eab95ce5bf401fcb35519e02d61945cf333b7e249b49b8f155eedfe975923ae0f3882852c6c08592499710aa4

C:\Users\Admin\AppData\Local\Temp\n33AF.tmp

MD5 899ff55d4f37d0ffef62b030bd8a713e
SHA1 21da6bd6ced218ce298f4d28b842c2378266c243
SHA256 e2ac23237a4e6b041b741ee3e6a9eaf0671b027a927b8782c13dbad7187ba799
SHA512 19d372e4d7d122daea6bcd4800f47485ce1a71ec53d56dcc421b8d8b0158f364c212ccfb2a1f4e0fe58c0d0e86b73ec25dcedff259c6fb57cd5a92f2153b477f

C:\Users\Admin\AppData\Local\Temp\yFk6sS.cmd

MD5 cff8f0294ce7b135cf8b26d8ab6c60c5
SHA1 cddae57958443998097619609310f4ea2ea241d8
SHA256 39eca64a53ffc4484f48872b2dcab6fded7aff5e22bc704f6d4d3958b68f242a
SHA512 5f6e2ec0afcd982136b720608e0eb32686af431a205725140caf5cb4f495dd03725c924ea2c9232e0dd38327a444c8f214da3691c7010dd2aae5a176b14b3802

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yyeybzteybdsbj.lnk

MD5 5bd507dcf35df1fabf561fb871cf8dd8
SHA1 40a75b56cf7096975e63c5c0433ecaae722b5afc
SHA256 13f0479bf736867181b960293960dea9d35c531af3e7394e7cf855ebe52edfe4
SHA512 441eef93f5e865ba30242220383f17c31bb115eebd9164e0178f396f68951bd6d276827bdf5edfa521148d78df2e83bad966d861992aded39cf5643b8861064f

memory/1208-101-0x0000000076D26000-0x0000000076D27000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 06:32

Reported

2024-06-13 06:34

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\65d27fcf5d4c6e8063353a0e67e4fc00_NeikiAnalytics.dll,#1

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iphtcfjrejti = "\"C:\\Users\\Admin\\AppData\\Roaming\\clmw\\Utilman.exe\"" N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\5202\OptionalFeatures.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\system32\5202\OptionalFeatures.exe C:\Windows\System32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open\command N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open\command\DelegateExecute N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open\command N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\AWHaXc.cmd" N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 1628 N/A N/A C:\Windows\system32\provtool.exe
PID 3436 wrote to memory of 1628 N/A N/A C:\Windows\system32\provtool.exe
PID 3436 wrote to memory of 468 N/A N/A C:\Windows\system32\VSSVC.exe
PID 3436 wrote to memory of 468 N/A N/A C:\Windows\system32\VSSVC.exe
PID 3436 wrote to memory of 3676 N/A N/A C:\Windows\system32\RuntimeBroker.exe
PID 3436 wrote to memory of 3676 N/A N/A C:\Windows\system32\RuntimeBroker.exe
PID 3436 wrote to memory of 2256 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3436 wrote to memory of 2256 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3436 wrote to memory of 4052 N/A N/A C:\Windows\system32\ResetEngine.exe
PID 3436 wrote to memory of 4052 N/A N/A C:\Windows\system32\ResetEngine.exe
PID 3436 wrote to memory of 4464 N/A N/A C:\Windows\system32\DTUHandler.exe
PID 3436 wrote to memory of 4464 N/A N/A C:\Windows\system32\DTUHandler.exe
PID 3436 wrote to memory of 4500 N/A N/A C:\Windows\system32\audiodg.exe
PID 3436 wrote to memory of 4500 N/A N/A C:\Windows\system32\audiodg.exe
PID 3436 wrote to memory of 2028 N/A N/A C:\Windows\system32\MultiDigiMon.exe
PID 3436 wrote to memory of 2028 N/A N/A C:\Windows\system32\MultiDigiMon.exe
PID 3436 wrote to memory of 4592 N/A N/A C:\Windows\system32\dllhost.exe
PID 3436 wrote to memory of 4592 N/A N/A C:\Windows\system32\dllhost.exe
PID 3436 wrote to memory of 3100 N/A N/A C:\Windows\system32\Utilman.exe
PID 3436 wrote to memory of 3100 N/A N/A C:\Windows\system32\Utilman.exe
PID 3436 wrote to memory of 3300 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 3300 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 2496 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 2496 N/A N/A C:\Windows\System32\cmd.exe
PID 2496 wrote to memory of 3080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2496 wrote to memory of 3080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 4992 N/A N/A C:\Windows\system32\AppVShNotify.exe
PID 3436 wrote to memory of 4992 N/A N/A C:\Windows\system32\AppVShNotify.exe
PID 3436 wrote to memory of 4168 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 3436 wrote to memory of 4168 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 3436 wrote to memory of 4576 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 4576 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 828 N/A N/A C:\Windows\System32\fodhelper.exe
PID 3436 wrote to memory of 828 N/A N/A C:\Windows\System32\fodhelper.exe
PID 828 wrote to memory of 5072 N/A C:\Windows\System32\fodhelper.exe C:\Windows\system32\cmd.exe
PID 828 wrote to memory of 5072 N/A C:\Windows\System32\fodhelper.exe C:\Windows\system32\cmd.exe
PID 5072 wrote to memory of 3076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 5072 wrote to memory of 3076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\65d27fcf5d4c6e8063353a0e67e4fc00_NeikiAnalytics.dll,#1

C:\Windows\system32\provtool.exe

C:\Windows\system32\provtool.exe

C:\Windows\system32\VSSVC.exe

C:\Windows\system32\VSSVC.exe

C:\Windows\system32\RuntimeBroker.exe

C:\Windows\system32\RuntimeBroker.exe

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\ResetEngine.exe

C:\Windows\system32\ResetEngine.exe

C:\Windows\system32\DTUHandler.exe

C:\Windows\system32\DTUHandler.exe

C:\Windows\system32\audiodg.exe

C:\Windows\system32\audiodg.exe

C:\Windows\system32\MultiDigiMon.exe

C:\Windows\system32\MultiDigiMon.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\V9s.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{3a9698a7-8b59-5789-8186-33aeee771cee}"

C:\Windows\system32\AppVShNotify.exe

C:\Windows\system32\AppVShNotify.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\8V1jXb.cmd

C:\Windows\System32\fodhelper.exe

"C:\Windows\System32\fodhelper.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\AWHaXc.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Niazd" /SC minute /MO 60 /TR "C:\Windows\system32\5202\OptionalFeatures.exe" /RL highest

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3804-1-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3804-0-0x00000174EAD10000-0x00000174EAD17000-memory.dmp

memory/3436-3-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/3804-5-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-6-0x00007FFE77D9A000-0x00007FFE77D9B000-memory.dmp

memory/3436-19-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-24-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-37-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-58-0x0000000140000000-0x000000014008D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AWHaXc.cmd

MD5 11386504995ab1f391538cdfb4389e78
SHA1 60bf7573ad967b7a085d5ebd3e0453c2b952f362
SHA256 d75b548f3a911b54e4bdcc0368d5b88a2efb5e32d83deedee87de9a6f1bcd97b
SHA512 0e9ac9faa6434ff7d212e9b0c25ad8a725acb9c710fdbdcfc492f4dadfce78d4b0f7e654d73e8e2c82539edeb80e1979a7d21af87abec723d1e83cba7e892a6b

C:\Users\Admin\AppData\Local\Temp\nS51EA.tmp

MD5 5f175a465456d62212123b6b0aa5d7aa
SHA1 301a707c02573291679c8bd676ae9886611c4f06
SHA256 9fa80af480ea84d2c3477608ba330fbcb1e38023b756308d2d3205d5717c5f20
SHA512 e31b74cd21bca0c2887d46dbb2b6807c7774c291f0f4e1cecc7e2db38d216bbaa6a13695207fd03d9fd8d6ac163b7da1dc70a4d603fb8e823bf9034aad2d13c6

C:\Users\Admin\AppData\Local\Temp\8V1jXb.cmd

MD5 feeb3dc8a5ea3d1b7b48e1dfc84ac07a
SHA1 4549571e13bd170e83d1bca9a58fe4fddfaff45a
SHA256 340520d68ea80ee964d61fe402a61d2a48f7711cebd9896b9e84cdd1b36da234
SHA512 ab05c8141fa3a34c60fc288b7200c65f2659fde360919918aa88f0cc0ba9da70f0f8db8a89aae4d2c66326c6813571f844142014c039b59bf6e2b8ef85497921

C:\Users\Admin\AppData\Roaming\clmw\Utilman.exe

MD5 a117edc0e74ab4770acf7f7e86e573f7
SHA1 5ceffb1a5e05e52aafcbc2d44e1e8445440706f3
SHA256 b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37
SHA512 72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

C:\Users\Admin\AppData\Local\Temp\CgS514C.tmp

MD5 a608ed15a56eab782dd9ca3ad9e73bf8
SHA1 1270024fe482314e619ab428b4c111daadb360e1
SHA256 e6970b97d5ce94c2f0b79d93a6d8f22e26127b65bd850681f965fad71175d554
SHA512 d143cd0dd9568f0c70d7a2fcd8939112e7df2001e1b0ef99b5e9007bcc37ff36d5fa8dcb6a5cda09e7c169899d4ed4ac7aa11a49faeee3814de0749d4d0c0d5e

C:\Users\Admin\AppData\Local\Temp\V9s.cmd

MD5 c4e5827e84f0fe09b330a082bad1a2ab
SHA1 be0d137ba3a1a605d413c6b9bde028d744b9bbac
SHA256 27d471c637b6ee4d68346fe8eb5c3a34372fbb736c39651976fb9c124ab0acb0
SHA512 39d39a32b6a90b9e5c63819bd55a2dd1eea4a611375f3296e60eeb921b6e42dab5e1b361227c9dee55ac7e5ca55d57020269daaa9c1289923f7ac90c25402694

memory/3436-49-0x00007FFE79CE0000-0x00007FFE79CF0000-memory.dmp

memory/3436-48-0x0000000000420000-0x0000000000427000-memory.dmp

memory/3436-46-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-30-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-29-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-28-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-26-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-27-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-25-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-23-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-21-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-22-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-20-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-18-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-17-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-16-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-15-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-14-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-13-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-12-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-11-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-10-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-9-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-8-0x0000000140000000-0x000000014008D000-memory.dmp

memory/3436-7-0x0000000140000000-0x000000014008D000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iphtcfjrejti.lnk

MD5 676dccc3437a352bf1e0d1dbde9aad8b
SHA1 6f6aafb5edf5c32e92f9d8905da3d0c6e0458d7a
SHA256 2256feb71f2d2165780d6c42e18078b9565c6989d00ee3f20784c7222bf823d9
SHA512 19119b591af2e1fc707e0a0b1f948d54dba86a9c970044170d33c3761eb100559013f70f971f36eb20ae1823a04ca0d866ebf4d064a40d29fb8abd28241f6601