2a1a0cfae648dfa5f8b54ab4bce312bb93463e48deef5832fff7487437186779

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a1a0cfae648dfa5f8b54ab4bce312bb93463e48deef5832fff7487437186779_NeikiAnalytics.dll
Size

72KB
MD5

0add25cdde35d168fd61d1f6cbf4a0a0
SHA1

d01604554903caa42df1dcf91125c40483358638
SHA256

2a1a0cfae648dfa5f8b54ab4bce312bb93463e48deef5832fff7487437186779
SHA512

40d3837edae82ddada206398d1ca506aec681afe8dcdf6bb4d749e2ed57993c7b23a3875de830d8894fcc7d0e61a9c2f28c33207f6863223ba7b2da29676cdbd
SSDEEP

1536:smD6BS7LL1ido9yHSmBmSKmS63DgirIH:spBon1iWyHSCTKTeDgb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2204	hrl197A.tmp
2680	kkaaya.exe

Loads dropped DLL 2 IoCs

pid	Process
1688	rundll32.exe
1688	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kkaaya.exe	hrl197A.tmp
File created	C:\Windows\SysWOW64\kkaaya.exe	hrl197A.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	hrl197A.tmp
2680	kkaaya.exe

Suspicious behavior: MapViewOfSection 47 IoCs

pid	Process
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2204	hrl197A.tmp
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe
2680	kkaaya.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	hrl197A.tmp
Token: SeDebugPrivilege	2680	kkaaya.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1688	1832	rundll32.exe	28
PID 1832 wrote to memory of 1688	1832	rundll32.exe	28
PID 1832 wrote to memory of 1688	1832	rundll32.exe	28
PID 1832 wrote to memory of 1688	1832	rundll32.exe	28
PID 1832 wrote to memory of 1688	1832	rundll32.exe	28
PID 1832 wrote to memory of 1688	1832	rundll32.exe	28
PID 1832 wrote to memory of 1688	1832	rundll32.exe	28
PID 1688 wrote to memory of 2204	1688	rundll32.exe	29
PID 1688 wrote to memory of 2204	1688	rundll32.exe	29
PID 1688 wrote to memory of 2204	1688	rundll32.exe	29
PID 1688 wrote to memory of 2204	1688	rundll32.exe	29
PID 2204 wrote to memory of 384	2204	hrl197A.tmp	3
PID 2204 wrote to memory of 384	2204	hrl197A.tmp	3
PID 2204 wrote to memory of 384	2204	hrl197A.tmp	3
PID 2204 wrote to memory of 384	2204	hrl197A.tmp	3
PID 2204 wrote to memory of 384	2204	hrl197A.tmp	3
PID 2204 wrote to memory of 384	2204	hrl197A.tmp	3
PID 2204 wrote to memory of 384	2204	hrl197A.tmp	3
PID 2204 wrote to memory of 396	2204	hrl197A.tmp	4
PID 2204 wrote to memory of 396	2204	hrl197A.tmp	4
PID 2204 wrote to memory of 396	2204	hrl197A.tmp	4
PID 2204 wrote to memory of 396	2204	hrl197A.tmp	4
PID 2204 wrote to memory of 396	2204	hrl197A.tmp	4
PID 2204 wrote to memory of 396	2204	hrl197A.tmp	4
PID 2204 wrote to memory of 396	2204	hrl197A.tmp	4
PID 2204 wrote to memory of 432	2204	hrl197A.tmp	5
PID 2204 wrote to memory of 432	2204	hrl197A.tmp	5
PID 2204 wrote to memory of 432	2204	hrl197A.tmp	5
PID 2204 wrote to memory of 432	2204	hrl197A.tmp	5
PID 2204 wrote to memory of 432	2204	hrl197A.tmp	5
PID 2204 wrote to memory of 432	2204	hrl197A.tmp	5
PID 2204 wrote to memory of 432	2204	hrl197A.tmp	5
PID 2204 wrote to memory of 476	2204	hrl197A.tmp	6
PID 2204 wrote to memory of 476	2204	hrl197A.tmp	6
PID 2204 wrote to memory of 476	2204	hrl197A.tmp	6
PID 2204 wrote to memory of 476	2204	hrl197A.tmp	6
PID 2204 wrote to memory of 476	2204	hrl197A.tmp	6
PID 2204 wrote to memory of 476	2204	hrl197A.tmp	6
PID 2204 wrote to memory of 476	2204	hrl197A.tmp	6
PID 2204 wrote to memory of 492	2204	hrl197A.tmp	7
PID 2204 wrote to memory of 492	2204	hrl197A.tmp	7
PID 2204 wrote to memory of 492	2204	hrl197A.tmp	7
PID 2204 wrote to memory of 492	2204	hrl197A.tmp	7
PID 2204 wrote to memory of 492	2204	hrl197A.tmp	7
PID 2204 wrote to memory of 492	2204	hrl197A.tmp	7
PID 2204 wrote to memory of 492	2204	hrl197A.tmp	7
PID 2204 wrote to memory of 500	2204	hrl197A.tmp	8
PID 2204 wrote to memory of 500	2204	hrl197A.tmp	8
PID 2204 wrote to memory of 500	2204	hrl197A.tmp	8
PID 2204 wrote to memory of 500	2204	hrl197A.tmp	8
PID 2204 wrote to memory of 500	2204	hrl197A.tmp	8
PID 2204 wrote to memory of 500	2204	hrl197A.tmp	8
PID 2204 wrote to memory of 500	2204	hrl197A.tmp	8
PID 2204 wrote to memory of 616	2204	hrl197A.tmp	9
PID 2204 wrote to memory of 616	2204	hrl197A.tmp	9
PID 2204 wrote to memory of 616	2204	hrl197A.tmp	9
PID 2204 wrote to memory of 616	2204	hrl197A.tmp	9
PID 2204 wrote to memory of 616	2204	hrl197A.tmp	9
PID 2204 wrote to memory of 616	2204	hrl197A.tmp	9
PID 2204 wrote to memory of 616	2204	hrl197A.tmp	9
PID 2204 wrote to memory of 688	2204	hrl197A.tmp	10
PID 2204 wrote to memory of 688	2204	hrl197A.tmp	10
PID 2204 wrote to memory of 688	2204	hrl197A.tmp	10
PID 2204 wrote to memory of 688	2204	hrl197A.tmp	10

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:616
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1972
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:772
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:836
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1336
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:864
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:1012
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:356
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:308
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1040
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1240
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2476
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\kkaaya.exe
    C:\Windows\SysWOW64\kkaaya.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a1a0cfae648dfa5f8b54ab4bce312bb93463e48deef5832fff7487437186779_NeikiAnalytics.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a1a0cfae648dfa5f8b54ab4bce312bb93463e48deef5832fff7487437186779_NeikiAnalytics.dll,#1
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\hrl197A.tmp
      C:\Users\Admin\AppData\Local\Temp\hrl197A.tmp
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hrl197A.tmp

Filesize
64KB

MD5
e2ac54b92a92ab894f9d8e26529d5990

SHA1
9d56e02c2053f21daff516a23c98f9e871c0f73a

SHA256
3c3631ee39fe32fb73dbc634ca30a41a2998e30a0a30d92083a47bd0c632da98

SHA512
44b37743d685940b24a8a5021d8b7c9b5369d3d3f3039bcbdb262d32d08d6e06d2728646f8a002a264dd91c353995fdb0ded1b013f18ab9eeae38b15a50429ab

Download Submit
memory/1688-7-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/1688-8-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/2204-12-0x0000000077D80000-0x0000000077D81000-memory.dmp

Filesize
4KB

Download
memory/2204-11-0x0000000077D7F000-0x0000000077D80000-memory.dmp

Filesize
4KB

Download
memory/2204-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2204-18-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2680-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download