Analysis
-
max time kernel
135s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
01-07-2024 21:39
Static task
static1
Behavioral task
behavioral1
Sample
0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll
Resource
win10v2004-20240611-en
windows10-2004-x64
General
-
Target
0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll
-
Size
196KB
-
MD5
f7ae8c4b91a43fb78590b02347b48530
-
SHA1
b59418954dcf7479726c5d463e6c611404fe6ccd
-
SHA256
0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe
-
SHA512
46c7e2b58fa06fe97040c4c9368ed8a967421e575f2d08b9b808e7b50d1113be7d3838b6d76e949be0a87199caca770d0e544c1350a2232a6d76b0584ccd2953
-
SSDEEP
3072:fRmbICt25LZseWDzoPZ6WS6BLfvgaSlpcD+05f:5ljSzkPDNGEf
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
resource yara_rule behavioral2/memory/3016-0-0x0000000001FD0000-0x0000000001FFA000-memory.dmp fatalrat -
Blocklisted process makes network request 1 IoCs
flow pid Process 22 3016 rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3016 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2520 wrote to memory of 3016 2520 rundll32.exe 83 PID 2520 wrote to memory of 3016 2520 rundll32.exe 83 PID 2520 wrote to memory of 3016 2520 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll,#12⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
-