Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
01/07/2024, 21:39 UTC
Static task
static1
Behavioral task
behavioral1
Sample
0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll
Resource
win10v2004-20240611-en
General
-
Target
0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll
-
Size
196KB
-
MD5
f7ae8c4b91a43fb78590b02347b48530
-
SHA1
b59418954dcf7479726c5d463e6c611404fe6ccd
-
SHA256
0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe
-
SHA512
46c7e2b58fa06fe97040c4c9368ed8a967421e575f2d08b9b808e7b50d1113be7d3838b6d76e949be0a87199caca770d0e544c1350a2232a6d76b0584ccd2953
-
SSDEEP
3072:fRmbICt25LZseWDzoPZ6WS6BLfvgaSlpcD+05f:5ljSzkPDNGEf
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
resource yara_rule behavioral2/memory/3016-0-0x0000000001FD0000-0x0000000001FFA000-memory.dmp fatalrat -
Blocklisted process makes network request 1 IoCs
flow pid Process 22 3016 rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe 3016 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3016 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2520 wrote to memory of 3016 2520 rundll32.exe 83 PID 2520 wrote to memory of 3016 2520 rundll32.exe 83 PID 2520 wrote to memory of 3016 2520 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0bdaee2789ba12e2e724bb1f6f58eb2add8febbe4d7304d8dc69970b000dc7fe_NeikiAnalytics.dll,#12⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request203.107.17.2.in-addr.arpaIN PTRResponse203.107.17.2.in-addr.arpaIN PTRa2-17-107-203deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request1-31.qq-weixin.orgIN AResponse1-31.qq-weixin.orgIN A103.207.165.4
-
Remote address:8.8.8.8:53Request4.165.207.103.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request57.169.31.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request144.107.17.2.in-addr.arpaIN PTRResponse144.107.17.2.in-addr.arpaIN PTRa2-17-107-144deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239351692309_12E985FV6AZCRM3HV&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239351692309_12E985FV6AZCRM3HV&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 276211
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D8C7F56F50FD443B9DB43FCB7FC3C1AC Ref B: LON04EDGE1014 Ref C: 2024-07-01T21:41:48Z
date: Mon, 01 Jul 2024 21:41:48 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239351692308_1QYA5IZ7RRGGSDH4Z&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239351692308_1QYA5IZ7RRGGSDH4Z&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 383394
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 11E78AACF86947D5BE5FA056328BA6FA Ref B: LON04EDGE1014 Ref C: 2024-07-01T21:41:48Z
date: Mon, 01 Jul 2024 21:41:48 GMT
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request10.27.171.150.in-addr.arpaIN PTRResponse
-
1.0kB 461 B 12 11
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239351692308_1QYA5IZ7RRGGSDH4Z&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http226.2kB 689.4kB 513 510
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239351692309_12E985FV6AZCRM3HV&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239351692308_1QYA5IZ7RRGGSDH4Z&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200 -
1.2kB 6.8kB 15 12
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
203.107.17.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.160.190.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
-
64 B 80 B 1 1
DNS Request
1-31.qq-weixin.org
DNS Response
103.207.165.4
-
72 B 137 B 1 1
DNS Request
4.165.207.103.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
57.169.31.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
144.107.17.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
10.27.171.150.in-addr.arpa