50cb36709c3bcfa8cabeeb06e8bcc6a156a54a79650a34239fac447f6cb8e2f2

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50cb36709c3bcfa8cabeeb06e8bcc6a156a54a79650a34239fac447f6cb8e2f2_NeikiAnalytics.dll
Size

65KB
MD5

9f8bdc9708f2c96205d9b02f4abdb370
SHA1

264115a7509eea2f1d5c1e7220eb5209c2354b05
SHA256

50cb36709c3bcfa8cabeeb06e8bcc6a156a54a79650a34239fac447f6cb8e2f2
SHA512

17715c9162a161dcf2fdb2a44ad54951fc625d243bbda9c664e97d558acde25776914d0233b3927ecd3967595c22e1e4f48acb6499fff5f202c6db1890e77965
SSDEEP

768:xqUHit1rrjyG4Iwk6rK7oEM36l65SgBV3v+1DS1gs+WlO5cs7fry1cAT6khwgUf:UnDoK7k/Sg7v0D3Wps7frlzk

Score

7^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 61 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\TypeLib\ = "{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\50cb36709c3bcfa8cabeeb06e8bcc6a156a54a79650a34239fac447f6cb8e2f2_NeikiAnalytics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\ = "_DWDAidImgEventsW"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\Control\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}\1.0\ = "WDAidEx ActiveX Control module (UNICODE)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\TypeLib\ = "{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\TypeLib\ = "{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WDAIDEX.WDAidImgCtrlW.1\CLSID\ = "{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\ = "_DWDAidImgW"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\TypeLib\ = "{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WDAIDEX.WDAidImgCtrlW.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\MiscStatus\1\ = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WDAIDEX.WDAidImgCtrlW.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\ProgID\ = "WDAIDEX.WDAidImgCtrlW.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\ = "_DWDAidImgW"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\ = "WDAidImgW Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\50cb36709c3bcfa8cabeeb06e8bcc6a156a54a79650a34239fac447f6cb8e2f2_NeikiAnalytics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\ = "_DWDAidImgEventsW"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WDAIDEX.WDAidImgCtrlW.1\ = "WDAidImgW Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6839A6AB-97FA-40E6-AA8C-7EC82674BFA1}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\50cb36709c3bcfa8cabeeb06e8bcc6a156a54a79650a34239fac447f6cb8e2f2_NeikiAnalytics.dll, 16633"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9B65C02-40AB-4A08-B5FB-733ECE3E2D0A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\TypeLib\ = "{DFFD49E0-DB89-4BAC-92F6-3AADB4A1BC81}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EA0CDB7-7D49-46DF-9EDE-AF944173CD30}\TypeLib\Version = "1.0"	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\50cb36709c3bcfa8cabeeb06e8bcc6a156a54a79650a34239fac447f6cb8e2f2_NeikiAnalytics.dll
1⤵
- Modifies registry class
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads