Analysis
max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted
17-05-2024 06:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c21474e094fece1695b6d233436f96b0_NeikiAnalytics.dll
Resource
win7-20240220-en
windows7-x64
4 signatures
150 seconds
General
Target
c21474e094fece1695b6d233436f96b0_NeikiAnalytics.dll
Size
160KB
MD5
c21474e094fece1695b6d233436f96b0
SHA1
59dc1d033add5f03056eb6e65af1394c6664e5a7
SHA256
00cd0c2e41dfecabca07d86b8794656bb44abcd7484e7a3ee4462250a80881e4
SHA512
fa8d10e384a2826a9d4cbe69599ef834f034d2aca583c819021b695ebbf3372e039202d0aa171bd53897d4a36607c28b2b3c59b587896ef964186325a7f97156
SSDEEP
3072:uWX2IjzzpM+PncPeY8+O3AU3HRIHPh3UGfXy0BHNkIv/ScbQQ2y0iNM0+y+N0tc:u42IfzNPnoeY8j3AsHGPXpHNj6rByM3
Malware Config
Extracted
Family
dridex
Botnet
40111
C2
94.247.168.64:443
159.203.93.122:8172
50.116.27.97:2303
rc4.plain
rc4.plain
Signatures
YARA memory matches (dridex_ldr)
Processes:
resource                                                                      yara_rule
behavioral1/memory/1984-0-0x0000000074690000-0x00000000746BE000-memory.dmp    dridex_ldr
behavioral1/memory/1984-2-0x0000000074690000-0x00000000746BE000-memory.dmp    dridex_ldr
Checks whether UAC is enabled
Processes:
description          ioc                                                                                    process
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                         pid    process        target process
PID 1992 wrote to memory of 1984    1992   rundll32.exe   rundll32.exe
(the same parent-to-child write is recorded seven times, one row per IoC)
Processes
C:\Windows\system32\rundll32.exe (tree depth 1)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c21474e094fece1695b6d233436f96b0_NeikiAnalytics.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (tree depth 2)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c21474e094fece1695b6d233436f96b0_NeikiAnalytics.dll,#1
    - Checks whether UAC is enabled
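The process tree and the two behavioural signatures above describe one chain: the 64-bit C:\Windows\system32\rundll32.exe (PID 1992) is handed the DLL, writes into a child C:\Windows\SysWOW64\rundll32.exe (PID 1984) that loads the same DLL with the same export ordinal (#1), and that 32-bit child queries EnableLUA. The hop to SysWOW64 is what the 64-bit rundll32 does for any 32-bit DLL, so on its own it is a weak signal; what makes it worth alerting on is the YARA hit on the child's memory (the 0x74690000 region, a 32-bit address space) and the UAC check in the same process. The detection logic below is an added example written for this page, not sandbox code. It runs over constructed Sysmon-style events: the PIDs 1992/1984, the DLL path and the registry key come from the report; the parent PID 1500, the benign control event (PID 2200) and the event field names are assumptions.

```python
import re

# Matches "rundll32.exe <path>.dll,<export>" and captures the DLL path and export.
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+\.dll),(?P<export>\S+)", re.IGNORECASE)

SYSTEM32_RUNDLL32 = r"c:\windows\system32\rundll32.exe"   # 64-bit host on x64 Windows
SYSWOW64_RUNDLL32 = r"c:\windows\syswow64\rundll32.exe"   # 32-bit host the parent relaunches
ENABLE_LUA_SUFFIX = r"\policies\system\enablelua"          # tail of the key the sample reads

# DLL path as it appears in the report's process tree.
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\c21474e094fece1695b6d233436f96b0_NeikiAnalytics.dll"

# Constructed Sysmon-style events (not sandbox output). PIDs 1992/1984, the DLL and
# the registry key are from the report; PID 1500, PID 2200 and the field names are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1992, "ppid": 1500,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process", "pid": 1984, "ppid": 1992,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "registry", "pid": 1984, "op": "QueryValue",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    # Benign control: a 64-bit rundll32 running a 64-bit system DLL never spawns a SysWOW64 child.
    {"type": "process", "pid": 2200, "ppid": 1500,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def rundll32_target(cmdline):
    """Return (dll_path_lowercased, export) for a rundll32 command line, or None."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").lower(), m.group("export")


def find_wow64_handoffs(events):
    """64-bit rundll32 parent -> SysWOW64 rundll32 child that loads the same DLL and export."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None:
            continue
        if child["image"].lower() != SYSWOW64_RUNDLL32 or parent["image"].lower() != SYSTEM32_RUNDLL32:
            continue
        child_target = rundll32_target(child["cmdline"])
        if child_target and child_target == rundll32_target(parent["cmdline"]):
            hits.append({"parent_pid": parent["pid"], "child_pid": child["pid"], "dll": child_target[0]})
    return hits


def find_uac_checks(events):
    """Sorted PIDs that queried the EnableLUA policy value (the report's 'Checks whether UAC is enabled')."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "registry"
                   and e["op"].lower().startswith("query")
                   and e["key"].lower().endswith(ENABLE_LUA_SUFFIX)})


def correlate(events):
    """Hand-offs whose 32-bit child also performed the UAC check: both signatures in one chain."""
    uac_pids = set(find_uac_checks(events))
    return [h for h in find_wow64_handoffs(events) if h["child_pid"] in uac_pids]


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(f"rundll32 {hit['parent_pid']} -> SysWOW64 rundll32 {hit['child_pid']} "
              f"loaded {hit['dll']} and queried EnableLUA")
```

The parent/child image check deliberately requires the exact system32 to SysWOW64 pair with an identical DLL and export, which keeps ordinary 64-bit rundll32 launches (the shell32 control event) out of the result; the final correlation step is where the report's two weaker signatures become one alert.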