Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 27-06-2024 23:03
Behavioral task: behavioral1
Sample: 36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1_NeikiAnalytics.dll
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1_NeikiAnalytics.dll
Resource: win10v2004-20240508-en
General
Target: 36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1_NeikiAnalytics.dll
Size: 9KB
MD5: 70f9592523c0c66c00d6f8b0c97df860
SHA1: 7c8fae88ca5d2e6837c74a63953b47dd17a68622
SHA256: 36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1
SHA512: 6a3a85e90808bc6ac4541cd24900b571775f2dc90e89b3fafe1dd796067455a572167ceae5dd3f25a99d4ff0caef6045108f4eae994198cdfbca7efb74e3c4d7
SSDEEP: 48:q0kV3zU9G4aNVh7XphlhEF57/nGhZoEmbOE:vDIK6oE
Malware Config
Extracted: metasploit
Payload: windows/exec
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rundll32.exe
  description                          | pid  | process      | target process
  PID 1708 set thread context of 1924  | 1708 | rundll32.exe | rundll32.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: rundll32.exe, rundll32.exe, rundll32.exe
  description                          | pid  | process      | target process
  PID 1932 wrote to memory of 1708     | 1932 | rundll32.exe | rundll32.exe
  PID 1932 wrote to memory of 1708     | 1932 | rundll32.exe | rundll32.exe
  PID 1932 wrote to memory of 1708     | 1932 | rundll32.exe | rundll32.exe
  PID 1932 wrote to memory of 1708     | 1932 | rundll32.exe | rundll32.exe
  PID 1932 wrote to memory of 1708     | 1932 | rundll32.exe | rundll32.exe
  PID 1932 wrote to memory of 1708     | 1932 | rundll32.exe | rundll32.exe
  PID 1932 wrote to memory of 1708     | 1932 | rundll32.exe | rundll32.exe
  PID 1708 wrote to memory of 1924     | 1708 | rundll32.exe | rundll32.exe
  PID 1708 wrote to memory of 1924     | 1708 | rundll32.exe | rundll32.exe
  PID 1708 wrote to memory of 1924     | 1708 | rundll32.exe | rundll32.exe
  PID 1708 wrote to memory of 1924     | 1708 | rundll32.exe | rundll32.exe
  PID 1708 wrote to memory of 1924     | 1708 | rundll32.exe | rundll32.exe
  PID 1708 wrote to memory of 1924     | 1708 | rundll32.exe | rundll32.exe
  PID 1708 wrote to memory of 1924     | 1708 | rundll32.exe | rundll32.exe
  PID 1708 wrote to memory of 1924     | 1708 | rundll32.exe | rundll32.exe
  PID 1924 wrote to memory of 2068     | 1924 | rundll32.exe | calc.exe
  PID 1924 wrote to memory of 2068     | 1924 | rundll32.exe | calc.exe
  PID 1924 wrote to memory of 2068     | 1924 | rundll32.exe | calc.exe
  PID 1924 wrote to memory of 2068     | 1924 | rundll32.exe | calc.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1_NeikiAnalytics.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1_NeikiAnalytics.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: rundll32.exe
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\calc.exe
            Command line: calc.exe