Analysis
Max time kernel: 51s
Max time network: 53s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-06-2024 23:03
Behavioral task: behavioral1
Sample: 36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1_NeikiAnalytics.dll
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1_NeikiAnalytics.dll
Resource: win10v2004-20240508-en
General
Target: 36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1_NeikiAnalytics.dll
Size: 9KB
MD5: 70f9592523c0c66c00d6f8b0c97df860
SHA1: 7c8fae88ca5d2e6837c74a63953b47dd17a68622
SHA256: 36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1
SHA512: 6a3a85e90808bc6ac4541cd24900b571775f2dc90e89b3fafe1dd796067455a572167ceae5dd3f25a99d4ff0caef6045108f4eae994198cdfbca7efb74e3c4d7
SSDEEP: 48:q0kV3zU9G4aNVh7XphlhEF57/nGhZoEmbOE:vDIK6oE
Malware Config
Extracted: metasploit, windows/exec
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Suspicious use of SetThreadContext (1 IoC)
Processes: rundll32.exe
PID 2508 (rundll32.exe) set thread context of PID 1204 (rundll32.exe)

Modifies registry class (1 IoC)
Processes: calc.exe
calc.exe: Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: OpenWith.exe
OpenWith.exe (PID 32)

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: rundll32.exe, rundll32.exe, rundll32.exe
PID 4700 (rundll32.exe) wrote to memory of PID 2508 (rundll32.exe)
PID 4700 (rundll32.exe) wrote to memory of PID 2508 (rundll32.exe)
PID 4700 (rundll32.exe) wrote to memory of PID 2508 (rundll32.exe)
PID 2508 (rundll32.exe) wrote to memory of PID 1204 (rundll32.exe)
PID 2508 (rundll32.exe) wrote to memory of PID 1204 (rundll32.exe)
PID 2508 (rundll32.exe) wrote to memory of PID 1204 (rundll32.exe)
PID 2508 (rundll32.exe) wrote to memory of PID 1204 (rundll32.exe)
PID 1204 (rundll32.exe) wrote to memory of PID 4300 (calc.exe)
PID 1204 (rundll32.exe) wrote to memory of PID 4300 (calc.exe)
PID 1204 (rundll32.exe) wrote to memory of PID 4300 (calc.exe)
Processes (process tree, indented by depth)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1_NeikiAnalytics.dll,#1
  Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\36ded09b5dee35c33645b90ce0c3279fd7adf2edadb54fd7f202c5aaabb2ced1_NeikiAnalytics.dll,#1
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32.exe
          Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\calc.exe
              Command line: calc.exe
              Modifies registry class

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
memory/1204-0-0x00000000004D0000-0x00000000004D1000-memory.dmp (filesize: 4KB)