Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 30-06-2024 22:04
Behavioral task: behavioral1
Sample: 1db4920f417fdc928d6fd1e9b29c7def950d0b198ea261946aced53bbd82f120_NeikiAnalytics.dll
Resource: win7-20240508-en (windows7-x64)
4 signatures, 150 seconds
General
Target: 1db4920f417fdc928d6fd1e9b29c7def950d0b198ea261946aced53bbd82f120_NeikiAnalytics.dll
Size: 899KB
MD5: 72ca27e549045bc4ad9e5670827b5790
SHA1: bea2ab31d1f0936c0a8bedbe1858f76dbaf910d7
SHA256: 1db4920f417fdc928d6fd1e9b29c7def950d0b198ea261946aced53bbd82f120
SHA512: b33b7029d61f8b549098cd7bef2586c90210ed6d44639b91d5b3503e1498b7a2e05844adcf081d3f82ebcbca027fcde5964e4f6fdf2a03bca09a78ee58c3280f
SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXo:7wqd87Vo
Malware Config (extracted)
Family: gh0strat
C2: hackerinvasion.f3322.net
Signatures
Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2272-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
Suspicious behavior: RenamesItself (1 IoC)
  process: pid 2272 rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  7 events, each: PID 2284 (rundll32.exe) wrote to memory of PID 2272 (rundll32.exe)
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1db4920f417fdc928d6fd1e9b29c7def950d0b198ea261946aced53bbd82f120_NeikiAnalytics.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1db4920f417fdc928d6fd1e9b29c7def950d0b198ea261946aced53bbd82f120_NeikiAnalytics.dll,#1
      - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix
Downloads
memory/2272-0-0x0000000010000000-0x000000001014F000-memory.dmp (filesize: 1.3MB)