Analysis
- max time kernel: 6s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 21:26
Static task
- static1
Behavioral task
- behavioral1
  Sample: 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
  Resource: win7-20240220-en
Behavioral task
- behavioral2
  Sample: 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
  Resource: win10v2004-20240419-en
General
- Target: 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
- Size: 112KB
- MD5: 3b37b39e97b479ca5d286ff4d1d1c200
- SHA1: c1858f16f5b1855fc1e402a7a10a9840fb8cb663
- SHA256: 675e8d73939dddbaecae6e947051c26973f6c3e2243f2db520be1f4ec1c0d473
- SHA512: 7c0eb1276f37ddb6e1955a80d6738ff54862c6d5311a9fd5f2f006939c32242f1254d8cd8e3a47db509dfe7877553bf5f76026c41c58dfd5f0d805c1f3f88bf2
- SSDEEP: 1536:t2ovIa47CqIf2f3w41p7sDcX7juR/JSJw8EeNshUDGXJ:tVIr7zI+fAceoGxSKKo5
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/836-283-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
  behavioral1/memory/836-297-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
- Executes dropped EXE (3 IoCs)
  Processes: WAMain.exe, WAMain.exe, WAMain.exe
  pid | process
  1820 | WAMain.exe
  696 | WAMain.exe
  836 | WAMain.exe
- Loads dropped DLL (5 IoCs)
  Processes: 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
  pid | process
  1016 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe (5 identical entries)
  Processes:
  resource | yara_rule
  behavioral1/memory/1016-127-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1016-116-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1016-112-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1016-110-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/696-276-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/1016-286-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/836-283-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral1/memory/696-294-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral1/memory/836-297-0x0000000000400000-0x0000000000414000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows WA = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WAMain.exe" | reg.exe
- Suspicious use of SetThreadContext (5 IoCs)
  Processes: 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe, WAMain.exe
  description | pid | process | target process
  PID 1780 set thread context of 2668 | 1780 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | svchost.exe
  PID 1780 set thread context of 1016 | 1780 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
  PID 1820 set thread context of 1708 | 1820 | WAMain.exe | svchost.exe
  PID 1820 set thread context of 696 | 1820 | WAMain.exe | WAMain.exe
  PID 1820 set thread context of 836 | 1820 | WAMain.exe | WAMain.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: svchost.exe
  pid | process
  2668 | svchost.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: WAMain.exe
  description | pid | process
  Token: SeDebugPrivilege | 696 | WAMain.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe, svchost.exe, 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe, WAMain.exe, svchost.exe, WAMain.exe
  pid | process
  1780 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
  2668 | svchost.exe
  1016 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
  1820 | WAMain.exe
  1708 | svchost.exe
  696 | WAMain.exe
- Suspicious use of WriteProcessMemory (56 IoCs)
  Processes: 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe, 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe, cmd.exe, WAMain.exe
  description | pid | process | target process | entries
  PID 1780 wrote to memory of 2668 | 1780 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | svchost.exe | 10
  PID 1780 wrote to memory of 1016 | 1780 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | 8
  PID 1016 wrote to memory of 1648 | 1016 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | cmd.exe | 4
  PID 1648 wrote to memory of 1800 | 1648 | cmd.exe | reg.exe | 4
  PID 1016 wrote to memory of 1820 | 1016 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | WAMain.exe | 4
  PID 1820 wrote to memory of 1708 | 1820 | WAMain.exe | svchost.exe | 10
  PID 1820 wrote to memory of 696 | 1820 | WAMain.exe | WAMain.exe | 8
  PID 1820 wrote to memory of 836 | 1820 | WAMain.exe | WAMain.exe | 8
Processes
- C:\Users\Admin\AppData\Local\Temp\3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe"
  PID: 1780
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\system32\svchost.exe"
    PID: 2668
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe"
    PID: 1016
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\GLYHI.bat" "
      PID: 1648
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f
        PID: 1800
        - Adds Run key to start application
    - C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
      PID: 1820
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Windows\system32\svchost.exe"
        PID: 1708
        - Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
        PID: 696
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
        PID: 836
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 148B
  MD5: 3a4614705555abb049c3298e61170b7f
  SHA1: c8686410756f346d9551256a5b878b04770950ba
  SHA256: cff0663c8cfadf83b80583a871c313ffc5d950cb503809cb4a482f400c5d846b
  SHA512: 65ce6fec00e6934f21635e7ccd74757f31ed4b0ddb52bd80d3ea9abeba56340128d23151ef7d9f5daacb5d61e4a4cca50dbb3a43132e350522311ee06e829007
- Filesize: 112KB
  MD5: 3b37b39e97b479ca5d286ff4d1d1c200
  SHA1: c1858f16f5b1855fc1e402a7a10a9840fb8cb663
  SHA256: 675e8d73939dddbaecae6e947051c26973f6c3e2243f2db520be1f4ec1c0d473
  SHA512: 7c0eb1276f37ddb6e1955a80d6738ff54862c6d5311a9fd5f2f006939c32242f1254d8cd8e3a47db509dfe7877553bf5f76026c41c58dfd5f0d805c1f3f88bf2