Analysis
- max time kernel: 120s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2024 21:26
Static task: static1
Behavioral task: behavioral1
- Sample: 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
- Resource: win10v2004-20240419-en
General
- Target: 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
- Size: 112KB
- MD5: 3b37b39e97b479ca5d286ff4d1d1c200
- SHA1: c1858f16f5b1855fc1e402a7a10a9840fb8cb663
- SHA256: 675e8d73939dddbaecae6e947051c26973f6c3e2243f2db520be1f4ec1c0d473
- SHA512: 7c0eb1276f37ddb6e1955a80d6738ff54862c6d5311a9fd5f2f006939c32242f1254d8cd8e3a47db509dfe7877553bf5f76026c41c58dfd5f0d805c1f3f88bf2
- SSDEEP: 1536:t2ovIa47CqIf2f3w41p7sDcX7juR/JSJw8EeNshUDGXJ:tVIr7zI+fAceoGxSKKo5
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (4 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4620-61-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
  behavioral2/memory/4620-63-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
  behavioral2/memory/4620-64-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
  behavioral2/memory/4620-69-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  1704 | WAMain.exe
  3876 | WAMain.exe
  4620 | WAMain.exe
Processes:
  resource | yara_rule
  behavioral2/memory/4292-13-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4292-11-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4292-14-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4292-17-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4620-56-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral2/memory/4620-61-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral2/memory/4620-63-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral2/memory/4620-60-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral2/memory/4620-64-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral2/memory/4292-66-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4620-69-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral2/memory/3876-68-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows WA = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WAMain.exe" | reg.exe
Suspicious use of SetThreadContext (5 IoCs)
Processes:
  description | pid | process | target process
  PID 116 set thread context of 5040 | 116 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | svchost.exe
  PID 116 set thread context of 4292 | 116 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
  PID 1704 set thread context of 1536 | 1704 | WAMain.exe | svchost.exe
  PID 1704 set thread context of 3876 | 1704 | WAMain.exe | WAMain.exe
  PID 1704 set thread context of 4620 | 1704 | WAMain.exe | WAMain.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  2248 | 5040 | WerFault.exe | svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  1536 | svchost.exe (the same row is repeated for every one of the 64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3876 | WAMain.exe (the same row is repeated for every one of the 64 IoCs)
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid | process
  116 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
  4292 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe
  1704 | WAMain.exe
  1536 | svchost.exe
  3876 | WAMain.exe
Suspicious use of WriteProcessMemory (46 IoCs)
Processes (identical rows collapsed, repeat count in brackets):
  description | pid | process | target process
  PID 116 wrote to memory of 5040 | 116 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | svchost.exe [x4]
  PID 116 wrote to memory of 4292 | 116 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe [x8]
  PID 4292 wrote to memory of 1676 | 4292 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | cmd.exe [x3]
  PID 1676 wrote to memory of 1404 | 1676 | cmd.exe | reg.exe [x3]
  PID 4292 wrote to memory of 1704 | 4292 | 3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe | WAMain.exe [x3]
  PID 1704 wrote to memory of 1536 | 1704 | WAMain.exe | svchost.exe [x9]
  PID 1704 wrote to memory of 3876 | 1704 | WAMain.exe | WAMain.exe [x8]
  PID 1704 wrote to memory of 4620 | 1704 | WAMain.exe | WAMain.exe [x8]
Processes (process tree; indentation follows the depth level the report gives for each process)
C:\Users\Admin\AppData\Local\Temp\3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe (PID 116)
  command line: "C:\Users\Admin\AppData\Local\Temp\3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 5040)
      command line: "C:\Windows\system32\svchost.exe"
        C:\Windows\SysWOW64\WerFault.exe (PID 2248)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 84
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe (PID 4292)
      command line: "C:\Users\Admin\AppData\Local\Temp\3b37b39e97b479ca5d286ff4d1d1c200_NEIKI.exe"
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1676)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWIMR.bat" "
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\reg.exe (PID 1404)
              command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f
              - Adds Run key to start application
        C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe (PID 1704)
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\svchost.exe (PID 1536)
              command line: "C:\Windows\system32\svchost.exe"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
            C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe (PID 3876)
              command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
            C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe (PID 4620)
              command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
              - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe (PID 1384)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5040 -ip 5040
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 148B
  MD5: 3a4614705555abb049c3298e61170b7f
  SHA1: c8686410756f346d9551256a5b878b04770950ba
  SHA256: cff0663c8cfadf83b80583a871c313ffc5d950cb503809cb4a482f400c5d846b
  SHA512: 65ce6fec00e6934f21635e7ccd74757f31ed4b0ddb52bd80d3ea9abeba56340128d23151ef7d9f5daacb5d61e4a4cca50dbb3a43132e350522311ee06e829007
- Filesize: 112KB
  MD5: 6f4df1112ee296f673386f469c82e964
  SHA1: 34629c37a93a8a1ae7c979d8356163a922ec888d
  SHA256: 5fb94d448941330a6ea9bfc2c2ff84bf591c1265e3659f3771f8dbb14e6e665f
  SHA512: 9cd25b6466893cebd63c82223faf979d574ccae4b28e2b42bbd5f103484907cb2a8e8725f586aad1d960b39bd667cdc0c1edba8383e8478295ae2787a2e76575