030cc9667ec24e71010a90d491342807b31243b1b674ff7a9aba6e04831e17e6

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4128794041926576f20ed833da5e9c80_NEIKI.exe
Size

40KB
MD5

4128794041926576f20ed833da5e9c80
SHA1

47bbb92f1e9d4d8c6c1d4afcf147f9a0fa25f2cc
SHA256

030cc9667ec24e71010a90d491342807b31243b1b674ff7a9aba6e04831e17e6
SHA512

8277d8a89124c410e83ad892cc93de91815090ec7bed2b7f1a5d9722665e08ceedd6ef5912ec986ed2207592abd44732470ca767495cbe0e8f4fe3d4af8ee50f
SSDEEP

768:tzmfIz1Xa3jZr/t3R6OpY9x0dHXOHk3CCecGH9C/vc:tfzGbB6IY9x6w4RCsvc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4128794041926576f20ed833da5e9c80_NEIKI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Admin.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	Admin.exe

Loads dropped DLL 2 IoCs

pid	Process
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	4128794041926576f20ed833da5e9c80_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"	Admin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
1724	Admin.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2008	4128794041926576f20ed833da5e9c80_NEIKI.exe
1724	Admin.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1724	2008	4128794041926576f20ed833da5e9c80_NEIKI.exe	28
PID 2008 wrote to memory of 1724	2008	4128794041926576f20ed833da5e9c80_NEIKI.exe	28
PID 2008 wrote to memory of 1724	2008	4128794041926576f20ed833da5e9c80_NEIKI.exe	28
PID 2008 wrote to memory of 1724	2008	4128794041926576f20ed833da5e9c80_NEIKI.exe	28

C:\Users\Admin\AppData\Local\Temp\4128794041926576f20ed833da5e9c80_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\4128794041926576f20ed833da5e9c80_NEIKI.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\Admin.exe
  "C:\Users\Admin\Admin.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Admin.exe

Filesize
40KB

MD5
b9c6c5db708f93497c13f357c30f6ff7

SHA1
c8d9932f07da8f98f6046f70e084c50bfa7e3e98

SHA256
4b166944b8ec8b6fc0de229ac555bc00aae69cca12e1cf47ab969d29aba8761c

SHA512
1af64c5a8d5774b18ca766cf2ff9c49d50472dc8c7432711c7435750e3ef912e464ac80c81e63d6d32cea9057a1fd9c3c3fe39962d5ffa26049d7304aa03173c

Download Submit