Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2024 23:56
Behavioral task: behavioral1
Sample: 6eee0d6154540a99d2c38ba0cb3e5660_NEIKI.exe
Resource: win7-20240221-en
General
- Target: 6eee0d6154540a99d2c38ba0cb3e5660_NEIKI.exe
- Size: 1.1MB
- MD5: 6eee0d6154540a99d2c38ba0cb3e5660
- SHA1: b042118ac4e5e528936a7a34cd45dd363920b33e
- SHA256: de21ae85f34b2bd56bb96d560b674b2beb571faf4046aa87bc2ffa377cc85708
- SHA512: 5dc30e01dd4e32a695374237927fc8a44bfe84638ca63a8f3267823d20f8f734e8363a6929935d873cc6ac96ff9032752f96bf66eef63fbfb04651014513da0d
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1StE10/ZcnDPV:E5aIwC+Agr6S/FFC+LV
Malware Config
Signatures
- KPOT Core Executable (1 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Roaming\WinSocket\7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
    yara_rule: family_kpot
- Trickbot x86 loader (1 IoCs)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes:
    resource: behavioral2/memory/1760-16-0x00000000029E0000-0x0000000002A09000-memory.dmp
    yara_rule: trickbot_loader32
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    516   7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
    4532  7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
    4532  7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description             pid   process
    Token: SeTcbPrivilege   4532  7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
    Token: SeTcbPrivilege   4532  7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid   process
    1760  6eee0d6154540a99d2c38ba0cb3e5660_NEIKI.exe
    516   7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
    4532  7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
    4532  7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\6eee0d6154540a99d2c38ba0cb3e5660_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6eee0d6154540a99d2c38ba0cb3e5660_NEIKI.exe"
  PID: 1760
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\WinSocket\7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
    PID: 516
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 5020
- C:\Users\Admin\AppData\Roaming\WinSocket\7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
  PID: 4532
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    PID: 460
- C:\Users\Admin\AppData\Roaming\WinSocket\7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\7eee0d7164640a99d2c39ba0cb3e6770_NFJLJ.exe
  PID: 4532
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    PID: 3436
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: 6eee0d6154540a99d2c38ba0cb3e5660
  SHA1: b042118ac4e5e528936a7a34cd45dd363920b33e
  SHA256: de21ae85f34b2bd56bb96d560b674b2beb571faf4046aa87bc2ffa377cc85708
  SHA512: 5dc30e01dd4e32a695374237927fc8a44bfe84638ca63a8f3267823d20f8f734e8363a6929935d873cc6ac96ff9032752f96bf66eef63fbfb04651014513da0d
- Filesize: 48KB
  MD5: 5af229182f0851ad7db4bb902da0380d
  SHA1: d133a7eef9b266701b1328825d221516a1f0b2f8
  SHA256: ea9a1817082365c0467733bc41346295278e2fd9138b7112828c7ac650f5c412
  SHA512: b997af768498da01bdde7f193a931e8a286d270f276cb88f79666299eaada014e28bc5b56da8a1c701b60c9241fbb50e77a196073c1c2d0addedcd15334127c9