Overview

overview

10

Static

static

3

14e1525bc3...KI.exe

windows7-x64

10

14e1525bc3...KI.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    07/05/2024, 19:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    14e1525bc3cba82fc80787e5c1e3f1f0_NEIKI.exe

  • Size

    170KB

  • MD5

    14e1525bc3cba82fc80787e5c1e3f1f0

  • SHA1

    70dd3d32eee03ee82784f5a72441d906ad6ce987

  • SHA256

    4feac6ffa91c9e1d5497471e45b8db6c7cc2736649c561a8b7a1d43a3d2fd9ec

  • SHA512

    5a28da14b68a973b8bf98fe0dd7e96fe8cab7c98b7d3a0a9df7ba5738cdca3cc2255890619453d9d5e97b1251eee357f8364836492f8fcd3bf78b69f9328bc1a

  • SSDEEP

    3072:iCcKpzOpm3uKQCDWeyDKVPy7THK4WZZzUR9Lr0lQbX:j7zOSuccuVqfp2+SW

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Sets file execution options in registry 2 TTPs 12 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 42 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14e1525bc3cba82fc80787e5c1e3f1f0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\14e1525bc3cba82fc80787e5c1e3f1f0_NEIKI.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
      "C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2588
    • C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
      "C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2088
    • C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
      "C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2584
    • C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
      "C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2744
    • C:\Windows\lsass.exe
      "C:\Windows\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2052

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        3
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Defense Evasion

        Hide Artifacts

        2
        T1564

        Hidden Files and Directories

        2
        T1564.001

        Modify Registry

        6
        T1112

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Inhibit System Recovery

        1
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\EJS4O5M.exe
          Filesize

          170KB

          MD5

          7509fe32e846ee3028529f4d96f9cd73

          SHA1

          567e5c3685d8977f45e3509ad44a0823c95b7ede

          SHA256

          7a4a58ca202010655a92ba71e96f0b48f96f633de8a04957fcb728080711c514

          SHA512

          9ae6ffc2142b0aa0a9ed4c9a344aae073fa3ac49f48ce9832e879db68823fe4cc34ba533230cfa123bcfc89f83a0039278367b1eb3c3de7c5458ce2d99a13657

          Download Submit

        • C:\Windows\EJS4O5M.exe
          Filesize

          170KB

          MD5

          4372e7131ea166cfc11650e7c855e58e

          SHA1

          bc7804303efa0aeb1b437d4af1d597bd38b0926e

          SHA256

          0e1cf9d02cb0f9cbfab3f9ec94d8f044c59e5b7eb2bda0c183ebd5fff330f304

          SHA512

          775f5a091b9cab058672440ad71e73956a666f843384ff43c0bb4739d09415d6eeabc87ca4861c9ec28d17d6b149e69b9ba34a46dfea27c5c83bd90ad54c3151

          Download Submit

        • C:\Windows\SysWOW64\IDY6I2DEJS4O5M.exe
          Filesize

          170KB

          MD5

          ab4a48adf06a6ac73c858e64b480f6fa

          SHA1

          1c69b7e68f0f218ab9655aa3b571ceefb3457315

          SHA256

          82a29d244925f13a8d53b3608a25816a2bf6f7772001b5d3534cd9a4c9859ffa

          SHA512

          63fe6037c4e4dc3b4ec42be88f6c0203bd2ad7fb97836830f9c96f872d4d4589c89e398270dc9127c97464ee759370cf0f9c83205b64799d935d40ba135a0314

          Download Submit

        • C:\Windows\SysWOW64\IDY6I2DEJS4O5M.exe
          Filesize

          170KB

          MD5

          8db493666ec5bb8d180f8ce8d7356877

          SHA1

          1363df240b77688eabd4196df2fdef74dac4c52d

          SHA256

          c9aa7f1ad5ee014d12fb7505d9cbe59557d59a5b026432ce92f7d67f8a105add

          SHA512

          bdec3fadbe04f7ed44a3dc85b9ed91f410cc3246f42a2a2e2b43c70295296c85069c8f3e4ff98bb8104078b05ed004d13499bcbf696bebd5efb027d753070731

          Download Submit

        • C:\Windows\SysWOW64\ONR1W0J.exe
          Filesize

          170KB

          MD5

          b7af4ff7aa513d5d6c95bab004530961

          SHA1

          c8ae8a08e0fc70a7ef932f82484a30a49bc836c6

          SHA256

          1d7868b7b6b93f0b79c9ad944b29792ddc22a0aa68600b50cb63fcdcf045501e

          SHA512

          d17c90a7107182424a99196567320c5b2e2da8a31a704cef353d7564a0b3d2e664516332ce1faf134c16492a4d514eb0b08f9bc52de8901b201ee1db9d7dc4db

          Download Submit

        • C:\Windows\SysWOW64\ONR1W0J.exe
          Filesize

          170KB

          MD5

          7d85a64a90a52b2bce7d9e15518d3d5f

          SHA1

          0be9cc127da8ec4b57c33bc393ad48205185dab7

          SHA256

          0846fb9263beafa91faebe629426bf069f57e4d64ba88d1dedaec3b5f07f745d

          SHA512

          91295809116a93f03967a05ef4c8e2545a51aee813b207caf261bbeca849550249adc8b71ad16ec0811bdf9e23fbe64b32302fb82928b128fafd2436be045093

          Download Submit

        • C:\Windows\SysWOW64\systear.dll
          Filesize

          141B

          MD5

          266899dd622ed06660a47961fbdb61c2

          SHA1

          97a35ed0535a930b440b36cdb78dbc56896a0753

          SHA256

          2d00c4225c49722f6dae945a68935b47fa804af46b5c27440fd34754d83149d4

          SHA512

          a8b57144834660c467ce838783d057451ef4ca6220b2f4ce370f1fdab4c2e60429e880eba0b78ead5e5b8b7c02f6f5fa62209d767d43a4a573eae85c6da23f6a

          Download Submit

        • C:\Windows\SysWOW64\systear.dll
          Filesize

          127B

          MD5

          a1262696d27dd14bd723378d8ec57ebc

          SHA1

          576bb5d14f8e3ae188599a17cc46c64dda3adf97

          SHA256

          b4487b61e3a064848aa722a6138c47ad1ee3edcc7b52905411ee8646c61b6d06

          SHA512

          de6af8ce0d1eb1c3c125dc664bf784cb8de970a2370a99128d6c272c80979029c10f14e49938170f77b3052543135bf4be9bae0d99329a9a4674fdd6d4e0c113

          Download Submit

        • C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\TWT1X8Q.com
          Filesize

          170KB

          MD5

          1b02d7aa1a076704a11735c473ee7ad9

          SHA1

          30bc48322146b760c58abae5067cc388a234aaa9

          SHA256

          e785ebc464814333fa8dd288866d84e11776084054c2cc3762ebaa035f118ae9

          SHA512

          f92eed47854d2442df599a03d37b4a6e50231b221f5c97676ba8b2fce2fbd1c710d7698d4064e9bd815d37965db3450ff8b169a7f2c2d5a50ca51674b9d7729e

          Download Submit

        • C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd
          Filesize

          170KB

          MD5

          d90713d83a5b85419542c7fce26465e1

          SHA1

          6925882bd8d86c44e4b54261d1b81daa823f3e36

          SHA256

          b193448f9780057ca5837331d6059ef6cd03b4f86e1ad50b6544b7bc38bbd0e7

          SHA512

          e87519e4c652808f00b7f2f8be6cfcb233f7705cb845c13e2a4d521acda0b9eb038c75ef6c9a27ce79a8333f27979fbf3099771778fefabd1816ddb313545bc8

          Download Submit

        • C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd
          Filesize

          170KB

          MD5

          b9c359e74c044fe6a6a469bd140e95f8

          SHA1

          89c23bcbca857bf6a249660e93433a501264b346

          SHA256

          5ba4d3ef4fe25bd254d289d5ed24cf20d266876e60d827e9c3899de217fd26b8

          SHA512

          cee2731aebd87e437375ffb1b6979131596371269b8ebc80407cf8c132eb7e73e501bd6688de874a20eb2d0b1c7aabc61c51ae37a8186e4d2eefc295b2ab54dc

          Download Submit

        • C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
          Filesize

          170KB

          MD5

          9a0973fff0bf086a40eb8f10d1b0dfcc

          SHA1

          513e63c7337e4b278c5f6a6368431d4bbd1e8f83

          SHA256

          7c1b977100d32a84f798a5a2f404a46be24e9f3cb95728b607758d2b7985600a

          SHA512

          3b3476f5fc06aebea634da75f949cb635da3d117ececd42c4d5303b3fb2f3a34b0f19a054321007f8cbb10e87470c696dd22d1849141e2ee0b2ade47b6d32249

          Download Submit

        • C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
          Filesize

          170KB

          MD5

          9f1eb6f3fbc8b0a6d1d274116a6cf78e

          SHA1

          061c6481e75f9af33c7b47cc2c2c77ea70d0efa1

          SHA256

          fbc7239cb3e698eb3f7b8ff7b7bd7e07f25ee5c24729c76429d8e9034cce9ce4

          SHA512

          080f1e50f161a7d107ed67a0b90624eb11d0cb88d1ba50e2d14d2dece13184c9edd1110b37eebe159dce7b5c568fcdb430291fd5d9efcdab027f7d2179bb8c78

          Download Submit

        • C:\Windows\UCI7K0V.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
          Filesize

          170KB

          MD5

          148afedee2778a78f1d738813f4e9aae

          SHA1

          b953dbc2437a3bdb2e9346c180c3d0d04b83c15e

          SHA256

          28dc91b89a3ab7ea8ffc5b684f470fdfbab715cf28272f1df6e75f5775ca59e3

          SHA512

          cd9d58d87b1073707c915b56aefb7816a77b874917b9a65b234d8b20eba025c76f30caba032c5d58c36d26b786adab6c878ce39ed41c781f90e59418daf6df95

          Download Submit

        • C:\Windows\WYL1T3C.exe
          Filesize

          170KB

          MD5

          da5abda4c9cf6e35bf4fe3a7382ad8fe

          SHA1

          d75fdbd74ffb8673731024cd35aef321538e629d

          SHA256

          96bee6a0263fbcb5890b94c67db9f201f8e6ef20b7cfbf2e9429e8d959d9284b

          SHA512

          0c5b178b30fc55414d23024d639d0b63149c7c02cab8bf95850845ff0bd41dea4eca5658b97ea1f6fd2821ec5914db441fe737d353176161cb48e4dcf7a26e67

          Download Submit

        • C:\Windows\WYL1T3C.exe
          Filesize

          170KB

          MD5

          14e1525bc3cba82fc80787e5c1e3f1f0

          SHA1

          70dd3d32eee03ee82784f5a72441d906ad6ce987

          SHA256

          4feac6ffa91c9e1d5497471e45b8db6c7cc2736649c561a8b7a1d43a3d2fd9ec

          SHA512

          5a28da14b68a973b8bf98fe0dd7e96fe8cab7c98b7d3a0a9df7ba5738cdca3cc2255890619453d9d5e97b1251eee357f8364836492f8fcd3bf78b69f9328bc1a

          Download Submit

        • C:\Windows\cypreg.dll
          Filesize

          417KB

          MD5

          eb02402da03ef2ad37b53e84f782f33b

          SHA1

          61e63088db131333536aa27f7942a2c692ebe374

          SHA256

          a4e76d71d90e815178b12f41a0bcd951fbf1f17855104148426a6baff9f35273

          SHA512

          848e89369de2a299374a0424aca268218bd0a9be9ccf174e08b2949c65677ee35532b837bb474e5bbf28e17af3c2d52f124673bceedb92dc284f33b6cd01f6c1

          Download Submit

        • C:\Windows\lsass.exe
          Filesize

          170KB

          MD5

          70b3370878b90b7bf5e409c5c1fabe91

          SHA1

          d0868c0765b66690b65ae15ab4b4894cd3ec9cfd

          SHA256

          9d9ff6282083693ff852b50d8ce317e67d30226a8f10a799a73359afd1d72c7d

          SHA512

          8c9dc01b9c26ea4a258d222ef6a99f2703ae2820cfd186d07a99e94b1fb10ca5cbe21bcc0f31205802e9e6f2cb22a538fb2e2388c42c6851ac627ae9597deb1e

          Download Submit

        • C:\Windows\lsass.exe
          Filesize

          170KB

          MD5

          26c3e62b5bd1c7cf199a9de9958b503b

          SHA1

          8b2236f852a1227dca451c05f24744c27fb955b0

          SHA256

          a8170b259d69af072e520dd0079d15cac39e3e543ec3576772929d62e1f49aa9

          SHA512

          c6ffb7db277b3c8e69ce8f6e9f23f88dd9eb509095e35928b2e6d0c83d18f46d58a47d554d27ae3f01372ae5fd5a9407d2d9920920e5d06461574d4dd0778041

          Download Submit

        • C:\Windows\moonlight.dll
          Filesize

          65KB

          MD5

          c55534452c57efa04f4109310f71ccca

          SHA1

          b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

          SHA256

          4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

          SHA512

          ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

          Download Submit

        • C:\Windows\onceinabluemoon.mid
          Filesize

          8KB

          MD5

          0e528d000aad58b255c1cf8fd0bb1089

          SHA1

          2445d2cc0921aea9ae53b8920d048d6537940ec6

          SHA256

          c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

          SHA512

          89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

          Download Submit

        • C:\Windows\system\msvbvm60.dll
          Filesize

          1.3MB

          MD5

          23d20fc9831ebc461826788cea9af7a8

          SHA1

          55c817767bbe46e80003806501368d5b9310bfdf

          SHA256

          fd70d888b164e9545c7faf0955b9d03ae246e2597953978936a41ec0cf6f0260

          SHA512

          9ee8470991f875f11f7aa6a1a5b5dfdffb3640caab60917f6de51eef028c9af141fc6ed50e2304c6cb2e395f822710271a16d9bc19fe1bb77ec44f7f4147bd40

          Download Submit

        • memory/2052-206-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2052-307-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2052-295-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2052-301-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2052-253-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2052-319-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2052-313-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2088-65-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2088-241-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2352-62-0x0000000002970000-0x00000000029C8000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2352-47-0x00000000002E0000-0x00000000002F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2352-89-0x0000000002970000-0x00000000029C8000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2352-0-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2352-203-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2584-242-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2584-276-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2584-243-0x0000000010000000-0x0000000010075000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2584-260-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2584-310-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2584-79-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2584-265-0x0000000010000000-0x0000000010075000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2584-264-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2584-245-0x0000000010000000-0x0000000010075000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2588-233-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2588-64-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2744-284-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2744-272-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2744-244-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2744-117-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2744-266-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2744-312-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2744-261-0x0000000000400000-0x0000000000458000-memory.dmp

          Filesize

          352KB

          Download