0c4fd187f1ed90125c70e5d39664900d84c3dfe85e3401c8282f8b51ff19d3d1

General

Target

2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe
Size

717KB
MD5

2d69aa1a205225f27dda27e59c0f1890
SHA1

3a3755dbd71428a0b094ab4ccef9a87365180e29
SHA256

0c4fd187f1ed90125c70e5d39664900d84c3dfe85e3401c8282f8b51ff19d3d1
SHA512

3af2086e3b80a5cd9039e005a104ff6dd0e37560cc599204003006e1092d5b14ccaf8d6148f09fe9b38381e1ec97d6525f78b94aebf01f320c71fdb599e0f7dd
SSDEEP

12288:2pR3MqWOKw7yWMJFLubMNfntcanU+SH7:iR84fmX8ItHnXI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2144	vuziioc.exe
2532	~DFA18D.tmp
776	ibsudoc.exe

Loads dropped DLL 3 IoCs

pid	Process
1728	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe
2144	vuziioc.exe
2532	~DFA18D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe
776	ibsudoc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	~DFA18D.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2144	1728	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	29
PID 1728 wrote to memory of 2144	1728	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	29
PID 1728 wrote to memory of 2144	1728	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	29
PID 1728 wrote to memory of 2144	1728	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	29
PID 2144 wrote to memory of 2532	2144	vuziioc.exe	30
PID 2144 wrote to memory of 2532	2144	vuziioc.exe	30
PID 2144 wrote to memory of 2532	2144	vuziioc.exe	30
PID 2144 wrote to memory of 2532	2144	vuziioc.exe	30
PID 1728 wrote to memory of 2544	1728	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	31
PID 1728 wrote to memory of 2544	1728	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	31
PID 1728 wrote to memory of 2544	1728	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	31
PID 1728 wrote to memory of 2544	1728	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	31
PID 2532 wrote to memory of 776	2532	~DFA18D.tmp	33
PID 2532 wrote to memory of 776	2532	~DFA18D.tmp	33
PID 2532 wrote to memory of 776	2532	~DFA18D.tmp	33
PID 2532 wrote to memory of 776	2532	~DFA18D.tmp	33

C:\Users\Admin\AppData\Local\Temp\2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\vuziioc.exe
  C:\Users\Admin\AppData\Local\Temp\vuziioc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\~DFA18D.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA18D.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\ibsudoc.exe
      "C:\Users\Admin\AppData\Local\Temp\ibsudoc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
289B

MD5
43ebfa4d990c781e55d810d40122aad9

SHA1
facb964611b151dbe0effa79ff04d86534076e4c

SHA256
e61571a4650b26d962d67308276b7462f2208dc685448441dd705213c52a04fc

SHA512
6e64dc3f0cc516f17df1f2ed9d5493f06c1b8e26b4491c5701225a962b5768ca8af7136feaa8965fc7e1556620d1a11686b549f2ac31bbb76b50f8dc2cd4171a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
18d3df574160674118c5f6a61b81efe9

SHA1
a273e13fbb604816c5c1bc28a16b7482bc0c7e64

SHA256
9454c09db7942cc89277a3c85b91f292584209c642fffd1f01c2db6fa011e8ea

SHA512
48e13dbc18f2ba49568d4cf9379f24be53684a3a90454f34697641541e8453d4e38259c1ac0326a1cc15874ffea9995c1d5793dedc963be5f7550b23aeec5aad

Download Submit
\Users\Admin\AppData\Local\Temp\ibsudoc.exe

Filesize
404KB

MD5
2f64eb60faec2677822a386240a2754d

SHA1
28a76e14ea4e32478ffc97b9fd495600eda2fce9

SHA256
7979a8610c2c2f17c69e6c50d2269edc00532b4fff4e306c3cdf5e6c296dd496

SHA512
36c59f1e330a3243499f55dce96bf58c5f4738d0efecb277ba61293883a8e95ffd62a61db84257c6c9957cd4dc3584cf425f306560b2d6064e89976cfab02a4f

Download Submit
\Users\Admin\AppData\Local\Temp\vuziioc.exe

Filesize
724KB

MD5
87af641632030e477c6c292d7d13cf29

SHA1
16bbf04ef0df0abf65b333861e2055118c89435c

SHA256
64fce6be67dc127bdc284295e9525adcb09e19316bab9cfbe438ddf3e2ae5f0c

SHA512
efeb406f7c540ec040ad7ce48893f667328a619a9233cbefa5a8aac1e3eee30eb6e9931bad5e24ff14e1329bb49f199264aad92cf0390992ef4193f581bfba06

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA18D.tmp

Filesize
731KB

MD5
e524503e4020b22d84373ba32fd4cebb

SHA1
400ef22934f9f4ddb12248c7f50a01c5e6411d7f

SHA256
86b3b5accdc7a75de77d3c6961794012e991a11681f80f2e15811e6f6957c940

SHA512
d516f071e449af49eeba06966e0c22259d6369d60155a4584344d9e61a1588ddf8b07adf14526f1a7c6156ced37f9e1291206d51fba07817b06f7b3873645425

Download Submit
memory/776-46-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/776-43-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1728-27-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1728-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1728-28-0x0000000001D20000-0x0000000001DFF000-memory.dmp

Filesize
892KB

Download
memory/1728-7-0x0000000001D20000-0x0000000001DFF000-memory.dmp

Filesize
892KB

Download
memory/2144-30-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2532-31-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2532-40-0x0000000003BA0000-0x0000000003CDE000-memory.dmp

Filesize
1.2MB

Download
memory/2532-25-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2532-45-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing