0c4fd187f1ed90125c70e5d39664900d84c3dfe85e3401c8282f8b51ff19d3d1

General

Target

2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe
Size

717KB
MD5

2d69aa1a205225f27dda27e59c0f1890
SHA1

3a3755dbd71428a0b094ab4ccef9a87365180e29
SHA256

0c4fd187f1ed90125c70e5d39664900d84c3dfe85e3401c8282f8b51ff19d3d1
SHA512

3af2086e3b80a5cd9039e005a104ff6dd0e37560cc599204003006e1092d5b14ccaf8d6148f09fe9b38381e1ec97d6525f78b94aebf01f320c71fdb599e0f7dd
SSDEEP

12288:2pR3MqWOKw7yWMJFLubMNfntcanU+SH7:iR84fmX8ItHnXI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	~DFA255.tmp

Executes dropped EXE 3 IoCs

pid	Process
4368	niymioq.exe
4608	~DFA255.tmp
2704	kufidoq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe
2704	kufidoq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	~DFA255.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 4368	4092	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	83
PID 4092 wrote to memory of 4368	4092	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	83
PID 4092 wrote to memory of 4368	4092	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	83
PID 4368 wrote to memory of 4608	4368	niymioq.exe	85
PID 4368 wrote to memory of 4608	4368	niymioq.exe	85
PID 4368 wrote to memory of 4608	4368	niymioq.exe	85
PID 4092 wrote to memory of 1156	4092	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	86
PID 4092 wrote to memory of 1156	4092	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	86
PID 4092 wrote to memory of 1156	4092	2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe	86
PID 4608 wrote to memory of 2704	4608	~DFA255.tmp	103
PID 4608 wrote to memory of 2704	4608	~DFA255.tmp	103
PID 4608 wrote to memory of 2704	4608	~DFA255.tmp	103

C:\Users\Admin\AppData\Local\Temp\2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2d69aa1a205225f27dda27e59c0f1890_NEIKI.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\niymioq.exe
  C:\Users\Admin\AppData\Local\Temp\niymioq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Users\Admin\AppData\Local\Temp\~DFA255.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA255.tmp OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\kufidoq.exe
      "C:\Users\Admin\AppData\Local\Temp\kufidoq.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
289B

MD5
43ebfa4d990c781e55d810d40122aad9

SHA1
facb964611b151dbe0effa79ff04d86534076e4c

SHA256
e61571a4650b26d962d67308276b7462f2208dc685448441dd705213c52a04fc

SHA512
6e64dc3f0cc516f17df1f2ed9d5493f06c1b8e26b4491c5701225a962b5768ca8af7136feaa8965fc7e1556620d1a11686b549f2ac31bbb76b50f8dc2cd4171a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
7292c66ec7809a17a6e9741006ce600a

SHA1
3b58def8983c7c4a578a1eb9f75529cb9acbd187

SHA256
ee8cbc78d4ccf7554f41d53741d5e67fc858f283468e9db6f5d13378121abf2e

SHA512
0a6e08b8459f9c76758cee5f3a6226b917f0c55c0233017f079878feb9994d108cf396f5821d480b46a2e0818c2f450fd4a73eca649f88e537af295e52d96592

Download Submit
C:\Users\Admin\AppData\Local\Temp\kufidoq.exe

Filesize
393KB

MD5
8d12ed32719c1ea3510f818766d7459f

SHA1
890eed05f362cb06edd58c579396e1abf5466570

SHA256
4f5b6edf44520101919216e6990295a3f5bfb3f5226c08abc84b14c29a36fe88

SHA512
72c65ae31c09ca46d453380d0b134e9e76e6c67f49b00281eb0ac12775bf03db7cbbb8090ba8c9eb2149b63fb3ecfde2c85f154eddccfc54851d69b0879d671f

Download Submit
C:\Users\Admin\AppData\Local\Temp\niymioq.exe

Filesize
724KB

MD5
52644d83dbcfa617060b9720868cf531

SHA1
8e9bc6c5f5ce261d4e0ac5affeae860bffb3feb3

SHA256
08f43f5275b666b980aba055db2b8c8f0494b665f1e51fe52d867a202bd1f8bf

SHA512
e1b775f4974e4c2805b65e14b04f26b671b1e38a7826af41741b86e223663604fab44d3ae6149664ec3ce2f28178808d7ac79d5c11d19fffaa91e029ca8aea6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA255.tmp

Filesize
731KB

MD5
0c44a29e178391c1042b867a656b188e

SHA1
5e33b7a83ecea9816ef4e0ef267f4d8c85a6692a

SHA256
57615ff587cb9262bd479e94f0a2686811d4073116a27e5e333fa2f1610141e3

SHA512
d1850d75b70a91c88f3dcdfe3f171bf6325ace49b90258105b34f1ad86495305dfe6d7c8e70c39be9ebd454aa6ba0a1ecaa2f2374ff4f7f314ce0dd5d3257091

Download Submit
memory/2704-37-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2704-38-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2704-41-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2704-44-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/4092-17-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4092-0-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4368-20-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4368-9-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4608-21-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4608-40-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing