1fe5564bec9137822736dd74df249ea923817cf2f6a514b3ba5f9405c48ea7c1

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe
Size

5.0MB
MD5

30c96aa8b1fd104a86120b6c77acf810
SHA1

ecb6e779626f42c37de7532752b30378bb24624f
SHA256

1fe5564bec9137822736dd74df249ea923817cf2f6a514b3ba5f9405c48ea7c1
SHA512

1d0711b9d2b345c452acd970569efe826af93baaaac652845f23eeed8f879d294db79eed17946fa3b7b9ebf9be2a1ee06b3741a6705e3eb7e62ed60a10347bc5
SSDEEP

98304:77/VoFtaEkQQQAEXytvZi8eue8RQQW1SjPI5VZhQQAEXytvZi8eue8:77/VoFtaEkQpOfpPChpO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1740	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Executes dropped EXE 1 IoCs

pid	Process
1740	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Loads dropped DLL 1 IoCs

pid	Process
2176	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1740	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2176	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1740	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1740	2176	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe	29
PID 2176 wrote to memory of 1740	2176	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe	29
PID 2176 wrote to memory of 1740	2176	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe	29
PID 2176 wrote to memory of 1740	2176	30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe	29

C:\Users\Admin\AppData\Local\Temp\30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe
  C:\Users\Admin\AppData\Local\Temp\30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\30c96aa8b1fd104a86120b6c77acf810_NEIKI.exe

Filesize
5.0MB

MD5
21ac9898bfe38549267c5ee7125b4e92

SHA1
e4e16b5bd664114642b3a36a011a309358789145

SHA256
e2e24a17f356993a24fd283efa1a51ddf51d854f690ad387b27003304e5e6fe9

SHA512
06f7195ea6f1c77f8f34ea4554f86b6e8836439be71eb721538ce94240e55bab799b0d81c66b400e728657b1f44ece05f1e1b80b6b16116199f356cbefd0b075

Download Submit
memory/1740-10-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1740-11-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1740-17-0x0000000002EA0000-0x0000000002F91000-memory.dmp

Filesize
964KB

Download
memory/1740-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1740-39-0x000000000D770000-0x000000000D813000-memory.dmp

Filesize
652KB

Download
memory/2176-0-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2176-6-0x00000000033F0000-0x00000000034E1000-memory.dmp

Filesize
964KB

Download
memory/2176-9-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download