9dcad7b88a093d4d4caa7511b1dbe2835e8fd6b6d8902ba374a6a0b8a36a5437

Analysis

max time kernel
145s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 22:15

Target

746cf852ea283a422e74f515f9addfc0_NEIKI.exe
Size

84KB
MD5

746cf852ea283a422e74f515f9addfc0
SHA1

811acd1de1715d2afceb53fb1de486e0f7d8a49f
SHA256

9dcad7b88a093d4d4caa7511b1dbe2835e8fd6b6d8902ba374a6a0b8a36a5437
SHA512

31a3eb58ce6264c01826435c915456bb8906e72c76bc330a7e2fc4ce79183a76ade08dbcbc07e5fb4e21ba6e24cc1e11441e12880283dd72b68dd84be610a034
SSDEEP

1536:0MQw9gp8PL5QsOZa9sEpT8t/jnYMRtM9S3:tQgPL5fR9sEpTmT

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2260	serizay.exe

Loads dropped DLL 1 IoCs

pid	Process
3036	746cf852ea283a422e74f515f9addfc0_NEIKI.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/3036-0-0x0000000000CA0000-0x0000000000CB5000-memory.dmp	upx
behavioral1/files/0x000c000000014c67-3.dat	upx
behavioral1/memory/3036-5-0x00000000009E0000-0x00000000009F5000-memory.dmp	upx
behavioral1/memory/3036-8-0x0000000000CA0000-0x0000000000CB5000-memory.dmp	upx
behavioral1/memory/2260-9-0x00000000009E0000-0x00000000009F5000-memory.dmp	upx
behavioral1/memory/2260-12-0x00000000009E0000-0x00000000009F5000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	checkip.dyndns.org

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2260	3036	746cf852ea283a422e74f515f9addfc0_NEIKI.exe	28
PID 3036 wrote to memory of 2260	3036	746cf852ea283a422e74f515f9addfc0_NEIKI.exe	28
PID 3036 wrote to memory of 2260	3036	746cf852ea283a422e74f515f9addfc0_NEIKI.exe	28
PID 3036 wrote to memory of 2260	3036	746cf852ea283a422e74f515f9addfc0_NEIKI.exe	28

C:\Users\Admin\AppData\Local\Temp\746cf852ea283a422e74f515f9addfc0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\746cf852ea283a422e74f515f9addfc0_NEIKI.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\serizay.exe
  C:\Users\Admin\AppData\Local\Temp\serizay.exe
  2⤵
  - Executes dropped EXE
  PID:2260

\Users\Admin\AppData\Local\Temp\serizay.exe

Filesize
84KB

MD5
6e9d18f9b775b940884b3bc14d5c90aa

SHA1
83dda80a75279b34fccdc81b9041e0486face067

SHA256
1bc6ab285d0c68b9050dd581c7a5cf50be820930f7d920188a80dffceaa7d34d

SHA512
cd6a38d53541e4f8646ec0e42f23420c80a73ac19ebdf65e8b0bc16c43ef248f6c8ecac432e75593af62f0ce128191544f6a2fc4f6fbb386ead4df4453f01a5e

Download Submit
memory/2260-9-0x00000000009E0000-0x00000000009F5000-memory.dmp

Filesize
84KB

Download
memory/2260-11-0x00000000009E1000-0x00000000009E3000-memory.dmp

Filesize
8KB

Download
memory/2260-12-0x00000000009E0000-0x00000000009F5000-memory.dmp

Filesize
84KB

Download
memory/3036-0-0x0000000000CA0000-0x0000000000CB5000-memory.dmp

Filesize
84KB

Download
memory/3036-1-0x0000000000CA1000-0x0000000000CA3000-memory.dmp

Filesize
8KB

Download
memory/3036-5-0x00000000009E0000-0x00000000009F5000-memory.dmp

Filesize
84KB

Download
memory/3036-8-0x0000000000CA0000-0x0000000000CB5000-memory.dmp

Filesize
84KB

Download