9dcad7b88a093d4d4caa7511b1dbe2835e8fd6b6d8902ba374a6a0b8a36a5437

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 22:15

Target

746cf852ea283a422e74f515f9addfc0_NEIKI.exe
Size

84KB
MD5

746cf852ea283a422e74f515f9addfc0
SHA1

811acd1de1715d2afceb53fb1de486e0f7d8a49f
SHA256

9dcad7b88a093d4d4caa7511b1dbe2835e8fd6b6d8902ba374a6a0b8a36a5437
SHA512

31a3eb58ce6264c01826435c915456bb8906e72c76bc330a7e2fc4ce79183a76ade08dbcbc07e5fb4e21ba6e24cc1e11441e12880283dd72b68dd84be610a034
SSDEEP

1536:0MQw9gp8PL5QsOZa9sEpT8t/jnYMRtM9S3:tQgPL5fR9sEpTmT

Score

7^/10

upx

Executes dropped EXE 1 IoCs

pid	Process
2784	serizay.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1184-0-0x0000000000240000-0x0000000000255000-memory.dmp	upx
behavioral2/files/0x000800000002325a-4.dat	upx
behavioral2/memory/2784-5-0x0000000000F60000-0x0000000000F75000-memory.dmp	upx
behavioral2/memory/1184-8-0x0000000000240000-0x0000000000255000-memory.dmp	upx
behavioral2/memory/2784-9-0x0000000000F60000-0x0000000000F75000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	checkip.dyndns.org

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2784	1184	746cf852ea283a422e74f515f9addfc0_NEIKI.exe	90
PID 1184 wrote to memory of 2784	1184	746cf852ea283a422e74f515f9addfc0_NEIKI.exe	90
PID 1184 wrote to memory of 2784	1184	746cf852ea283a422e74f515f9addfc0_NEIKI.exe	90

C:\Users\Admin\AppData\Local\Temp\746cf852ea283a422e74f515f9addfc0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\746cf852ea283a422e74f515f9addfc0_NEIKI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\serizay.exe
  C:\Users\Admin\AppData\Local\Temp\serizay.exe
  2⤵
  - Executes dropped EXE
  PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3108 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\serizay.exe

Filesize
84KB

MD5
6e9d18f9b775b940884b3bc14d5c90aa

SHA1
83dda80a75279b34fccdc81b9041e0486face067

SHA256
1bc6ab285d0c68b9050dd581c7a5cf50be820930f7d920188a80dffceaa7d34d

SHA512
cd6a38d53541e4f8646ec0e42f23420c80a73ac19ebdf65e8b0bc16c43ef248f6c8ecac432e75593af62f0ce128191544f6a2fc4f6fbb386ead4df4453f01a5e

Download Submit
memory/1184-0-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/1184-1-0x0000000000241000-0x0000000000243000-memory.dmp

Filesize
8KB

Download
memory/1184-8-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/2784-5-0x0000000000F60000-0x0000000000F75000-memory.dmp

Filesize
84KB

Download
memory/2784-7-0x0000000000F61000-0x0000000000F63000-memory.dmp

Filesize
8KB

Download
memory/2784-9-0x0000000000F60000-0x0000000000F75000-memory.dmp

Filesize
84KB

Download