d4ed979de791158ae25a98d7f4a36fe32411356aaa2a2809d57a31df6d23ee5a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d9af331f54162af9a1749c91e956860_NEIKI.exe
Size

1.5MB
MD5

6d9af331f54162af9a1749c91e956860
SHA1

801ffa97e78cd0c7114a913f0675c63e89df85c1
SHA256

d4ed979de791158ae25a98d7f4a36fe32411356aaa2a2809d57a31df6d23ee5a
SHA512

333726737640525a961083caa03deade71c6eaec2aa773ef95d1c708e36037fe7a245f63401bd2f5493609378e9d462b973646b86b38ad1a1e451db5a2384e26
SSDEEP

24576:noqBscXGNBl3YK93Le++CrM8JF4pU/A/iWK2loWxF7TrhDg8woOE9m/SE9hME9eg:ohlbR+eMP/ij2JxPZYkI5hLN

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	6d9af331f54162af9a1749c91e956860_NEIKI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile\isogg = "alrGady"	6d9af331f54162af9a1749c91e956860_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8	6d9af331f54162af9a1749c91e956860_NEIKI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\EditFlags = "65536"	6d9af331f54162af9a1749c91e956860_NEIKI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\EditFlags = "65536"	6d9af331f54162af9a1749c91e956860_NEIKI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\EditFlags = "65536"	6d9af331f54162af9a1749c91e956860_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ywsfile	6d9af331f54162af9a1749c91e956860_NEIKI.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2024	6d9af331f54162af9a1749c91e956860_NEIKI.exe
2024	6d9af331f54162af9a1749c91e956860_NEIKI.exe

C:\Users\Admin\AppData\Local\Temp\6d9af331f54162af9a1749c91e956860_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\6d9af331f54162af9a1749c91e956860_NEIKI.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-0-0x0000000000400000-0x000000000078C000-memory.dmp

Filesize
3.5MB

Download
memory/2024-1-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2024-3-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/2024-5-0x0000000000400000-0x000000000078C000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads