Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08/05/2024, 23:04
Static task
static1
Behavioral task
behavioral1
Sample
8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe
Resource
win10v2004-20240426-en
General
Target: 8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe
Size: 95KB
MD5: 8d6b9e4f8be7ff79d3fe7c18a49dd3b0
SHA1: d1dac41341a05b7abb3ebcadf63c02e4cd74ba72
SHA256: 2a9eea315eeeb6558e0f58d5a95661b3722e33d1368968eca226ff980450dd36
SHA512: c878b64f19fc28ffc1eb10f766e2be205f249d0379711c221f60a5e74a137851c65b1955f4f04ebb34e504deaf005c0e4f5c13a8feda97a97da545784dcdf7ed
SSDEEP: 768:3/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJi+vBU6u7DPQ1TTGfGYc+pe:3RsvcdcQjosnvng6uQ1Jx
Malware Config
Extracted
Protocol: ftp
Host: ftp.tripod.com
Port: 21
Username: griptoloji
Password: 741852
Signatures
Executes dropped EXE (1 IoC)
- PID 2844: jusched.exe
Loads dropped DLL (2 IoCs)
- PID 2744: 8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe (2 occurrences)
Drops file in Program Files directory (3 IoCs)
- File created: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe, by 8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe
- File opened for modification: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe, by 8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe
- File created: C:\Program Files (x86)\Java\jre-09\bin\UF, by 8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe
Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2844: jusched.exe (64 occurrences)
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2744 (8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe) wrote to memory of PID 2844, procid_target 28 (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   PID: 2744
   2. C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      Command line: "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 2844
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 95KB
MD5: 7beab78b6a55208997b5bcb72ae0d580
SHA1: 334e35b41418d7a2609c3d692b3be6d84935cfd5
SHA256: 4117c88aab110031fb3de1f471d7ca57a2af46ad43f93fece839021689191cc4
SHA512: ebee16cf6fdac7f49fa1a48dc9f45a4e3036af32f48c02ce59f08b59858013e9b7d623de1c2b47c228f0574c3dfc66a7970f2ab3f4d3936ba15569781f6b05a7