2a9eea315eeeb6558e0f58d5a95661b3722e33d1368968eca226ff980450dd36

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe
Size

95KB
MD5

8d6b9e4f8be7ff79d3fe7c18a49dd3b0
SHA1

d1dac41341a05b7abb3ebcadf63c02e4cd74ba72
SHA256

2a9eea315eeeb6558e0f58d5a95661b3722e33d1368968eca226ff980450dd36
SHA512

c878b64f19fc28ffc1eb10f766e2be205f249d0379711c221f60a5e74a137851c65b1955f4f04ebb34e504deaf005c0e4f5c13a8feda97a97da545784dcdf7ed
SSDEEP

768:3/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJi+vBU6u7DPQ1TTGfGYc+pe:3RsvcdcQjosnvng6uQ1Jx

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe

Executes dropped EXE 1 IoCs

pid	Process
2524	jusched.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe
2524	jusched.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2524	628	8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe	88
PID 628 wrote to memory of 2524	628	8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe	88
PID 628 wrote to memory of 2524	628	8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe	88

C:\Users\Admin\AppData\Local\Temp\8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\8d6b9e4f8be7ff79d3fe7c18a49dd3b0_NEIKI.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:628
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
95KB

MD5
096c8f83821fab19b7d06c33186ee217

SHA1
5e9c8135d7cd29abc4e0cb6a000e8bcd34303709

SHA256
06fd77e891626e271a0ab6a5a2831e354290937868e1257aa83d7b0eb766ff3d

SHA512
95ec015df3ba12c3fa46d7d457e6e9aa0c335b88f1e6ef23e94ee854bbceb8fd1ede5bf5204e57d10a04a501a4bb31634aea6707a59a17cf254d6f935d2d3bc1

Download Submit
memory/628-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/628-11-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2524-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download