Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
08/05/2024, 23:01
Static task
static1
Behavioral task
behavioral1
Sample
8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe
-
Size
397KB
-
MD5
8c2ab7d7bd20f8a8b92dbe5779ac4320
-
SHA1
65c75835b540175d33ab67583f98626711de74e5
-
SHA256
79d309dcae873685245924766520ef95497e9f4054d9a6540bb0acec36c993ca
-
SHA512
4a35b2dedb9d391d9cac9952c3526abec496b8215040237bc10f745e769159b44512a7c1d72d07e2b944e97d48247003fc83f22ae2c398fa34662c87f3075195
-
SSDEEP
12288:vdDU6g13sJd1fm/+yb3O2jg82ydU/DdKumy:vdE3sJd1fm/+yb3OYg84/JHJ
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2528 pytgpksek.exe -
Executes dropped EXE 2 IoCs
pid Process 2528 pytgpksek.exe 2628 yqqlaqtv.exe -
Loads dropped DLL 7 IoCs
pid Process 2268 cmd.exe 2268 cmd.exe 2528 pytgpksek.exe 2628 yqqlaqtv.exe 2628 yqqlaqtv.exe 2628 yqqlaqtv.exe 2628 yqqlaqtv.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\VIEW = "c:\\Program Files\\qckno\\yqqlaqtv.exe \"c:\\Program Files\\qckno\\yqqlaqtv.dll\",Viewer" yqqlaqtv.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\n: yqqlaqtv.exe File opened (read-only) \??\v: yqqlaqtv.exe File opened (read-only) \??\x: yqqlaqtv.exe File opened (read-only) \??\e: yqqlaqtv.exe File opened (read-only) \??\h: yqqlaqtv.exe File opened (read-only) \??\j: yqqlaqtv.exe File opened (read-only) \??\o: yqqlaqtv.exe File opened (read-only) \??\r: yqqlaqtv.exe File opened (read-only) \??\b: yqqlaqtv.exe File opened (read-only) \??\g: yqqlaqtv.exe File opened (read-only) \??\l: yqqlaqtv.exe File opened (read-only) \??\t: yqqlaqtv.exe File opened (read-only) \??\w: yqqlaqtv.exe File opened (read-only) \??\y: yqqlaqtv.exe File opened (read-only) \??\z: yqqlaqtv.exe File opened (read-only) \??\a: yqqlaqtv.exe File opened (read-only) \??\k: yqqlaqtv.exe File opened (read-only) \??\q: yqqlaqtv.exe File opened (read-only) \??\s: yqqlaqtv.exe File opened (read-only) \??\u: yqqlaqtv.exe File opened (read-only) \??\i: yqqlaqtv.exe File opened (read-only) \??\m: yqqlaqtv.exe File opened (read-only) \??\p: yqqlaqtv.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 yqqlaqtv.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\qckno pytgpksek.exe File created \??\c:\Program Files\qckno\yqqlaqtv.dll pytgpksek.exe File created \??\c:\Program Files\qckno\yqqlaqtv.exe pytgpksek.exe File opened for modification \??\c:\Program Files\qckno\yqqlaqtv.exe pytgpksek.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString yqqlaqtv.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 yqqlaqtv.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2904 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2628 yqqlaqtv.exe 2628 yqqlaqtv.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2628 yqqlaqtv.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2908 8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe 2528 pytgpksek.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2908 wrote to memory of 2268 2908 8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe 28 PID 2908 wrote to memory of 2268 2908 8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe 28 PID 2908 wrote to memory of 2268 2908 8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe 28 PID 2908 wrote to memory of 2268 2908 8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe 28 PID 2268 wrote to memory of 2904 2268 cmd.exe 30 PID 2268 wrote to memory of 2904 2268 cmd.exe 30 PID 2268 wrote to memory of 2904 2268 cmd.exe 30 PID 2268 wrote to memory of 2904 2268 cmd.exe 30 PID 2268 wrote to memory of 2528 2268 cmd.exe 31 PID 2268 wrote to memory of 2528 2268 cmd.exe 31 PID 2268 wrote to memory of 2528 2268 cmd.exe 31 PID 2268 wrote to memory of 2528 2268 cmd.exe 31 PID 2528 wrote to memory of 2628 2528 pytgpksek.exe 32 PID 2528 wrote to memory of 2628 2528 pytgpksek.exe 32 PID 2528 wrote to memory of 2628 2528 pytgpksek.exe 32 PID 2528 wrote to memory of 2628 2528 pytgpksek.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\pytgpksek.exe "C:\Users\Admin\AppData\Local\Temp\8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:2904
-
-
C:\Users\Admin\AppData\Local\Temp\pytgpksek.exeC:\Users\Admin\AppData\Local\Temp\\pytgpksek.exe "C:\Users\Admin\AppData\Local\Temp\8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\Program Files\qckno\yqqlaqtv.exe"c:\Program Files\qckno\yqqlaqtv.exe" "c:\Program Files\qckno\yqqlaqtv.dll",Viewer C:\Users\Admin\AppData\Local\Temp\pytgpksek.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
398KB
MD5878ef37d63fb79ffd74a33077c35a929
SHA18ab5f569acb9198d7c2fc7078630a65763d986ef
SHA2562610c737eaa959409eb8027be738022ccecc6b1a07c3fbc9aaaf0dbfc755337b
SHA512e442afde088fff7ea73cb0945058b84c0eac88a314bb49254af46ad64b878d182bfc9b4da3242213ef33f37d763c02124a475cef825698dd3d435276e3f4163f
-
Filesize
89KB
MD5e8abe635fd50b239950e4848c70affe2
SHA123ec591f5bb62b0ff52b133d840432e15ddbb6a7
SHA256db05a231197824043f5efa07bc89dea879075a687e0d3ffb760e2e1ab8c56a9d
SHA512e5c8a44e32bb8b54b49264d82fb545f9367837bd2f43395eb36459c5c7210686cdc240185b9d377b97ac46e9175644ce5ef0f8f734bee3889cd84ad9a785460b
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d