Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2024, 23:01
Static task
static1
Behavioral task
behavioral1
Sample
8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe
Resource
win10v2004-20240508-en
General
-
Target
8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe
-
Size
397KB
-
MD5
8c2ab7d7bd20f8a8b92dbe5779ac4320
-
SHA1
65c75835b540175d33ab67583f98626711de74e5
-
SHA256
79d309dcae873685245924766520ef95497e9f4054d9a6540bb0acec36c993ca
-
SHA512
4a35b2dedb9d391d9cac9952c3526abec496b8215040237bc10f745e769159b44512a7c1d72d07e2b944e97d48247003fc83f22ae2c398fa34662c87f3075195
-
SSDEEP
12288:vdDU6g13sJd1fm/+yb3O2jg82ydU/DdKumy:vdE3sJd1fm/+yb3OYg84/JHJ
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2296 hzlvi.exe -
Executes dropped EXE 2 IoCs
pid Process 2296 hzlvi.exe 3056 onhs.exe -
Loads dropped DLL 1 IoCs
pid Process 3056 onhs.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VIEW = "c:\\Program Files\\wsnzdf\\onhs.exe \"c:\\Program Files\\wsnzdf\\onhsz.dll\",Viewer" onhs.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\j: onhs.exe File opened (read-only) \??\s: onhs.exe File opened (read-only) \??\u: onhs.exe File opened (read-only) \??\l: onhs.exe File opened (read-only) \??\m: onhs.exe File opened (read-only) \??\n: onhs.exe File opened (read-only) \??\p: onhs.exe File opened (read-only) \??\r: onhs.exe File opened (read-only) \??\b: onhs.exe File opened (read-only) \??\e: onhs.exe File opened (read-only) \??\g: onhs.exe File opened (read-only) \??\h: onhs.exe File opened (read-only) \??\i: onhs.exe File opened (read-only) \??\o: onhs.exe File opened (read-only) \??\w: onhs.exe File opened (read-only) \??\x: onhs.exe File opened (read-only) \??\y: onhs.exe File opened (read-only) \??\z: onhs.exe File opened (read-only) \??\a: onhs.exe File opened (read-only) \??\k: onhs.exe File opened (read-only) \??\q: onhs.exe File opened (read-only) \??\t: onhs.exe File opened (read-only) \??\v: onhs.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 onhs.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created \??\c:\Program Files\wsnzdf\onhsz.dll hzlvi.exe File created \??\c:\Program Files\wsnzdf\onhs.exe hzlvi.exe File opened for modification \??\c:\Program Files\wsnzdf\onhs.exe hzlvi.exe File opened for modification \??\c:\Program Files\wsnzdf hzlvi.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 onhs.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString onhs.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2140 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3056 onhs.exe 3056 onhs.exe 3056 onhs.exe 3056 onhs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3056 onhs.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3004 8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe 2296 hzlvi.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3004 wrote to memory of 372 3004 8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe 90 PID 3004 wrote to memory of 372 3004 8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe 90 PID 3004 wrote to memory of 372 3004 8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe 90 PID 372 wrote to memory of 2140 372 cmd.exe 92 PID 372 wrote to memory of 2140 372 cmd.exe 92 PID 372 wrote to memory of 2140 372 cmd.exe 92 PID 372 wrote to memory of 2296 372 cmd.exe 93 PID 372 wrote to memory of 2296 372 cmd.exe 93 PID 372 wrote to memory of 2296 372 cmd.exe 93 PID 2296 wrote to memory of 3056 2296 hzlvi.exe 94 PID 2296 wrote to memory of 3056 2296 hzlvi.exe 94 PID 2296 wrote to memory of 3056 2296 hzlvi.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe"C:\Users\Admin\AppData\Local\Temp\8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\hzlvi.exe "C:\Users\Admin\AppData\Local\Temp\8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:2140
-
-
C:\Users\Admin\AppData\Local\Temp\hzlvi.exeC:\Users\Admin\AppData\Local\Temp\\hzlvi.exe "C:\Users\Admin\AppData\Local\Temp\8c2ab7d7bd20f8a8b92dbe5779ac4320_NEIKI.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\Program Files\wsnzdf\onhs.exe"c:\Program Files\wsnzdf\onhs.exe" "c:\Program Files\wsnzdf\onhsz.dll",Viewer C:\Users\Admin\AppData\Local\Temp\hzlvi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3852,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:81⤵PID:3712
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
397KB
MD52a3ed2e57e92de0f36159c6ebb68d9cc
SHA177e423cfdb6be3f03636fb2c75b3abec9e51e2b5
SHA256a91d4717bc7c5ea378352c7eb2d0544759454102e5f8b0909000738ab2b4c53b
SHA5122f838291de1cc83b435d3ed3f956e0852a913652ec3378e328f29ab8c474dc5a6ceb5d5d1850e2c4f909fb397bab9e65936b0547c842ceff48e53faae40a0911
-
Filesize
89KB
MD5683787a6e2871504f342dd6231b8337e
SHA1d66240e1e4af115132463d5e9d3b4fb344d2807f
SHA2562e892f22283ee9d4c11e99d020936a03d4d3519294a1e603a817ee9b401c7355
SHA512c5dbea0a2874aaac7f5de774e992b8e1e5edf67e694723ac85cf2995ba68a6a9906ac7a3f43755d24becb4237ad6727ba29b10d3592fafe35bad25223e1f8a4b