Analysis
- max time kernel: 94s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2024, 23:29
Static task: static1
Behavioral task: behavioral1
- Sample: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe
- Resource: win10v2004-20240508-en
General
- Target: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe
- Size: 52KB
- MD5: 99f82160c7bac3224e22d19c4019fa00
- SHA1: 74aad20a96c25a9f39abb815b566a6c43bc18984
- SHA256: b14d6946d037909cb094a4704f3abc0ff837a6c86479dd11310fdfb36f100ee1
- SHA512: b7e07ad7c50ef7e98574f011252e18495a3bd3e9ac8883e1096e71da17de8c01a997c6b52c1c58a0e24220cc3564b77a7b245f78366e1930416620ad665e318f
- SSDEEP: 768:WfxIlCAyUnBhPdyjF5Ahnkh/GeBxmuBuMV56W75/1H5F/syMABvKWe:WfrAV91kh/GSxmSuERPrMAdKZ
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe)

Executes dropped EXE (1 IoC)
- PID 1680: Nkcmohbg.exe

Drops file in System32 directory (3 IoCs)
- File created: C:\Windows\SysWOW64\Nkcmohbg.exe (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe)
- File opened for modification: C:\Windows\SysWOW64\Nkcmohbg.exe (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe)
- File created: C:\Windows\SysWOW64\Hnibdpde.dll (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe)

Program crash (1 IoC)
- PID 4800 (WerFault.exe), target PID 1680, procid_target 80

Modifies registry class (6 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 2848 wrote to memory of 1680 (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe, procid_target 80)
- PID 2848 wrote to memory of 1680 (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe, procid_target 80)
- PID 2848 wrote to memory of 1680 (process: 99f82160c7bac3224e22d19c4019fa00_NEIKI.exe, procid_target 80)
Processes
- C:\Users\Admin\AppData\Local\Temp\99f82160c7bac3224e22d19c4019fa00_NEIKI.exe (level 1, PID 2848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\99f82160c7bac3224e22d19c4019fa00_NEIKI.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Nkcmohbg.exe (level 2, PID 1680)
    Command line: C:\Windows\system32\Nkcmohbg.exe
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (level 3, PID 4800)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 400
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (level 1, PID 3372)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1680 -ip 1680
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 52KB
- MD5: 072c030406a1443208b2b0fa538d2b9d
- SHA1: 2bebcc8ffce0ad920d7bd16ca7fb011393bdbbd3
- SHA256: cf4127d173e6e14bc4a7b406b8c16a8ccd6a4265fc439b51504a1ff2d67a3727
- SHA512: 7b4d1afac9f3482162945c8b6ca3fe8dcf9641090e74e6b9abe3a555bc82306539298731b9c8ac14386971bfbe8fd86cd4391eb79eac27abf8a4750e8b203f7b