Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2024 02:26
Behavioral task: behavioral1
- Sample: a742802f48d6d4fc11a25da879e16e90_NEIKI.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a742802f48d6d4fc11a25da879e16e90_NEIKI.exe
- Resource: win10v2004-20240419-en
General
- Target: a742802f48d6d4fc11a25da879e16e90_NEIKI.exe
- Size: 130KB
- MD5: a742802f48d6d4fc11a25da879e16e90
- SHA1: 7aee5fd0a9b7b5a8166bd8e802f0c409600dfda6
- SHA256: dc606521d5ab8401ceca853bb4a828bc8c779940cbc6fcccfb832b567559ff92
- SHA512: e1c4c43c757895555af56e300f0eea5c6d26b07db0c4e3d0c22102dd76ddaf9744603d25388e6e460c2ffb1f2526c9997bd8a9e8c2af00a0cd5bd060dba2105e
- SSDEEP: 1536:eH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5UROXTmZt:SKQJcinxphkG5Q6GdpIOkJHhKRyOXKn
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage (6 IoCs)
Processes:
resource  yara_rule
behavioral2/memory/1552-50-0x0000000000400000-0x0000000000411000-memory.dmp  modiloader_stage2
behavioral2/memory/1552-48-0x0000000000400000-0x0000000000411000-memory.dmp  modiloader_stage2
behavioral2/memory/1552-52-0x0000000000400000-0x0000000000411000-memory.dmp  modiloader_stage2
behavioral2/memory/1552-51-0x0000000000400000-0x0000000000411000-memory.dmp  modiloader_stage2
behavioral2/memory/1552-44-0x0000000000400000-0x0000000000411000-memory.dmp  modiloader_stage2
behavioral2/memory/1552-59-0x0000000000400000-0x0000000000411000-memory.dmp  modiloader_stage2
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes: a742802f48d6d4fc11a25da879e16e90_NEIKI.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation  a742802f48d6d4fc11a25da879e16e90_NEIKI.exe
-
Executes dropped EXE (3 IoCs)
Processes: Flaseher.exe, Flaseher.exe, Flaseher.exe
pid  process
3564  Flaseher.exe
4428  Flaseher.exe
1552  Flaseher.exe
-
Processes:
resource  yara_rule
behavioral2/memory/556-0-0x0000000000400000-0x0000000000423000-memory.dmp  upx
behavioral2/memory/4732-6-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/4732-10-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/556-11-0x0000000000400000-0x0000000000423000-memory.dmp  upx
behavioral2/memory/4732-12-0x0000000000400000-0x000000000040B000-memory.dmp  upx
C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe  upx
behavioral2/memory/3564-37-0x0000000000400000-0x0000000000423000-memory.dmp  upx
behavioral2/memory/3564-39-0x0000000000400000-0x0000000000423000-memory.dmp  upx
behavioral2/memory/3564-40-0x0000000000400000-0x0000000000423000-memory.dmp  upx
behavioral2/memory/3564-41-0x0000000000400000-0x0000000000423000-memory.dmp  upx
behavioral2/memory/3564-54-0x0000000000400000-0x0000000000423000-memory.dmp  upx
behavioral2/memory/4732-55-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/4428-58-0x0000000000400000-0x000000000040B000-memory.dmp  upx
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: reg.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.Flasfh = "C:\\Users\\Admin\\AppData\\Roaming\\..Flash\\Flaseher.exe"  reg.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes: a742802f48d6d4fc11a25da879e16e90_NEIKI.exe, Flaseher.exe
description  pid  process  target process
PID 556 set thread context of 4732  556  a742802f48d6d4fc11a25da879e16e90_NEIKI.exe  a742802f48d6d4fc11a25da879e16e90_NEIKI.exe
PID 3564 set thread context of 4428  3564  Flaseher.exe  Flaseher.exe
PID 3564 set thread context of 1552  3564  Flaseher.exe  Flaseher.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: Flaseher.exe
description  pid  process
Token: SeDebugPrivilege  4428  Flaseher.exe
(the same entry, Token: SeDebugPrivilege by PID 4428 Flaseher.exe, is recorded 64 times)
-
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: a742802f48d6d4fc11a25da879e16e90_NEIKI.exe, a742802f48d6d4fc11a25da879e16e90_NEIKI.exe, Flaseher.exe, Flaseher.exe
pid  process
556  a742802f48d6d4fc11a25da879e16e90_NEIKI.exe
4732  a742802f48d6d4fc11a25da879e16e90_NEIKI.exe
3564  Flaseher.exe
4428  Flaseher.exe
-
Suspicious use of WriteProcessMemory (38 IoCs)
Processes: a742802f48d6d4fc11a25da879e16e90_NEIKI.exe, a742802f48d6d4fc11a25da879e16e90_NEIKI.exe, cmd.exe, Flaseher.exe
description  pid  process  target process  (count)
PID 556 wrote to memory of 4732  556  a742802f48d6d4fc11a25da879e16e90_NEIKI.exe  a742802f48d6d4fc11a25da879e16e90_NEIKI.exe  (8 entries)
PID 4732 wrote to memory of 2652  4732  a742802f48d6d4fc11a25da879e16e90_NEIKI.exe  cmd.exe  (3 entries)
PID 2652 wrote to memory of 3048  2652  cmd.exe  reg.exe  (3 entries)
PID 4732 wrote to memory of 3564  4732  a742802f48d6d4fc11a25da879e16e90_NEIKI.exe  Flaseher.exe  (3 entries)
PID 3564 wrote to memory of 4428  3564  Flaseher.exe  Flaseher.exe  (8 entries)
PID 3564 wrote to memory of 1552  3564  Flaseher.exe  Flaseher.exe  (13 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a742802f48d6d4fc11a25da879e16e90_NEIKI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a742802f48d6d4fc11a25da879e16e90_NEIKI.exe"
  PID: 556
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\a742802f48d6d4fc11a25da879e16e90_NEIKI.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a742802f48d6d4fc11a25da879e16e90_NEIKI.exe"
    PID: 4732
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYKSJ.bat" "
      PID: 2652
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f
        PID: 3048
        - Adds Run key to start application
    - [3] C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
      Command line: "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
      PID: 3564
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
        Command line: "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
        PID: 4428
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      - [4] C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
        Command line: "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
        PID: 1552
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 145B
  MD5: da0cbe87b720a79b294147ed6a4b98be
  SHA1: ebf0dc9efd7a12cb192e355cda87546acb4ab360
  SHA256: 7ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed
  SHA512: f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc
- Filesize: 130KB
  MD5: 104552b84abaf5727f61c845ae701546
  SHA1: fc9d9c9d7f644fedbaa5737b8fca2d5937b690f3
  SHA256: e0799b60fe18cf727e8c16f684ec68c6e8dd404b1866b596861f914d83700583
  SHA512: 8e057987211eb41945328bba28b88e9e25bdce341e090e95237f7e99389787760ce6e8bca7b67f744bca0b5a7bf8e6f11f6129932492e11af10fa1cb94ea168d