Analysis
-
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2024 02:55
Behavioral task
behavioral1
Sample
b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe
Resource
win7-20240221-en
General
-
Target: b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe
Size: 1.1MB
MD5: b0600586fc73f66cf4c5f4024c842ec0
SHA1: d0419f487fda110bb383b48732c2c5b8af0ac9bf
SHA256: 065c5a58fda3891a107fc06dfcc7927e67646f0f5ac27f052bfdbd4ecce0257f
SHA512: 8770a43e6b28c93083985ae92fd1ff03f915ee12b5e18798e5f36e06283a54b362a2cc8e0e4f7b3a4d83c3a2584fb8f719036ae194ce720cc49294c9b6289000
SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1StE10/ZcnDP7:E5aIwC+Agr6S/FFC+L7
Malware Config
Signatures
-
KPOT Core Executable 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe | yara_rule: family_kpot
-
Trickbot x86 loader 1 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
resource: behavioral2/memory/1940-15-0x0000000002200000-0x0000000002229000-memory.dmp | yara_rule: trickbot_loader32
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2188 | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
1804 | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
4896 | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeTcbPrivilege | 1804 | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
Token: SeTcbPrivilege | 4896 | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
1940 | b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe
2188 | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
1804 | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
4896 | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (64 entries in total; identical rows are listed once and marked as repeated)
PID 1940 wrote to memory of 2188 | 1940 | b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe (repeated)
PID 2188 wrote to memory of 4448 | 2188 | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe | svchost.exe (repeated)
PID 1804 wrote to memory of 2952 | 1804 | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe | svchost.exe (repeated)
PID 4896 wrote to memory of 2756 | 4896 | b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe | svchost.exe (repeated)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe (level 1, PID:1940)
  command line: "C:\Users\Admin\AppData\Local\Temp\b0600586fc73f66cf4c5f4024c842ec0_NEIKI.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe (level 2, PID:2188)
    command line: C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe (level 3, PID:4448)
      command line: C:\Windows\system32\svchost.exe
-
C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe (level 1, PID:1804)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\svchost.exe (level 2, PID:2952)
    command line: C:\Windows\system32\svchost.exe
-
C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe (level 1, PID:4896)
  command line: C:\Users\Admin\AppData\Roaming\WinSocket\b0700697fc83f77cf4c6f4024c942ec0_NFJLJ.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\svchost.exe (level 2, PID:2756)
    command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.1MB
MD5: b0600586fc73f66cf4c5f4024c842ec0
SHA1: d0419f487fda110bb383b48732c2c5b8af0ac9bf
SHA256: 065c5a58fda3891a107fc06dfcc7927e67646f0f5ac27f052bfdbd4ecce0257f
SHA512: 8770a43e6b28c93083985ae92fd1ff03f915ee12b5e18798e5f36e06283a54b362a2cc8e0e4f7b3a4d83c3a2584fb8f719036ae194ce720cc49294c9b6289000
-
Filesize: 35KB
MD5: d0798ba15980687f02678721f81818e5
SHA1: 986e3a4815c2515c194c240ca9082f759d049ad1
SHA256: a8465a0390a2ee77662a154ac55657c21a0f55e1311ddcc98205a5899ec56c42
SHA512: 7e1186ecd31cad7b7b244e7447eca59f6fdb9440baf067b090707677b4e34584d094613b16b1a4fcd29d264ee7215de73fcc070ebe993c921566b1174ac503dd