dd7467738512b9603334153bde4652ea2444a4669ebcb6baa7141faf03114f74

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f350d379270217a49fa1eb203eebdd00_NEIKI.exe
Size

212KB
MD5

f350d379270217a49fa1eb203eebdd00
SHA1

d5bf05c41f9e7952a64486ce9ceccb789bd62f87
SHA256

dd7467738512b9603334153bde4652ea2444a4669ebcb6baa7141faf03114f74
SHA512

06653fbdf22f23bba6dd2ec5df32a923a7e68c803a6c96659d397ecee04f61c3498f4593dd33696cbf8f2c020e1153fe0d57121d725eb193dbdba3d928313d5d
SSDEEP

6144:h21crm+ZOg64KpxxbxDxxxx155nZxs1UoK8I:02mCOF4KxxbxDxxxx15VZxWI

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2708	wrvdfyg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\wrvdfyg.exe	f350d379270217a49fa1eb203eebdd00_NEIKI.exe
File created	C:\PROGRA~3\Mozilla\klztrnd.dll	wrvdfyg.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1592	f350d379270217a49fa1eb203eebdd00_NEIKI.exe
2708	wrvdfyg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2708	2356	taskeng.exe	29
PID 2356 wrote to memory of 2708	2356	taskeng.exe	29
PID 2356 wrote to memory of 2708	2356	taskeng.exe	29
PID 2356 wrote to memory of 2708	2356	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\f350d379270217a49fa1eb203eebdd00_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\f350d379270217a49fa1eb203eebdd00_NEIKI.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1592

C:\Windows\system32\taskeng.exe
taskeng.exe {0E1914F5-9A75-4447-B567-DF893CAAE6F8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\PROGRA~3\Mozilla\wrvdfyg.exe
  C:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\wrvdfyg.exe

Filesize
212KB

MD5
198cf55fcbbd104e8216c0a80e708581

SHA1
927b7303328071749fc4f2d9a67f46125a195bc8

SHA256
d5519000d02ebdd067ff7b1d9231e572c7cc28354d3249813fac187fdcc01781

SHA512
1902035b7cfb93eeb11e33a69cddc0b1ff38af0c28be71ead8f7e23f47de1315a2261ba409db722696db212b13b9adc4d5cb4eb3b0441e79d3bcd31d7b671fd8

Download Submit
memory/1592-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1592-1-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1592-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1592-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2708-7-0x0000000000590000-0x00000000005EB000-memory.dmp

Filesize
364KB

Download
memory/2708-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2708-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download